

# About controls in AWS Control Tower
<a name="controls"></a>

A control is a high-level rule that provides ongoing governance for your overall AWS environment. It's expressed in plain language. AWS Control Tower implements *preventive*, *detective*, and *proactive* controls that help you govern your resources and monitor compliance across groups of AWS accounts.

A control applies to an entire organizational unit (OU), and every AWS account within the OU is affected by the control. Therefore, when users perform work in any AWS account in your landing zone, they're always subject to the controls that are governing their account's OU.

**Note**  
We are transitioning our terminology to align better with industry usage and with other AWS services. During this time, you may see the previous term, *guardrail*, as well as the new term, *control*, in our documentation, console, blogs, and videos. These terms are synonymous for our purposes.

**The purpose of controls**

Controls help you express your policy intentions. For example, if you enable the detective control **Detect Whether Public Read Access to Amazon S3 Buckets is Allowed** on an OU, you can determine whether an entity (such as a user) would be permitted to have read access over the internet to any Amazon S3 bucket in any account under that OU.

# About control relationships
<a name="control-relationships"></a>

Certain controls stand in specified relationships to each other. These relationships are defined as follows:
+ **Alternative**: One control can replace or substitute for the other. Example: An AWS Config rule and a Security Hub CSPM control that use the same underlying Config rule.
+ **Complementary**: The related controls work together to strengthen governance, each covering different aspects of security and compliance and enhancing the effectiveness of the other. Example: A Security Hub CSPM control and a proactive control that both check that an Amazon S3 bucket has **Block public access** settings configured.
+ **Mutually Exclusive**: The controls cannot be enabled together on the same target; otherwise, either control fails to achieve the desired outcome. Example: Two proactive controls that enforce two incompatible features.

You can discover the control relationships in the AWS Control Tower console, or by calling the `ListControlMappings` API in Control Catalog. Here are some examples.

Find all related controls, request:

```
{
    "Filter": {
        "ControlArns": ["arn:aws:controlcatalog:::control/CONTROL_A_ARN"],
        "MappingTypes": ["RELATED_CONTROL"]
    }
}
```

Find all related controls, response:

```
{
    "ControlMappings": [
        {
            "ControlArn": "arn:aws:controlcatalog:::control/CONTROL_A_ARN",
            "MappingType": "RELATED_CONTROL",
            "Mapping": {
                "RelatedControl": {
                    "ControlArn": "arn:aws:controlcatalog:::control/CONTROL_B_ARN",
                    "RelationType": "ALTERNATIVE"
                }
            }
        }, {
            "ControlArn": "arn:aws:controlcatalog:::control/CONTROL_A_ARN",
            "MappingType": "RELATED_CONTROL",
            "Mapping": {
                "RelatedControl": {
                    "ControlArn": "arn:aws:controlcatalog:::control/CONTROL_C_ARN",
                    "RelationType": "COMPLEMENTARY"
                }
            }
        }
        ...
    ],
    "NextToken": "..."
}
```

For more information, see [ListControlMappings](https://docs.aws.amazon.com/).
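The following added example (not code from the AWS documentation) walks the `ListControlMappings` response shape shown above, follows `NextToken`, and vets a set of controls intended for one OU against the three relationship types. The API call is replaced by a stand-in that serves constructed pages, the control ARNs are placeholders, and the `MUTUALLY_EXCLUSIVE` enum string is an assumption based on the prose.

```python
"""Vet a plan to enable controls on one OU against the relationships that
ListControlMappings reports (ALTERNATIVE, COMPLEMENTARY, MUTUALLY_EXCLUSIVE)."""
from collections import defaultdict

# Placeholder ARNs in the same form the page uses; not real control ARNs.
CONTROL_A = "arn:aws:controlcatalog:::control/CONTROL_A_ARN"
CONTROL_B = "arn:aws:controlcatalog:::control/CONTROL_B_ARN"
CONTROL_C = "arn:aws:controlcatalog:::control/CONTROL_C_ARN"
CONTROL_D = "arn:aws:controlcatalog:::control/CONTROL_D_ARN"


def related(src, dst, relation_type):
    """One ControlMappings entry in the ListControlMappings response shape."""
    return {
        "ControlArn": src,
        "MappingType": "RELATED_CONTROL",
        "Mapping": {"RelatedControl": {"ControlArn": dst, "RelationType": relation_type}},
    }


# Constructed response pages (two pages linked by NextToken) for CONTROL_A.
# "MUTUALLY_EXCLUSIVE" is assumed to be the enum for the third relationship.
PAGES = {
    None: {"ControlMappings": [related(CONTROL_A, CONTROL_B, "ALTERNATIVE"),
                               related(CONTROL_A, CONTROL_C, "COMPLEMENTARY")],
           "NextToken": "page-2"},
    "page-2": {"ControlMappings": [related(CONTROL_A, CONTROL_D, "MUTUALLY_EXCLUSIVE")]},
}


def fake_list_control_mappings(request):
    """Stand-in for the API call; a real client would use
    boto3.client("controlcatalog").list_control_mappings(**request)."""
    return PAGES[request.get("NextToken")]


def collect_mappings(call, control_arns):
    """Follow NextToken until the last page and return every mapping entry."""
    request = {"Filter": {"ControlArns": list(control_arns),
                          "MappingTypes": ["RELATED_CONTROL"]}}
    entries = []
    while True:
        page = call(request)
        entries.extend(page.get("ControlMappings", []))
        token = page.get("NextToken")
        if not token:
            return entries
        request = dict(request, NextToken=token)


def build_relationship_graph(entries):
    """Map each RelationType to a set of unordered control pairs.
    Relationships are symmetric, so a frozenset pair is used as the key."""
    graph = defaultdict(set)
    for entry in entries:
        if entry.get("MappingType") != "RELATED_CONTROL":
            continue  # ignore any other mapping types
        rel = entry["Mapping"]["RelatedControl"]
        graph[rel["RelationType"]].add(frozenset((entry["ControlArn"], rel["ControlArn"])))
    return dict(graph)


def vet_enable_plan(planned, graph):
    """Report what blocks, duplicates, or would strengthen a set of controls
    intended for the same target OU."""
    planned = set(planned)

    def pairs(relation_type):
        return sorted(tuple(sorted(p)) for p in graph.get(relation_type, ())
                      if p <= planned)

    suggested = set()
    for pair in graph.get("COMPLEMENTARY", ()):
        partner = pair - planned
        if len(partner) == 1:  # exactly one side of the pair is planned
            suggested |= partner
    return {
        "conflicts": pairs("MUTUALLY_EXCLUSIVE"),  # must not enable both
        "redundant": pairs("ALTERNATIVE"),         # one of the two is enough
        "suggested": sorted(suggested),            # complementary partners not planned
    }


if __name__ == "__main__":
    entries = collect_mappings(fake_list_control_mappings, [CONTROL_A])
    graph = build_relationship_graph(entries)
    print(vet_enable_plan([CONTROL_A, CONTROL_D], graph))
```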

# Controls that have non-deployable Regions
<a name="non-deployable"></a>

This section lists controls that are not activated when deployed in certain Regions, because the underlying dependencies are not available there. It presents summary information about these non-deployable Regions, for quick reference. You can find the most up-to-date information about the deployable Regions for any control by calling the `ListControls` and `GetControl` APIs. You can also view the deployable Regions in the AWS Control Tower console.

When you activate a control on an OU that's governed by AWS Control Tower, the control's effective area is the intersection of your governed Regions with the control's deployable Regions, with a few minor caveats related to occasional states of mixed governance.

For example, a control can be enabled on an OU that operates in governed Regions X, Y and Z. But after it is enabled, the same control is deployed only on Regions X and Z, because the control itself does not support Region Y.

It's important to monitor the relationship between the controls you deploy and the Regions where you operate workloads, so that you don't experience gaps in the protection of your AWS resources.

**How to check your protected Regions**
+ In the AWS Control Tower console, you can view the enabled controls and Regions in the **Enabled controls** section.
+ If you call the `GetEnabledControl` API, the **targetRegions** parameter shows only those Regions where the control is deployed effectively, not the non-deployable Regions.
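The following added example (not code from the AWS documentation) applies the rule above: it computes each control's effective area as the intersection of the governed Regions with the control's deployable Regions, flags workload Regions a control leaves unprotected, and compares the result with the Regions the API reports. The Region lists and control names are constructed; the `DeployableRegions` field (from `GetControl`) and the `targetRegions` list of `{"name": ...}` objects (from `GetEnabledControl`) are assumed shapes.

```python
"""Check which governed Regions each enabled control actually protects, using
the control's deployable Regions (GetControl) and the Regions reported for the
enabled control (GetEnabledControl targetRegions)."""

# Constructed landing-zone data standing in for real API responses.
GOVERNED_REGIONS = ["us-east-1", "eu-west-1", "ap-southeast-1"]  # X, Y, Z above
WORKLOAD_REGIONS = ["us-east-1", "eu-west-1"]

# Per control: DeployableRegions as assumed in GetControl's RegionConfiguration,
# and targetRegions as assumed in GetEnabledControl (list of {"name": ...}).
# Control names are placeholders, not real control identifiers.
ENABLED_CONTROLS = {
    "CONTROL_A": {
        "DeployableRegions": ["us-east-1", "eu-west-1", "ap-southeast-1"],
        "targetRegions": [{"name": "us-east-1"}, {"name": "eu-west-1"},
                          {"name": "ap-southeast-1"}],
    },
    "CONTROL_B": {  # does not support eu-west-1 (Region Y in the text)
        "DeployableRegions": ["us-east-1", "ap-southeast-1"],
        "targetRegions": [{"name": "us-east-1"}, {"name": "ap-southeast-1"}],
    },
    "CONTROL_C": {  # reported Regions disagree with the expected intersection
        "DeployableRegions": ["us-east-1", "eu-west-1", "ap-southeast-1"],
        "targetRegions": [{"name": "us-east-1"}],
    },
}


def effective_regions(governed, deployable):
    """Where a control is really enforced: governed Regions that it supports."""
    return set(governed) & set(deployable)


def coverage_report(governed, workload, controls):
    """For each control, report its effective Regions, the workload Regions it
    leaves unprotected ('gaps'), and any mismatch with what the API reports
    ('drift'), which is worth a closer look during a mixed-governance state."""
    report = {}
    for name, info in controls.items():
        expected = effective_regions(governed, info["DeployableRegions"])
        observed = {r["name"] for r in info.get("targetRegions", [])}
        report[name] = {
            "effective": sorted(expected),
            "gaps": sorted(set(workload) - expected),
            "drift": sorted(expected ^ observed),
        }
    return report


def unprotected_workload_regions(report):
    """Workload Regions where at least one enabled control does not apply."""
    return sorted({r for entry in report.values() for r in entry["gaps"]})


if __name__ == "__main__":
    rep = coverage_report(GOVERNED_REGIONS, WORKLOAD_REGIONS, ENABLED_CONTROLS)
    for name, entry in rep.items():
        print(name, entry)
    print("Regions to review:", unprotected_workload_regions(rep))
```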

# Control behavior and guidance
<a name="control-behavior"></a>

Controls are categorized according to their *behavior* and their *guidance*.

The *behavior* of each control is one of preventive, detective, or proactive. Control *guidance* refers to the recommended practice for how to apply each control to your OUs. The guidance of a control is independent of whether its behavior is preventive, detective, or proactive.

**Control behavior**
+ **Preventive** – A preventive control ensures that your accounts maintain compliance, because it disallows actions that lead to policy violations. The status of a preventive control is either **enforced** or **not enabled**. Preventive controls are supported in all AWS Regions.
+ **Detective** – A detective control detects noncompliance of resources within your accounts, such as policy violations, and provides alerts through the dashboard. The status of a detective control is either **clear**, **in violation**, or **not enabled**. Detective controls apply only in those AWS Regions supported by AWS Control Tower.
+ **Proactive** – A proactive control scans your resources before they are provisioned, and makes sure that the resources are compliant with that control. Resources that are not compliant will not be provisioned. Proactive controls are implemented by means of AWS CloudFormation hooks, and they apply to resources that would be provisioned by AWS CloudFormation. The status of a proactive control is PASS, FAIL, or SKIP. For more information about AWS CloudFormation hooks, see [Characteristics of hooks](https://docs.aws.amazon.com//cloudformation-cli/latest/userguide/hooks.html#hooks-characteristics) in the AWS CloudFormation documentation.

**Implementation of control behavior**
+ The preventive controls are implemented using Service Control Policies (SCPs), Resource Control Policies (RCPs), and declarative policies, which are part of AWS Organizations.
+ The detective controls are implemented using AWS Config rules.
+ The proactive controls are implemented using AWS CloudFormation hooks.
+ Certain mandatory controls are implemented by means of a single SCP that performs multiple actions, rather than as unique SCPs. Therefore, the same SCP is shown in the control reference, under each mandatory control to which that SCP applies.
+ The integrated, detective Security Hub controls are implemented using AWS Config rules, similarly to all Security Hub controls. These controls are owned by the **Service-Managed Standard: AWS Control Tower**, which is part of Security Hub.
+ The integrated AWS Config controls that are available in the control catalog are owned by AWS Config and implemented as Config rules, exactly as any other AWS Config controls.

**Control guidance**

AWS Control Tower provides three categories of guidance: *mandatory*, *strongly recommended*, and *elective* controls.
+ Mandatory controls are enforced in your landing zone depending on what you may have enabled in your environment. These controls protect AWS Control Tower-deployed resources.
+ Strongly recommended controls are designed to enforce some common best practices for well-architected, multi-account environments. These controls apply at the OU level, for all accounts in that OU.
+ Elective controls enable you to track or lock down actions that are commonly restricted in an AWS enterprise environment. These controls apply at the OU level, for all accounts in that OU.

**Starting with AWS Control Tower Landing Zone version 4.0, mandatory controls are no longer applied by default.**

# Considerations for controls and OUs
<a name="control-considerations"></a>

When working with controls and OUs, consider the following properties:

**Controls, landing zones, and OUs**
+ Mandatory controls are no longer enabled by default. Optional controls are applied at the discretion of administrators.
+ Controls can now be enabled on any OU within a customer's AWS Organization once AWS Control Tower is enabled.
+ Regarding nested OUs, preventive controls enabled on an OU higher in the tree apply to all OUs in the tree.
+ Detective controls can be applied to an OU that has either the ConfigBaseline or the AWSControlTowerBaseline enabled.
+ Hook controls can now be deployed into any OU. The hook deploys the AWSServiceRoleForControlTower Service Linked Role (SLR) into the account and activates the opt-in Regions.

For more information about how controls are applied to nested OUs in AWS Control Tower, see [Nested OUs and controls](https://docs.aws.amazon.com//controltower/latest/userguide/nested-ous.html#nested-ous-and-controls).

## Exception to controls for the management account
<a name="exception-to-controls"></a>

The root user and any administrators in the management account can perform work that controls would otherwise deny. This exception is intentional. It prevents the management account from entering into an unusable state. All actions taken within the management account continue to be tracked in the logs contained within the log archive account, for purposes of accountability and auditing.

# Exception to controls for the Security OU
<a name="exception-to-controls-security-ou"></a>

For customers on LZ v4.0:

There is no longer a Security OU managed by AWS Control Tower, so the restrictions below do not apply.

For existing customers on LZ v3.3 and below:

AWS Control Tower deploys and manages resources in the Security OU, which are required so that AWS Control Tower can function properly. You can deploy certain preventive controls (SCP-based) and detective controls (based on AWS Config rules) to this OU. Most controls cannot be enabled for this OU.

**Controls that cannot be deployed to the Security OU**
+ You cannot deploy proactive controls to the Security OU.
+ You cannot deploy Security Hub controls to the Security OU.
+ You cannot deploy RCP-based controls to the Security OU.
+ You cannot deploy declarative policies to the Security OU.
+ Certain SCP-based controls cannot be deployed to the Security OU.

**Controls that are deployable to the Security OU**
+ All controls implemented by AWS Config rules
+ AWS-GR\_AUDIT\_BUCKET\_DELETION\_PROHIBITED (Mandatory)
+ AWS-GR\_AUDIT\_BUCKET\_ENCRYPTION\_ENABLED
+ AWS-GR\_AUDIT\_BUCKET\_LOGGING\_ENABLED
+ AWS-GR\_AUDIT\_BUCKET\_POLICY\_CHANGES\_PROHIBITED (Mandatory)
+ AWS-GR\_AUDIT\_BUCKET\_RETENTION\_POLICY
+ AWS-GR\_CLOUDTRAIL\_CHANGE\_PROHIBITED
+ AWS-GR\_CLOUDTRAIL\_CLOUDWATCH\_LOGS\_ENABLED
+ AWS-GR\_CLOUDTRAIL\_ENABLED
+ AWS-GR\_CLOUDTRAIL\_VALIDATION\_ENABLED
+ AWS-GR\_CLOUDWATCH\_EVENTS\_CHANGE\_PROHIBITED
+ AWS-GR\_CONFIG\_AGGREGATION\_AUTHORIZATION\_POLICY
+ AWS-GR\_CONFIG\_AGGREGATION\_CHANGE\_PROHIBITED
+ AWS-GR\_CONFIG\_CHANGE\_PROHIBITED
+ AWS-GR\_CONFIG\_ENABLED
+ AWS-GR\_CONFIG\_RULE\_CHANGE\_PROHIBITED
+ AWS-GR\_CT\_AUDIT\_BUCKET\_ENCRYPTION\_CHANGES\_PROHIBITED (Mandatory)
+ AWS-GR\_CT\_AUDIT\_BUCKET\_LIFECYCLE\_CONFIGURATION\_CHANGES\_PROHIBITED (Mandatory)
+ AWS-GR\_CT\_AUDIT\_BUCKET\_LOGGING\_CONFIGURATION\_CHANGES\_PROHIBITED (Mandatory)
+ AWS-GR\_CT\_AUDIT\_BUCKET\_POLICY\_CHANGES\_PROHIBITED
+ AWS-GR\_DISALLOW\_CROSS\_REGION\_NETWORKING
+ AWS-GR\_DISALLOW\_VPC\_INTERNET\_ACCESS
+ AWS-GR\_DISALLOW\_VPN\_CONNECTIONS
+ AWS-GR\_IAM\_ROLE\_CHANGE\_PROHIBITED
+ AWS-GR\_LAMBDA\_CHANGE\_PROHIBITED
+ AWS-GR\_LOG\_GROUP\_POLICY
+ AWS-GR\_REGION\_DENY
+ AWS-GR\_RESTRICT\_ROOT\_USER
+ AWS-GR\_RESTRICT\_ROOT\_USER\_ACCESS\_KEYS
+ AWS-GR\_RESTRICT\_S3\_CROSS\_REGION\_REPLICATION
+ AWS-GR\_RESTRICT\_S3\_DELETE\_WITHOUT\_MFA
+ AWS-GR\_SNS\_CHANGE\_PROHIBITED
+ AWS-GR\_SNS\_SUBSCRIPTION\_CHANGE\_PROHIBITED
+ CT.BACKUP.PV.1
+ CT.BACKUP.PV.2
+ CT.BACKUP.PV.3
+ CT.CLOUDFORMATION.PR.1
+ CT.IAM.PV.1
+ CT.S3.PV.1
+ CT.S3.PV.7
+ CT.S3.PV.8
+ CT.SNS.PV.1

# Considerations for controls and accounts
<a name="controls-and-accounts"></a>

When working with controls and accounts, consider the following properties:

**Controls and accounts**
+ Accounts created through the Account Factory in AWS Control Tower inherit the controls of the parent OU, and the associated resources are created.
+ When you enable optional controls, AWS Control Tower creates and manages certain additional AWS resources in your accounts. Do not modify or delete resources created by AWS Control Tower. Doing so could result in the controls entering an unknown state. For more information, see [The AWS Control Tower controls library](https://docs.aws.amazon.com//controltower/latest/controlreference/controls-reference.html).

# About common controls
<a name="common-controls-list"></a>

This page provides an overview and a partial list of the common controls available in the Control Catalog. You can get a complete list of common controls by calling the [ListCommonControls](https://docs.aws.amazon.com/controlcatalog/latest/APIReference/API_ListCommonControls.html) API.

**Common controls in the ontology**
+ In the [Control Catalog ontology](https://docs.aws.amazon.com//controlcatalog/latest/userguide/ontology-overview.html), a *common control* conceptually expresses a single constraint or outcome that controls can help you accomplish.
+ In the hierarchy of the ontology, each common control has a single [control objective](https://docs.aws.amazon.com//controltower/latest/controlreference/control-catalog-objectives.html).

A common control is more granular than a control objective, but it is not limited to any particular implementation. In fact, a common control can be implemented in several different ways, by individual controls that you can view and enable. Hierarchically, a common control is the parent of certain individual controls that you see in the Control Catalog.

Because common controls are free of implementation, they do not have a defined **Behavior** or **Guidance**. A common control may be implemented by various preventive, detective, or proactive controls, or a combination of these. Common controls themselves cannot be enabled; only their implementations can be enabled.

**Common controls and industry frameworks**

Each common control can be mapped to several industry frameworks, because that common control can help you meet specific framework requirements. In the Control Catalog ontology, an industry framework is represented by the term *Standard control*, because the standard control represents a specific requirement of an industry standard. 

**Note**  
In the AWS Control Tower console, the field called **Frameworks** on the **Control detail** page shows the frameworks that are related to the control.

**View common controls**

You can view each common control on a page in the console, and see a list of specific controls that implement the common control's functionality. 

In the AWS Control Tower console, you can view the **Common control** field on the **Control details** page of a control. Each implemented control has a parent common control.

You can find the common control that is related to any specific control programmatically, by calling the `GetControl` or `ListControls` API.

**Examples of common controls**
+ Log aggregation
+ Secure development environment
+ Network topology design and review
+ Asset retirement and disposition
+ Data backup procedures
+ Evidence preservation procedures and chain of custody
+ Security metrics
+ Guest and limited access wireless network management
+ Asset labeling
+ Security cameras
+ Vendor incident management
+ Data error checking and correction
+ Secure encryption protocols
+ Log protection and integrity
+ Collaboration and communication
+ External vulnerability scanning
+ Patch testing and approval
+ Access request and approval workflows
+ Rollback and recovery procedures
+ Security testing

# Control catalog: control objectives
<a name="control-catalog-objectives"></a>

This document gives details about the control objectives from the AWS Control Tower Control Catalog.

**Control Catalog: control objectives**

| **Number** | **Objective** | **Explanation** | 
| --- | --- | --- | 
| 1 | Asset inventory management | This control objective focuses on maintaining an accurate and up-to-date inventory of assets, including hardware, software, and data, to protect organization investments from harm or loss. | 
| 2 | Asset classification | This control objective focuses on classifying assets based on their value, sensitivity, and criticality to the organization to manage investment risk and unauthorized access to assets and information. | 
| 3 | Asset maintenance | This control objective focuses on maintaining the availability and integrity of assets, including performance management, regular maintenance, and repairs to protect and extract the maximum value of the organization's IT investments. | 
| 4 | Asset lifecycle management | This control objective focuses on managing assets throughout their entire lifecycle, including acquisition, deployment, use, and retirement. This helps manage risks associated with asset costs by ensuring optimum asset productivity, performance, efficiency, and profitability. | 
| 5 | Asset loss prevention, response, and recovery | This control objective focuses on preventing asset loss, and responding to and recovering lost, stolen, or damaged assets to contribute to the organization's profitability by reducing losses. | 
| 6 | Business continuity | This control objective focuses on developing and maintaining plans, procedures, and protocols that support an organization's ability to recover critical business functions in the event of a disruption, including backup and recovery and business impact analysis. | 
| 7 | Disaster recovery | This control objective focuses on the steps and technologies necessary to recover critical information resources in the event of a natural disaster, security event and/or incident, and/or system outage and ensure critical business functions can continue. | 
| 8 | Crisis and emergency management | This control objective focuses on the development and maintenance of plans and procedures to mitigate the effects of and recover from a crisis or emergency, and ensure that critical business functions can continue. | 
| 9 | Data classification and handling | This control objective focuses on the classification of data based on its sensitivity and implementation of appropriate controls for handling and protecting data based on its classification. This includes data handling procedures, access controls, and data loss prevention (DLP) solutions to minimize the risk of data loss, corruption, or compromise. | 
| 10 | Data integrity | This control objective focuses on data integrity, such as data validation, checksum verification, and digital signing, to ensure data is reliable and traceable to origin. | 
| 11 | Data retention and disposal | This control objective focuses on the implementation of policies for retaining and disposing of data in a secure and compliant manner. This includes securely deleting data from storage devices, wiping data from devices before disposal, and establishing retention periods for different types of data. | 
| 12 | Data backup and recovery | This control objective focuses on the implementation of backup and recovery procedures to ensure that data can be restored in the event of a data loss incident. This includes regular backups, offsite storage, and testing of backup and recovery procedures. | 
| 13 | Data encryption | This control objective focuses on the use of encryption to protect data both in transit and at rest, to minimize the risk of data loss, corruption, or compromise. This includes using encryption for email, file transfer, and storage. | 
| 14 | Cryptographic key management | This control objective focuses on processes for managing cryptographic keys throughout their lifecycle, from creation to destruction, to minimize the risk of data loss, corruption, or compromise. | 
| 15 | Data anonymization, tokenization, masking, and redaction | This control objective focuses on data anonymization, tokenization, masking, and redaction to protect sensitive data and minimize the risk of unauthorized access to data, and of data loss, corruption, or compromise. This includes truncating sensitive information, replacing it with realistic but fictitious data, or using tokens to represent sensitive data for other purposes, such as data analytics. | 
| 16 | Identity management | This control objective focuses on the management of digital identities, including the creation, maintenance, verification, and retirement of user accounts, enforcement of authentication and authorization policies, and use of federated identities to reduce the risk of unauthorized access to resources and data. | 
| 17 | Authentication and access control | This control objective focuses on user and system authentication, password management policies, privileged account management, and access controls restrictions. | 
| 18 | Identity governance and administration (IGA) | This control objective focuses on the policies, procedures, and technologies used to manage user identities and access entitlements throughout their lifecycle. | 
| 19 | Incident response planning | This control objective focuses on developing and maintaining incident response plans, assimilating an incident response team, defining roles and responsibilities, and conducting incident response training and exercises. This enables the organization to act quickly and respond efficiently in the event of a threat. | 
| 20 | Incident containment and mitigation | This control objective focuses on containing and limiting the impact of security incidents, and mitigating the root cause of an incident to prevent further damage to the organization and assets. | 
| 21 | Incident investigation and response | This control objective focuses on investigating security incidents, including preserving and analyzing evidence, conducting interviews, performing root cause analysis, and implementing remediation measures. This enables organizations to take corrective actions to prevent recurrence and demonstrates the organization's commitment to protect the well-being of people. | 
| 22 | Incident reporting and communication | This control objective focuses on reporting potential security incidents to appropriate security personnel and communicating security incidents to relevant stakeholders to improve risk management, take necessary response actions, and track incident progress to help determine business impacts. | 
| 23 | Incident metrics and continuous improvement | This control objective focuses on measuring and tracking incident management performance, such as incident response times, incident resolution rates, and root cause analysis outcomes. | 
| 24 | Privacy Laws | This control objective focuses on regulations and laws to protect individuals' personal data from unauthorized access, misuse, or disclosure. The intent is to ensure that entities collecting or processing such data do so responsibly, transparently, and with the individual's knowledge and consent, thereby safeguarding an individual's right to privacy and trust in the digital ecosystem. | 
| 25 | Log generation and integrity | This control objective focuses on log generation, including security logs and audit trails, to record activity and reduce fraud, errors, and unauthorized use within the organization's compute environment. This includes ensuring log integrity and confidentiality remain intact from the point of generation. | 
| 26 | Log retention | This control objective focuses on retaining and archiving log data for a specified period of time to meet regulatory requirements and support incident response and forensic investigations. | 
| 27 | Log aggregation and analysis | This control objective focuses on real-time monitoring of logs and events. This involves aggregating, normalizing, correlating, analyzing, and reviewing log data, including security events, audit trails, and user activity, from multiple sources to identify security events or patterns that may indicate an ongoing or emerging threat. | 
| 28 | Alerting and Notification | This control objective focuses on generating alerts and notifications to relevant parties of potential security incidents or risks based on log monitoring and analysis results. | 
| 29 | Log monitoring and event management tools | This control objective focuses on selecting, implementing, and maintaining log monitoring and event management tools and technologies to support real-time log analysis, retention, and protection. This supports timely response to anomalous activity and security events reducing the risk of undetected or unknown threats to the organization. | 
| 30 | Network architecture and secure configuration | This control objective focuses on network architecture, design, and secure configuration of network devices or services, including routing, switching, and firewall solutions, to prevent malicious and unnecessary content from entering the environment. | 
| 31 | Network monitoring | This control objective focuses on monitoring and analyzing network traffic, including intrusion detection and prevention and network flow analysis, to identify and respond to potential threats quickly before they escalate into a serious security incident. | 
| 32 | Wireless network security | This control objective focuses on management of wireless network access, including secure configuration and encryption. | 
| 33 | Network filtering | This control objective focuses on filtering and inspecting network traffic for unwanted or malicious content to reduce the risk of unauthorized data exfiltration, spread of malware, and impact of compromised systems to other resources. | 
| 34 | Physical security management | This control objective focuses on the organization's ability to ensure the physical security of corporate facilities, data centers, and other locations to prevent or reduce threats to people, information, and assets that may cause damage or loss. This includes surveillance and physical access management processes and systems. | 
| 35 | Environmental protection controls | This control objective focuses on securing the physical environment of assets, such as temperature and humidity controls, fire suppression systems, water detection mechanisms, and redundant power supply, to prevent or reduce threats to people, information, and assets that may cause damage or loss. | 
| 36 | Vulnerability scanning and remediation | This control objective focuses on scanning systems and applications to identify and remediate known vulnerabilities to reduce the risk of attack and exploitations. | 
| 37 | IT risk assessment and management | This control objective focuses on identifying, assessing, prioritizing, reporting, and responding to risks, and implementing risk mitigation strategies to reduce risks to acceptable levels based on defined risk tolerance. | 
| 38 | Vulnerability assessments and prioritization | This control objective focuses on processes for determining the severity of risks, threats, and vulnerabilities and prioritizing them for remediation based on the level of risk they pose to reduce chances of attack and exploitations. | 
| 39 | Continuous vulnerability monitoring | This control objective focuses on continuously monitoring and actively searching for vulnerabilities and threats to detect vulnerabilities in real-time enabling faster response and containment of a security incident to reduce risk of escalation. | 
| 40 | Threat intelligence | This control objective focuses on gathering and analyzing information on current and emerging threats to proactively identify vulnerabilities and potential attack vectors, and reduce the risk of security incidents. | 
| 41 | Vulnerability reporting and metrics | This control objective focuses on determining and reporting on key performance indicators (KPIs) and metrics to measure the effectiveness of threat and vulnerability management processes and communicate risk to stakeholders. | 
| 42 | Offensive security | This control objective focuses on actively identifying and exploiting vulnerabilities in computer systems and networks to assess their security posture and develop strategies to improve their overall security to reduce the risk of exploitation and attack. | 
| 43 | Malware protection | This control objective focuses on preventing, detecting, and remediating malware infections on systems and networks to reduce the risk of attack and exploitation. | 
| 44 | Development lifecycle processes | This control objective focuses on the software development lifecycle processes, such as requirements gathering, design, coding, deployment, and maintenance of code, to reduce the risk of introducing vulnerabilities or insecure code into production environments. | 
| 45 | Code reviews and testing | This control objective focuses on testing and reviewing code to ensure that it meets the requirements and is securely developed, to reduce the risk of introducing vulnerabilities or insecure code into production environments. | 
| 46 | Secure configuration management | This control objective focuses on maintaining secure configurations of systems and software, and managing configuration drift, to reduce the risk of performance issues, inconsistencies, errors and compliance issues that can lead to compromise and unintended data exposure. | 
| 47 | Patch management | This control objective focuses on maintaining system and software security and functionality by ensuring that patches and updates are applied in a timely and effective manner to reduce the risk of cyberattacks and compromise. | 
| 48 | Change management | This control objective focuses on managing changes to the software, including testing, approval, and implementation to minimize disruption, reduce costly back-out activities, and provide clear communication of changes to stakeholders. | 
| 49 | DevOps | This control objective focuses on integrating development and operations teams to ensure rapid and secure deployments, accelerated innovation, and reduced failure rates and recovery times. | 
| 50 | Compliance management | This control objective focuses on establishing and enforcing policies, procedures, and controls that adhere to applicable regulatory security and compliance requirements and industry best practices that ensure operational accountability with organizational obligations that govern the business. | 
| 51 | Security governance & program management | This control objective focuses on establishing the set of practices, policies, and procedures that guide an organization's approach to information security to ensure alignment with the organization's business goals and objectives to protect the organization's assets from unauthorized access, use, disclosure, modification, or destruction. This involves establishment of a consistent and structured information security program and strategy that supports employee awareness and acknowledgement of security policies outlining employee responsibilities for complying with organizational governance. | 
| 52 | Security awareness | This control objective focuses on security awareness for individuals within an organization by providing training, knowledge, understanding, and behavioral awareness related to security risks and best practices, with the goal of preventing security incidents and improving overall security posture. | 
| 53 | Vendor selection | This control objective focuses on the organization establishing risk-based evaluation criteria, due diligence procedures, and contractual clauses for third party vendor, supplier, and service provider selection to identify and prepare for vendor risks, and avoid disruption to business performance. | 
| 54 | Vendor management | This control objective focuses on assessing and managing third-party risks, monitoring and reviewing third-party activities, and managing third-party security incidents to identify vendor risks and reduce the potential for business disruption or negative impact on business performance. Third parties include vendors, suppliers, and service providers. | 

**Note**  
This data was generated from Control Catalog using the command: `aws controlcatalog list-objectives`

# Legacy control objectives
<a name="list-of-control-objectives"></a>

**Warning**  
This page will be removed in a future release.

These control objectives were the original objectives for AWS Control Tower controls. As AWS Control Tower has expanded to include more industry frameworks, we have expanded the list of objectives. This list is available as historical guidance, to help you make the transition to newer controls and API implementations.

Sometimes controls must be applied in a group so that the control objective is enforced. Information about related controls is viewable in the AWS Control Tower console, on the **Control details** page.

**Legacy control objectives**

For more information about controls, see the [AWS Control Tower controls reference](https://docs.aws.amazon.com//controltower/latest/controlreference/controls-reference.html). To retrieve the most up-to-date list of control objectives, call the [ListObjectives](https://docs.aws.amazon.com/controlcatalog/latest/APIReference/API_ListObjectives.html) API of AWS Control Catalog (the `controlcatalog` namespace in the AWS CLI and SDKs).
+ **CO.1** Establish logging and monitoring
+ **CO.2** Encrypt data at rest
+ **CO.3** Encrypt data in transit
+ **CO.4** Protect data integrity
+ **CO.5** Enforce least privilege
+ **CO.6** Limit network access
+ **CO.7** Optimize costs
+ **CO.8** Improve resiliency
+ **CO.9** Improve availability
+ **CO.10** Protect configurations
+ **CO.11** Prepare for incident response
+ **CO.12** Manage vulnerabilities
+ **CO.13** Manage secrets
+ **CO.14** Prepare for disaster recovery
+ **CO.15** Use strong authentication

# Frameworks supported
<a name="frameworks-supported"></a>

The controls available in Control Catalog support several industry frameworks.
+ ACSC-Essential-Eight-Nov-2022
+ ACSC-ISM-02-Mar-2023
+ AWS-WAF-v10
+ CCCS-Medium-Cloud-Control-May-2019
+ CIS-AWS-Benchmark-v1.2
+ CIS-AWS-Benchmark-v1.3
+ CIS-AWS-Benchmark-v1.4
+ CIS-v7.1
+ CIS-v8.0
+ FedRAMP-r4
+ ISO-IEC-27001:2013-Annex-A
+ NIST-CSF-v1.1
+ NIST-SP-800-171-r2
+ NIST-SP-800-53-r5
+ PCI-DSS-v3.2.1
+ PCI-DSS-v4.0
+ SSAE-18-SOC-2-Oct-2023

For more information, see the Control Catalog [Ontology overview](https://docs.aws.amazon.com//controlcatalog/latest/userguide/ontology-overview.html).

# View control details
<a name="control-details"></a>

You can view control details in the AWS Control Tower console or retrieve them programmatically using [Control Catalog APIs](https://docs.aws.amazon.com/controlcatalog/latest/APIReference/Welcome.html).

## Access control metadata in the console
<a name="access-control-metadata-console"></a>

To view details about an individual control in the AWS Control Tower console, select the name of the control from the table on the **Controls** page. On the console page for the control, you may see metadata items such as **Categories**: Common controls, Frameworks, Services, and Groups. Select each item to get more information about the control. You can find additional information in the tabs: **About**, **OUs enabled**, and **Accounts**.

For each control, the global **API controlIdentifier** is available in the console, along with the framework and objective.

In each **Control details** page of the console, you can find the following details for each control:
+ **Name** – The name of the control.
+ **Common control (formerly, Control objective)** – The pre-defined objective that an implemented control helps you enforce. See [Control catalog: control objectives](control-catalog-objectives.md) and [About common controls](https://docs.aws.amazon.com/controltower/latest/controlreference/common-controls-list.html).
+ **Service** – The AWS service to which this control applies.
+ **Control owner** – The AWS service that owns and maintains this control.
+ **Behavior** – A control's behavior is set to preventive, detective, or proactive.
+ **Implementation** – The underlying implementation method for this control, such as SCP, AWS Config managed rule, or CloudFormation hook.
+ **GovernedResources** – The AWS resources that are monitored or affected by this control. This field can show an AWS service name or a CloudFormation resource type. It can be blank if there's no CloudFormation resource type to represent the resource, or if the control governs resources across several AWS services (for example, the Region Deny control).
+ **Framework** – The industry-standard compliance framework that this control helps to enforce, for example, **NIST 800-53 Rev 5**.
+ **Control ID (Alias)** – A unique identifier assigned to each control. This identifier is part of a classification system for the controls.
+ **API controlIdentifier** – This identifier is needed when calling the AWS Control Tower APIs.
+ **Group** – A label for a group of controls with similar purpose, such as helping you create Digital Sovereignty.
+ **Guidance** – The guidance is either mandatory, strongly recommended, or elective.
+ **Severity** – The relative risk associated with any violation of this control.
+ **Release date** – The date the control became available.
+ **Deployable Regions** – Regions in which the control is available to be deployed.

**Note**  
The control **State** and status information is available in the console only. It is not available from the [public API](https://docs.aws.amazon.com//controltower/latest/APIReference/API_Operations.html). To view the status of a control, navigate to the **Control details** page in the AWS Control Tower console.

**Open the tabs**
+ In the **About** tab, you can view the relationships between this control and other controls. We provide recommendations about how certain controls can work together with other controls to provide the best security for your AWS environment.
+ The **OUs enabled** tab shows a list of OUs on which the control is actively enabled.

The status of the Region deny control is shown as a separate entry.

Other information may appear on the **Control details** page, including these items:
+ **Description** – A brief description of the control and its function.
+ **Remediation message** – Suggestions for what to change if your CloudFormation hook control returns a FAIL status.
+ **Remediation samples** – Examples showing configurations that can return a PASS or FAIL result for your CloudFormation hook control.
+ **Usage considerations** – Additional information about how to apply this control or about the resources it can affect.
+ The **Gherkin** artifact – The Gherkin is a readable specification for the CloudFormation hook controls, showing requirements for tests that cause PASS, FAIL, or SKIP results to be returned.

**To view a control artifact**

Each control is implemented by one or more artifacts. These artifacts can include a baseline CloudFormation template, a service control policy (SCP) to prevent account-level configuration changes or activity that may create configuration drift, and AWS Config Rules to detect account-level policy violations.

To view a control's artifact, select the **Artifact** tab to view the **Service control policy (SCP)**, **AWS Config rule**, or **CloudFormation policy template** on the **Control details** page.

**Note**  
The four mandatory controls with `"Sid": "GRCLOUDTRAILENABLED"` are identical by design. The sample code is correct.

## Access control metadata programmatically
<a name="access-control-metadata-programmatically"></a>

Control metadata is available through Control Catalog APIs. For information about control identifiers, see [Resource identifiers for APIs and controls](control-identifiers.md).

To list all controls, use the [ListControls API](https://docs.aws.amazon.com/controlcatalog/latest/APIReference/API_ListControls.html). For example:

```
aws controlcatalog list-controls --max-results 2 --region us-east-1
```

To retrieve detailed metadata for a specific control, use the [GetControl API](https://docs.aws.amazon.com/controlcatalog/latest/APIReference/API_GetControl.html). For example:

```
aws controlcatalog get-control --control-arn arn:aws:controlcatalog:::control/4b0nsxnd47747up54ytdqesxi --region us-east-1
```

For more information, see the [Control Catalog API Reference](https://docs.aws.amazon.com/controlcatalog/latest/APIReference/Welcome.html).

# View enabled controls
<a name="view-enabled-controls"></a>

To view your enabled controls in the AWS Control Tower console, navigate to the **Enabled Controls** page by selecting it from the left navigation pane. 

You can also view your enabled controls programmatically, by calling the [ListEnabledControls](https://docs.aws.amazon.com//controltower/latest/APIReference/API_ListEnabledControls.html) API. Note that `ListEnabledControls` belongs to the `controltower` namespace, whereas the metadata APIs above belong to `controlcatalog`; the `controlIdentifier` returned for each enabled control can be passed directly to `GetControl` to look up its behavior, severity, and deployable Regions.
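The two programmatic paths above (Control Catalog `ListControls`/`GetControl` for metadata, and Control Tower `ListEnabledControls` for what is actually enabled on an OU) are most useful when joined: the catalog tells you a control's behavior, severity, and deployable Regions, and the enabled-controls list tells you where it is applied. The following added example is not code from the AWS documentation. It uses field names from the documented `ListEnabledControls` and `GetControl` responses, but the sample records, identifiers, names, and the OU ARN are constructed for offline use and are not real catalog entries; the `fetch_live` helper assumes boto3's parameter names for these operations and is not exercised by the sample.

```python
"""Join Control Tower's enabled controls with Control Catalog metadata.

Added example, not AWS documentation code. Field names follow the documented
ListEnabledControls (controltower) and GetControl (controlcatalog) responses;
the sample records below are constructed and are not real catalog entries.
"""
from __future__ import annotations

from collections import Counter

# Constructed sample of GetControl responses, keyed by the control ARN that
# ListEnabledControls reports as controlIdentifier (GetControl accepts that ARN).
SAMPLE_CATALOG = {
    "arn:aws:controlcatalog:::control/example-detective": {
        "Name": "Example detective control (S3 public read)",
        "Behavior": "DETECTIVE", "Severity": "CRITICAL",
        "RegionConfiguration": {"Scope": "REGIONAL", "DeployableRegions": ["us-east-1", "eu-west-1"]},
    },
    "arn:aws:controlcatalog:::control/example-preventive": {
        "Name": "Example preventive control (SCP)",
        "Behavior": "PREVENTIVE", "Severity": "HIGH",
        "RegionConfiguration": {"Scope": "GLOBAL"},
    },
    "arn:aws:controlcatalog:::control/example-proactive": {
        "Name": "Example proactive control (CloudFormation hook)",
        "Behavior": "PROACTIVE", "Severity": "MEDIUM",
        "RegionConfiguration": {"Scope": "REGIONAL", "DeployableRegions": ["eu-west-1"]},
    },
}

# Constructed sample of the enabledControls list from ListEnabledControls for one OU
# (made-up OU ARN). The last entry is enabled but absent from our catalog snapshot.
SAMPLE_OU = "arn:aws:organizations::111122223333:ou/o-exampleorgid/ou-examp-1eid"
SAMPLE_ENABLED = [
    {"controlIdentifier": arn, "targetIdentifier": SAMPLE_OU} for arn in SAMPLE_CATALOG
] + [
    {"controlIdentifier": "arn:aws:controlcatalog:::control/example-unlisted",
     "targetIdentifier": SAMPLE_OU},
]


def control_id(arn: str) -> str:
    """Return the opaque identifier after the last '/' of a control ARN."""
    return arn.rsplit("/", 1)[-1]


def is_deployable(meta: dict, region: str) -> bool:
    """True if the control is GLOBAL or lists region among its DeployableRegions."""
    rc = meta.get("RegionConfiguration", {})
    return rc.get("Scope") == "GLOBAL" or region in rc.get("DeployableRegions", [])


def summarize_enabled(enabled: list[dict], catalog: dict, region: str) -> list[dict]:
    """One row per enabled control, enriched with catalog behavior and severity.

    Controls missing from the catalog map are kept and flagged UNKNOWN rather
    than dropped, so the report never silently under-counts what is enabled.
    """
    rows = []
    for ec in enabled:
        arn = ec["controlIdentifier"]
        meta = catalog.get(arn)
        rows.append({
            "id": control_id(arn),
            "target": ec.get("targetIdentifier"),
            "name": meta.get("Name") if meta else None,
            "behavior": meta.get("Behavior", "UNKNOWN") if meta else "UNKNOWN",
            "severity": meta.get("Severity", "UNKNOWN") if meta else "UNKNOWN",
            "deployable": is_deployable(meta, region) if meta else None,
        })
    return rows


def count_by(rows: list[dict], field: str) -> dict:
    """Histogram of one report column, e.g. count_by(rows, 'behavior')."""
    return dict(Counter(r[field] for r in rows))


def not_deployable(rows: list[dict]) -> list[str]:
    """IDs of enabled controls that the catalog says cannot deploy in the region."""
    return [r["id"] for r in rows if r["deployable"] is False]


def fetch_live(ou_arn: str, region: str) -> list[dict]:
    """Run the same report against the real APIs (needs boto3 and credentials).

    Assumes boto3's parameter names (targetIdentifier/nextToken for controltower,
    ControlArn for controlcatalog); not exercised by the offline sample above.
    """
    import boto3  # imported here so the offline helpers need no boto3
    ct = boto3.client("controltower", region_name=region)
    cc = boto3.client("controlcatalog", region_name=region)
    enabled, token = [], None
    while True:  # ListEnabledControls is paginated; follow nextToken to the end
        kwargs = {"targetIdentifier": ou_arn}
        if token:
            kwargs["nextToken"] = token
        page = ct.list_enabled_controls(**kwargs)
        enabled.extend(page["enabledControls"])
        token = page.get("nextToken")
        if not token:
            break
    catalog = {ec["controlIdentifier"]: cc.get_control(ControlArn=ec["controlIdentifier"])
               for ec in enabled}
    return summarize_enabled(enabled, catalog, region)


if __name__ == "__main__":
    report = summarize_enabled(SAMPLE_ENABLED, SAMPLE_CATALOG, "us-east-1")
    print(count_by(report, "behavior"))
    print("not deployable in us-east-1:", not_deployable(report))
```

Run against the constructed sample, the report counts one control per behavior plus one UNKNOWN (the enabled control the catalog snapshot does not know), and flags `example-proactive` as not deployable in `us-east-1`. Keeping unknown controls in the output matters operationally: a control that is enabled but cannot be described from the catalog is exactly the kind of entry that deserves a second look rather than being filtered away.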