

# Controls implemented with declarative policies
<a name="declarative-controls"></a>

This section provides information about AWS Control Tower controls that are implemented by *declarative policies* from AWS Organizations. These are *preventive* controls. For more information about how declarative policies work as preventive controls in AWS Control Tower, see [Declarative policies](https://docs.aws.amazon.com//organizations/latest/userguide/orgs_manage_policies_declarative.html) in the AWS Organizations documentation.

Declarative policies help you define and enforce your required configuration for specified AWS services, across your entire organization, at the OU level. When a declarative policy is applied, the configuration is maintained continuously.

Declarative policies are enforced in each AWS service's control plane, which is an important distinction from controls implemented by service control policies (SCPs). While SCPs regulate access to APIs, declarative policies are applied directly at the service level. This approach ensures that the specified configuration is enforced, even when new features or APIs are introduced by the service.

**Available controls**
+ [[CT.EC2.PV.7] Disallow all public sharing of Amazon EBS snapshots](ct-ec2-pv-7.md)
+ [[CT.EC2.PV.8] Disallow inbound and outbound internet connections to your VPCs through an internet gateway (IGW) or egress-only internet gateway (EIGW)](ct-ec2-pv-8.md)
+ [[CT.EC2.PV.9] Disallow access to the EC2 serial console for all EC2 instances](ct-ec2-pv-9.md)
+ [[CT.EC2.PV.11] Disallow public sharing of Amazon Machine Images (AMIs)](ct-ec2-pv-11.md)

# [CT.EC2.PV.7] Disallow all public sharing of Amazon EBS snapshots
<a name="ct-ec2-pv-7"></a>

This control blocks the public sharing of your Amazon EBS snapshots by configuring block public access for Amazon EBS snapshot settings at an account level. This setting has the effect of preventing all public sharing of your EBS snapshots, so that snapshots that previously were publicly shared are treated as private, and are no longer publicly available.

This is a preventive control with elective guidance, based on declarative policies. By default, this control is not enabled. You can enable this control through the AWS Control Tower console, or through the AWS Control Tower APIs.

**AWS service:** Amazon EC2

**Control metadata**
+ **Control objective:** Enforce least privilege
+ **Implementation:** Declarative policy for EC2
+ **Control behavior:** Preventive
+ **Control owner:** AWS Control Tower
+ **Resource types:** `AWS::::Account`

**Usage considerations**

Enabling this control does not change the permissions for snapshots that are publicly shared already. Instead, it prevents snapshots from being publicly visible and publicly accessible. Therefore, the attributes for these snapshots still indicate that they are publicly shared, even though they are not publicly available. If you later disable this control or adopt the related control to block new sharing in place of this control, these snapshots will become publicly available again.

Enabling this control on an AWS account means that users in the account can no longer request new public sharing of EBS snapshots.

This control includes an AWS Organizations inheritance operator for each policy setting that applies to child policies (`@@operators_allowed_for_child_policies` with a value of `@@all`). This operator allows you to add to, negate, or override each policy setting in this control, when it is applied to child OUs and accounts, by using the AWS Organizations declarative policy syntax. For more information on policy inheritance for AWS Organizations policies, see [Inheritance operators](https://docs.aws.amazon.com/organizations/latest/userguide/policy-operators.html) in the *AWS Organizations User Guide*.

The artifact for this control is the following declarative policy.

```json
{
    "ec2_attributes": {
        "snapshot_block_public_access": {
            "state": {
                "@@assign": "block_all_sharing",
                "@@operators_allowed_for_child_policies": ["@@all"]
            }
        }
    }
}
```
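The usage considerations above say that `@@operators_allowed_for_child_policies` set to `@@all` lets a child OU or account policy add to, negate, or override the setting. The following is an added example, not AWS or Control Tower code, that models that behaviour: it combines a parent declarative policy with a child policy using the documented value-setting operators (`@@assign`, `@@append`, `@@remove`) and returns the effective values with the operators stripped. It is a simplified model (the real effective policy is computed by AWS Organizations), it assumes a missing child-control operator means `@@all`, and it rejects a child operator the parent does not allow by raising an error; the child policy that switches the snapshot setting to `block_new_sharing` is constructed for the example.

```python
"""Simplified model of AWS Organizations inheritance operators for declarative
policies. Added example, not AWS code: it covers only @@assign, @@append and
@@remove, and the @@operators_allowed_for_child_policies child-control operator.
"""
import copy
from typing import Any, Dict, Optional

VALUE_OPERATORS = ("@@assign", "@@append", "@@remove")
CHILD_CONTROL = "@@operators_allowed_for_child_policies"

# The CT.EC2.PV.7 artifact from this page: parent policy attached at the OU.
PV7_POLICY = {
    "ec2_attributes": {
        "snapshot_block_public_access": {
            "state": {
                "@@assign": "block_all_sharing",
                "@@operators_allowed_for_child_policies": ["@@all"],
            }
        }
    }
}

# Constructed child policy (for example, attached to one account) that
# relaxes the setting to the "block new sharing" variant mentioned above.
CHILD_OVERRIDE = {
    "ec2_attributes": {
        "snapshot_block_public_access": {"state": {"@@assign": "block_new_sharing"}}
    }
}

# Same parent, but with child overrides locked out via @@none.
LOCKED_PV7_POLICY = copy.deepcopy(PV7_POLICY)
LOCKED_PV7_POLICY["ec2_attributes"]["snapshot_block_public_access"]["state"][CHILD_CONTROL] = ["@@none"]


def _is_setting(node: Any) -> bool:
    """A setting node is a dict carrying at least one @@ operator key."""
    return isinstance(node, dict) and any(str(k).startswith("@@") for k in node)


def _allowed_for_child(parent_setting: Dict[str, Any]) -> set:
    # Assumption of this model: a parent without the child-control operator allows all.
    declared = parent_setting.get(CHILD_CONTROL, ["@@all"])
    if "@@all" in declared:
        return set(VALUE_OPERATORS)
    if "@@none" in declared:
        return set()
    return set(declared)


def _merge_setting(parent_setting: Dict[str, Any], child_setting: Dict[str, Any]) -> Any:
    """Apply the child's operators to the parent's assigned value."""
    allowed = _allowed_for_child(parent_setting)
    value = copy.deepcopy(parent_setting.get("@@assign"))
    for op in VALUE_OPERATORS:
        if op not in child_setting:
            continue
        if op not in allowed:
            raise ValueError(f"child uses {op}, parent allows only {sorted(allowed)}")
        operand = child_setting[op]
        if op == "@@assign":          # replace the inherited value
            value = copy.deepcopy(operand)
        elif op == "@@append":        # extend a list-valued setting
            value = list(value or []) + list(operand)
        elif op == "@@remove":        # drop entries from a list-valued setting
            value = [v for v in (value or []) if v not in operand]
    return value


def _merge(parent_node: Optional[Dict[str, Any]], child_node: Optional[Dict[str, Any]]) -> Any:
    parent_node = parent_node or {}
    child_node = child_node or {}
    if _is_setting(parent_node) or _is_setting(child_node):
        return _merge_setting(parent_node, child_node)
    # Structural level (e.g. "ec2_attributes"): recurse over the union of keys.
    return {key: _merge(parent_node.get(key), child_node.get(key))
            for key in sorted(set(parent_node) | set(child_node))}


def effective_policy(parent: Dict[str, Any], child: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """Effective values (operators removed) after layering child over parent."""
    return _merge(parent, child or {})


if __name__ == "__main__":
    print(effective_policy(PV7_POLICY))
    print(effective_policy(PV7_POLICY, CHILD_OVERRIDE))
```

Because every Control Tower artifact on this page uses `@@all`, a child policy can weaken the control; if you want the OU-level setting to be final, the place to change that is the child-control operator, which `LOCKED_PV7_POLICY` illustrates with `@@none`.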

# [CT.EC2.PV.8] Disallow inbound and outbound internet connections to your VPCs through an internet gateway (IGW) or egress-only internet gateway (EIGW)
<a name="ct-ec2-pv-8"></a>

This control blocks direct ingress and egress traffic from the internet to your VPCs through an IGW or EIGW, by configuring block public access for VPCs (VPC BPA) at an account level. This control also disallows configuration of any VPC BPA exclusions, which means that if you enable it, you cannot exclude VPCs or subnets from the effects of this control.

This is a preventive control with elective guidance, based on declarative policies. By default, this control is not enabled. You can enable this control through the AWS Control Tower console, or through the AWS Control Tower APIs.

**AWS service:** Amazon EC2

**Control metadata**
+ **Control objective:** Limit network access
+ **Implementation:** Declarative policy for EC2
+ **Control behavior:** Preventive
+ **Control owner:** AWS Control Tower
+ **Resource types:** `AWS::::Account`

**Usage considerations**

This control does not block traffic to your VPC when the traffic originates from locations other than an internet gateway or an egress-only internet gateway, such as traffic from a peered VPC or another VPC-attached gateway (for example, an AWS Transit Gateway or a virtual private gateway). Traffic from these locations may have a public network origin; therefore, AWS Control Tower recommends using EC2 security groups to set least-privilege network access controls, and to ensure that only the required network connections are allowed.

This control does not affect inbound traffic from serverless services, such as API Gateway and Lambda, in your VPCs (for example, traffic that arrives by means of elastic network interfaces or API Gateway private integration). However, VPC BPA will block traffic to or from these services if that traffic passes through an IGW or EIGW in a governed VPC.

This control governs the Amazon EC2 VPC block public access settings that are configured by means of the EC2 `ModifyVpcBlockPublicAccessOptions`, `CreateVpcBlockPublicAccessExclusion`, and `ModifyVpcBlockPublicAccessExclusion` operations. If you apply this control, you cannot use these operations to modify these settings within an enrolled AWS account.

For an overview of VPC connectivity options and recommendations for creating scalable and secure network architectures, see the AWS whitepaper [Building a Scalable and Secure Multi-VPC AWS Network Infrastructure](https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/welcome.html).

This control includes an AWS Organizations inheritance operator for each policy setting that applies to child policies (`@@operators_allowed_for_child_policies` with a value of `@@all`). This operator allows you to add to, negate, or override each policy setting in this control, when it is applied to child OUs and accounts, by using the AWS Organizations declarative policy syntax. For more information on policy inheritance for AWS Organizations policies, see [Inheritance operators](https://docs.aws.amazon.com/organizations/latest/userguide/policy-operators.html) in the *AWS Organizations User Guide*.

The artifact for this control is the following declarative policy.

```json
{
    "ec2_attributes": {
        "vpc_block_public_access": {
            "internet_gateway_block": {
                "mode": {
                    "@@assign": "block_bidirectional",
                    "@@operators_allowed_for_child_policies": ["@@all"]
                },
                "exclusions_allowed": {
                    "@@assign": "disabled",
                    "@@operators_allowed_for_child_policies": ["@@all"]
                }
            }
        }
    }
}
```

# [CT.EC2.PV.9] Disallow access to the EC2 serial console for all EC2 instances
<a name="ct-ec2-pv-9"></a>

This control prevents access to the Amazon EC2 serial console of all EC2 instances for your account.

This is a preventive control with elective guidance, based on declarative policies. By default, this control is not enabled. You can enable this control through the AWS Control Tower console, or through the AWS Control Tower APIs.

**AWS service:** Amazon EC2

**Control metadata**
+ **Control objective:** Limit network access
+ **Implementation:** Declarative policy for EC2
+ **Control behavior:** Preventive
+ **Control owner:** AWS Control Tower
+ **Resource types:** `AWS::::Account`

**Usage considerations**

With the EC2 serial console, you have access to your Amazon EC2 instance's serial port, which you can use to troubleshoot boot, network configuration, and other issues. If you require EC2 serial console access, do not enable this control.

This control governs the Amazon EC2 serial console access setting for the account, which is configured by means of the EC2 `EnableSerialConsoleAccess` and `DisableSerialConsoleAccess` operations. If you apply this control, you cannot use these operations to modify this setting within an enrolled AWS account.

This control includes an AWS Organizations inheritance operator for each policy setting that applies to child policies (`@@operators_allowed_for_child_policies` with a value of `@@all`). This operator allows you to add to, negate, or override each policy setting in this control, when it is applied to child OUs and accounts, by using the AWS Organizations declarative policy syntax. For more information on policy inheritance for AWS Organizations policies, see [Inheritance operators](https://docs.aws.amazon.com/organizations/latest/userguide/policy-operators.html) in the *AWS Organizations User Guide*.

The artifact for this control is the following declarative policy.

```json
{
    "ec2_attributes": {
        "serial_console_access": {
            "status": {
                "@@assign": "disabled",
                "@@operators_allowed_for_child_policies": ["@@all"]
            }
        }
    }
}
```

# [CT.EC2.PV.11] Disallow public sharing of Amazon Machine Images (AMIs)
<a name="ct-ec2-pv-11"></a>

This control prevents the public sharing of your AMIs by configuring block public access for AMIs at an account level. If you already have public AMIs, they remain publicly available.

This is a preventive control with elective guidance, based on declarative policies. By default, this control is not enabled. You can enable this control through the AWS Control Tower console, or through the AWS Control Tower APIs.

**AWS service:** Amazon EC2

**Control metadata**
+ **Control objective:** Enforce least privilege
+ **Implementation:** Declarative policy for EC2
+ **Control behavior:** Preventive
+ **Control owner:** AWS Control Tower
+ **Resource types:** `AWS::::Account`

**Usage considerations**

This control disallows new public sharing of AMIs. It does not restrict access to AMIs that have been shared publicly before this control was enabled.

This control governs Amazon EC2 AMI Block Public Access (BPA) settings that are configured by means of EC2 `EnableImageBlockPublicAccess` and `DisableImageBlockPublicAccess` operations. If you apply this control, you cannot use these operations to modify these settings within an enrolled AWS account.

This control includes an AWS Organizations inheritance operator for each policy setting that applies to child policies (`@@operators_allowed_for_child_policies` with a value of `@@all`). This operator allows you to add to, negate, or override each policy setting in this control, when it is applied to child OUs and accounts, by using the AWS Organizations declarative policy syntax. For more information on policy inheritance for AWS Organizations policies, see [Inheritance operators](https://docs.aws.amazon.com/organizations/latest/userguide/policy-operators.html) in the *AWS Organizations User Guide*.

The artifact for this control is the following declarative policy.

```json
{
    "ec2_attributes": {
        "image_block_public_access": {
            "state": {
                "@@assign": "block_new_sharing",
                "@@operators_allowed_for_child_policies": ["@@all"]
            }
        }
    }
}
```
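Each of the four controls on this page pins one account-level EC2 setting, and each states the EC2 operations it governs. The following is an added example, not AWS Control Tower code, that audits an account's observed settings against the state each control enforces: the evaluation is a pure function over the responses of the EC2 read operations (`GetSnapshotBlockPublicAccessState`, `DescribeVpcBlockPublicAccessOptions`, `GetSerialConsoleAccessStatus`, `GetImageBlockPublicAccessState`), so it runs here on constructed sample responses, while `collect_live_state()` shows the boto3 calls that return the same shapes and needs credentials. The response field names are assumed to follow the EC2 API as documented for these operations; check them against the SDK version you use. Because the settings are regional, a real audit runs the live collection once per enabled region.

```python
"""Audit EC2 account-level settings against the four declarative-policy
controls on this page. Added example; not AWS Control Tower code."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Finding:
    control: str
    compliant: bool
    detail: str


def evaluate(state: Dict[str, dict]) -> List[Finding]:
    """Compare observed settings with what each control enforces.
    Missing fields are treated as the weakest setting, so an incomplete
    response reports as non-compliant rather than silently passing."""
    findings: List[Finding] = []

    # CT.EC2.PV.7: snapshot block public access must be block-all-sharing.
    snap = state["snapshot"].get("State", "unblocked")
    findings.append(Finding("CT.EC2.PV.7", snap == "block-all-sharing",
                            f"snapshot block public access state is '{snap}'"))

    # CT.EC2.PV.8: VPC BPA must block both directions and forbid exclusions.
    opts = state["vpc_bpa"].get("VpcBlockPublicAccessOptions", {})
    mode = opts.get("InternetGatewayBlockMode", "off")
    exclusions = opts.get("ExclusionsAllowed", "allowed")
    findings.append(Finding("CT.EC2.PV.8",
                            mode == "block-bidirectional" and exclusions == "not-allowed",
                            f"IGW block mode is '{mode}', exclusions '{exclusions}'"))

    # CT.EC2.PV.9: serial console access must be disabled.
    serial = state["serial_console"].get("SerialConsoleAccessEnabled", True)
    findings.append(Finding("CT.EC2.PV.9", not serial,
                            f"serial console access enabled: {serial}"))

    # CT.EC2.PV.11: AMI block public access must block new sharing.
    ami = state["ami"].get("ImageBlockPublicAccessState", "unblocked")
    findings.append(Finding("CT.EC2.PV.11", ami == "block-new-sharing",
                            f"AMI block public access state is '{ami}'"))
    return findings


def noncompliant(findings: List[Finding]) -> List[str]:
    """Control IDs whose enforced state was not observed."""
    return [f.control for f in findings if not f.compliant]


def collect_live_state(region: str) -> Dict[str, dict]:
    """Read the four settings from one region with boto3 (needs credentials;
    not executed by the offline example). boto3 is imported here so the
    evaluation above has no SDK dependency."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    return {
        "snapshot": ec2.get_snapshot_block_public_access_state(),
        "vpc_bpa": ec2.describe_vpc_block_public_access_options(),
        "serial_console": ec2.get_serial_console_access_status(),
        "ami": ec2.get_image_block_public_access_state(),
    }


# Constructed sample responses (not captured from a real account).
ENFORCED_STATE = {
    "snapshot": {"State": "block-all-sharing"},
    "vpc_bpa": {"VpcBlockPublicAccessOptions": {
        "InternetGatewayBlockMode": "block-bidirectional",
        "ExclusionsAllowed": "not-allowed"}},
    "serial_console": {"SerialConsoleAccessEnabled": False},
    "ami": {"ImageBlockPublicAccessState": "block-new-sharing"},
}

# Constructed drift: weaker snapshot setting, VPC BPA still allows
# exclusions, serial console on, AMI sharing unblocked.
DRIFTED_STATE = {
    "snapshot": {"State": "block-new-sharing"},
    "vpc_bpa": {"VpcBlockPublicAccessOptions": {
        "InternetGatewayBlockMode": "block-bidirectional",
        "ExclusionsAllowed": "allowed"}},
    "serial_console": {"SerialConsoleAccessEnabled": True},
    "ami": {"ImageBlockPublicAccessState": "unblocked"},
}

if __name__ == "__main__":
    for f in evaluate(DRIFTED_STATE):
        print(f"{f.control}: {'OK' if f.compliant else 'NON-COMPLIANT'} ({f.detail})")
```

The `DRIFTED_STATE` case shows why CT.EC2.PV.8 is checked on two fields: an account can have bidirectional blocking in place and still be non-compliant because exclusions remain allowed, which is exactly the combination the control's `exclusions_allowed: disabled` setting rules out.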