Control behavior and guidance - AWS Control Tower

Controls are categorized according to their behavior and their guidance.

The behavior of each control is one of preventive, detective, or proactive. Control guidance refers to the recommended practice for how to apply each control to your OUs. The guidance of a control is independent of whether its behavior is preventive, detective, or proactive.

Control behavior
  • Preventive – A preventive control ensures that your accounts maintain compliance, because it disallows actions that lead to policy violations. The status of a preventive control is either enforced or not enabled. Preventive controls are supported in all AWS Regions.

  • Detective – A detective control detects noncompliance of resources within your accounts, such as policy violations, and provides alerts through the dashboard. The status of a detective control is either clear, in violation, or not enabled. Detective controls apply only in those AWS Regions supported by AWS Control Tower.

  • Proactive – A proactive control scans your resources before they are provisioned, and makes sure that the resources are compliant with that control. Resources that are not compliant will not be provisioned. Proactive controls are implemented by means of AWS CloudFormation hooks, and they apply to resources that would be provisioned by AWS CloudFormation. The status of a proactive control is PASS, FAIL, or SKIP. For more information about AWS CloudFormation hooks, see Characteristics of hooks in the AWS CloudFormation documentation.

Implementation of control behavior

  • The preventive controls are implemented using Service Control Policies (SCPs), which are part of AWS Organizations.

  • The detective controls are implemented using AWS Config rules.

  • The proactive controls are implemented using AWS CloudFormation hooks.

  • Certain mandatory controls are implemented by means of a single SCP that performs multiple actions, rather than as unique SCPs. Therefore, the same SCP is shown in the control reference, under each mandatory control to which that SCP applies.

  • The integrated, detective Security Hub controls are implemented using AWS Config rules, similarly to all Security Hub controls. These controls are owned by the Service-Managed Standard: AWS Control Tower, which is part of Security Hub.
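The following Python script is an added illustration and is not code from the AWS Control Tower documentation or from AWS itself. It models the three behaviors described above in one place: a preventive check that evaluates an SCP-style Deny statement at request time, a detective evaluation that reports compliance of resources that already exist (the way an AWS Config rule does, without blocking anything), and a proactive check that inspects a CloudFormation template before provisioning and returns PASS, FAIL, or SKIP. The SCP statement, the bucket-versioning requirement, the sample buckets and the sample template are all constructed for this example and do not correspond to any specific Control Tower control.

```python
"""Illustration of preventive, detective and proactive control behavior.

Added example, not AWS code. Every policy, resource and template here is
constructed; the SCP statement and the versioning requirement are
hypothetical and are not any actual AWS Control Tower control.
"""
import json
from dataclasses import dataclass

# Constructed SCP-style document in IAM policy language. In AWS Organizations
# an SCP is attached to an OU; here we only evaluate its Deny statement.
PREVENTIVE_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyBucketPolicyChanges",
    "Effect": "Deny",
    "Action": ["s3:PutBucketPolicy", "s3:DeleteBucketPolicy"],
    "Resource": "*"
  }]
}
""")


def _action_matches(pattern, action):
    """IAM-style wildcard match: '*' matches anything, 's3:Put*' a prefix."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def preventive_check(scp, action):
    """Preventive: evaluated at request time, before the action happens.

    Returns 'denied' when an explicit Deny statement covers the action,
    otherwise 'allowed'. A denied request never creates a violation to
    detect later, which is why preventive controls are reported as
    'enforced' rather than 'clear' / 'in violation'.
    """
    for stmt in scp["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if stmt["Effect"] == "Deny" and any(_action_matches(a, action) for a in actions):
            return "denied"
    return "allowed"


@dataclass
class Bucket:
    """Constructed stand-in for an existing S3 bucket."""
    name: str
    versioning_enabled: bool


def detective_evaluate(buckets):
    """Detective: evaluates resources that already exist, like an AWS Config
    rule. It reports per-resource compliance and blocks nothing."""
    return {
        b.name: ("COMPLIANT" if b.versioning_enabled else "NON_COMPLIANT")
        for b in buckets
    }


def detective_status(evaluations):
    """Dashboard-style status of a detective control from its evaluations."""
    return "in violation" if "NON_COMPLIANT" in evaluations.values() else "clear"


def proactive_hook(template):
    """Proactive: inspects a CloudFormation template before provisioning,
    like a CloudFormation hook. Returns (status, failed_logical_ids):
    FAIL stops the deployment, PASS lets it proceed, SKIP means the
    template contains no resource type this hook targets."""
    failed = []
    targeted = False
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::S3::Bucket":
            continue
        targeted = True
        versioning = resource.get("Properties", {}).get("VersioningConfiguration", {})
        if versioning.get("Status") != "Enabled":
            failed.append(logical_id)
    if not targeted:
        return "SKIP", []
    return ("FAIL" if failed else "PASS"), failed


# Constructed sample inputs.
SAMPLE_BUCKETS = [Bucket("logs-bucket", True), Bucket("scratch-bucket", False)]
SAMPLE_TEMPLATE = {
    "Resources": {
        "Logs": {"Type": "AWS::S3::Bucket",
                 "Properties": {"VersioningConfiguration": {"Status": "Enabled"}}},
        "Scratch": {"Type": "AWS::S3::Bucket", "Properties": {}},
        "Queue": {"Type": "AWS::SQS::Queue"},
    }
}

if __name__ == "__main__":
    print("preventive :", preventive_check(PREVENTIVE_SCP, "s3:PutBucketPolicy"))
    evals = detective_evaluate(SAMPLE_BUCKETS)
    print("detective  :", evals, "->", detective_status(evals))
    print("proactive  :", proactive_hook(SAMPLE_TEMPLATE))
```

The point of running all three on the same requirement is the timing: the preventive check decides before the API call completes, the detective evaluation only finds the non-compliant bucket after it exists, and the proactive hook rejects the whole stack before any bucket is created, which is why a template with one non-compliant bucket fails as a unit.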

Control guidance

AWS Control Tower provides three categories of guidance: mandatory, strongly recommended, and elective controls.

  • Mandatory controls are always enforced in your landing zone. You cannot turn them off for any OU.

  • Strongly recommended controls are designed to enforce some common best practices for well-architected, multi-account environments. These controls apply at the OU level, for all accounts in that OU.

  • Elective controls enable you to track or lock down actions that are commonly restricted in an AWS enterprise environment. These controls apply at the OU level, for all accounts in that OU.

Defaults: When you create a new landing zone, AWS Control Tower enables all mandatory controls by default and applies them to your top-level OUs. When you extend governance to an OU, AWS Control Tower applies mandatory controls to the OU by default. Strongly recommended and elective controls are not enabled by default.
