Control limitations - AWS Control Tower

Control limitations

AWS Control Tower assists you with maintaining a secure, multi-account environment on AWS by means of controls, which are implemented in various forms, such as service control policies (SCPs), AWS Config rules, and AWS CloudFormation hooks.

The Controls Reference Guide

Detailed information about AWS Control Tower controls has been moved to the AWS Control Tower Controls Reference Guide.

If you modify AWS Control Tower resources, such as an SCP, or remove any AWS Config resource, such as a Config recorder or aggregator, AWS Control Tower can no longer guarantee that the controls are functioning as designed. Therefore, the security of your multi-account environment may be compromised. The AWS shared responsibility model of security is applicable to any such changes you may make.

Note

AWS Control Tower helps maintain the integrity of your environment by resetting the SCPs of the preventive controls to their standard configuration when you update your landing zone. Changes that you may have made to SCPs are replaced by the standard version of the control, by design.

Limitations by Region

Some controls in AWS Control Tower do not operate in certain AWS Regions where AWS Control Tower is available, because those Regions do not support the required underlying functionality. As a result, when you enable such a control, it may not be operating in every Region that you govern with AWS Control Tower, and the resources you create there are not evaluated by it. This limitation affects certain detective controls, certain proactive controls, and certain controls in the Security Hub Service-managed Standard: AWS Control Tower. For more information about Regional availability, see the Security Hub controls reference documentation and the Regional services list documentation.

Control behavior also is limited in case of mixed governance. For more information, see Avoid mixed governance when configuring Regions.

For more information about how AWS Control Tower manages the limitations of Regions and controls, see Considerations for activating AWS opt-in Regions.

Note

For the most updated information about controls and Region support, we recommend that you call the GetControl and ListControls API operations.

Find available controls and Regions

You can view the available Regions for each control in the AWS Control Tower console. You can view the available Regions programmatically with the GetControl and ListControls APIs from AWS Control Catalog.

Also see the reference table of AWS Control Tower controls and supported Regions, Control availability by Region, in the AWS Control Tower Controls Reference Guide.

For information about AWS Security Hub controls from the Service-Managed Standard: AWS Control Tower that are not supported in certain AWS Regions, see "Unsupported Regions" in the Security Hub standard.
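The following is an added example, not code from the AWS documentation or from the AWS Control Tower service. It shows how to turn the GetControl data mentioned above into the coverage check a practitioner actually wants: for each control, which of the Regions you govern with AWS Control Tower the control cannot be deployed in, and, inverted, which controls leave a given governed Region uncovered. The control records are dicts in the shape of a GetControl response (RegionConfiguration.Scope and RegionConfiguration.DeployableRegions); the governed Region list, the control ARNs, the use of the Name field as the control identifier, the DeployableRegions lists, and the rule that a Scope of GLOBAL covers every Region are all constructed or assumed for illustration, not real control metadata. The optional fetch_controls_from_aws helper calls the Control Catalog ListControls and GetControl operations through boto3 and needs credentials; everything else runs offline.

```python
"""Region coverage check for AWS Control Tower controls (added example).

Reads control metadata in the shape of the AWS Control Catalog GetControl
response and reports the governed Regions in which each control cannot be
deployed. SAMPLE_CONTROLS and GOVERNED_REGIONS are constructed for
illustration and are not the real deployable-Region lists of any control.
"""
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed sample: the Regions governed by your landing zone (assumption).
GOVERNED_REGIONS = ["us-east-1", "us-west-1", "eu-west-1", "ca-west-1", "ap-southeast-5"]

# Constructed sample records in GetControl response shape. ARNs, Names and
# DeployableRegions are illustrative only.
SAMPLE_CONTROLS = [
    {
        "Arn": "arn:aws:controlcatalog:::control/example-dax-2",
        "Name": "CT.DAX.PR.2",
        "RegionConfiguration": {
            "Scope": "REGIONAL",
            "DeployableRegions": ["us-east-1", "eu-west-1"],
        },
    },
    {
        "Arn": "arn:aws:controlcatalog:::control/example-root-mfa",
        "Name": "AWS-GR_ROOT_ACCOUNT_MFA_ENABLED",
        "RegionConfiguration": {
            "Scope": "REGIONAL",
            "DeployableRegions": ["us-east-1", "us-west-1", "eu-west-1"],
        },
    },
    {
        "Arn": "arn:aws:controlcatalog:::control/example-global",
        "Name": "EXAMPLE_GLOBAL_CONTROL",
        "RegionConfiguration": {"Scope": "GLOBAL"},
    },
]


def non_deployable_regions(control: Dict, governed: Iterable[str]) -> List[str]:
    """Return the governed Regions where `control` cannot be deployed.

    Assumption: a control with Scope GLOBAL covers every Region and carries
    no DeployableRegions list, so it never produces a gap.
    """
    cfg = control.get("RegionConfiguration", {})
    if cfg.get("Scope") == "GLOBAL":
        return []
    deployable = set(cfg.get("DeployableRegions", []))
    return sorted(r for r in governed if r not in deployable)


def coverage_report(controls: Iterable[Dict], governed: Iterable[str]) -> Dict[str, List[str]]:
    """Map control name -> governed Regions it cannot reach (fully covered
    controls are omitted). This is the per-control view of the doc's table."""
    governed = list(governed)
    report = {}
    for control in controls:
        gaps = non_deployable_regions(control, governed)
        if gaps:
            report[control["Name"]] = gaps
    return report


def regions_by_gap(report: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Invert the report: Region -> controls that cannot be deployed there,
    which is what you need when deciding whether to govern a new Region."""
    inverted = defaultdict(list)
    for name, regions in report.items():
        for region in regions:
            inverted[region].append(name)
    return {region: sorted(names) for region, names in sorted(inverted.items())}


def fetch_controls_from_aws(region_name: str = "us-east-1") -> List[Dict]:
    """Optional: pull live metadata with boto3 (needs AWS credentials).
    ListControls is paginated with NextToken; GetControl returns the
    RegionConfiguration that the offline functions above consume."""
    import boto3  # imported here so the rest of the module runs offline

    client = boto3.client("controlcatalog", region_name=region_name)
    controls, kwargs = [], {}
    while True:
        page = client.list_controls(**kwargs)
        for summary in page["Controls"]:
            controls.append(client.get_control(ControlArn=summary["Arn"]))
        if not page.get("NextToken"):
            return controls
        kwargs = {"NextToken": page["NextToken"]}


if __name__ == "__main__":
    report = coverage_report(SAMPLE_CONTROLS, GOVERNED_REGIONS)
    for name, gaps in report.items():
        print(f"{name}: not deployable in {', '.join(gaps)}")
    for region, names in regions_by_gap(report).items():
        print(f"{region}: {len(names)} governed control(s) with no coverage here")
```

Run the script as-is to see the offline sample; replace SAMPLE_CONTROLS with fetch_controls_from_aws() and GOVERNED_REGIONS with your landing zone's governed Regions to audit a real environment. The point of the inverted view is the mixed-governance warning above: a Region that appears in regions_by_gap is one where enabling the control gives you no detection or enforcement for the listed controls, so treat it as ungoverned for those controls rather than as covered.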

The following table shows specific proactive controls that are not supported in certain AWS Regions.

Control identifier: Non-deployable Regions

CT.DAX.PR.2: ap-southeast-5, ca-west-1, us-west-1

CT.REDSHIFT.PR.5: ap-south-2, ap-southeast-3, ap-southeast-4, ca-west-1, eu-central-2, eu-south-2, il-central-1, me-central-1

The following table shows AWS Control Tower detective controls that are not supported in certain AWS Regions.

Control identifier: Non-deployable Regions

API_GW_CACHE_ENABLED_AND_ENCRYPTED: ap-southeast-5, ca-west-1

APPSYNC_ASSOCIATED_WITH_WAF: af-south-1, ap-south-2, ap-southeast-3, ap-southeast-4, ap-southeast-5, ca-west-1, eu-central-2, eu-south-2, il-central-1, me-central-1

AURORA_LAST_BACKUP_RECOVERY_POINT_CREATED: ap-south-2, ap-southeast-3, ap-southeast-4, ap-southeast-5, ca-west-1, eu-central-2, eu-south-2, il-central-1, me-central-1

AURORA_RESOURCES_PROTECTED_BY_BACKUP_PLAN: ap-south-2, ap-southeast-3, ap-southeast-4, ap-southeast-5, ca-west-1, eu-central-2, eu-south-2, il-central-1, me-central-1

AUTOSCALING_CAPACITY_REBALANCING: ap-south-2, ap-southeast-3, ap-southeast-4, ap-southeast-5, ca-west-1, eu-central-2, eu-south-2, il-central-1, me-central-1

AWS-GR_AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED: ap-northeast-3, ap-southeast-3, ap-southeast-4, ap-southeast-5, ca-west-1, il-central-1

AWS-GR_DMS_REPLICATION_NOT_PUBLIC: af-south-1, ap-south-2, ap-southeast-3, ap-southeast-4, ap-southeast-5, ca-west-1, eu-central-2, eu-south-1, eu-south-2, il-central-1, me-central-1

AWS-GR_EBS_OPTIMIZED_INSTANCE: ap-southeast-5, ca-west-1

AWS-GR_EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK: eu-south-2

AWS-GR_EC2_INSTANCE_NO_PUBLIC_IP: ap-northeast-3

AWS-GR_EC2_VOLUME_INUSE_CHECK: ap-southeast-5, ca-west-1

AWS-GR_EKS_ENDPOINT_NO_PUBLIC_ACCESS: ap-southeast-5, ca-west-1

AWS-GR_ELASTICSEARCH_IN_VPC_ONLY: ap-south-2, ap-southeast-3, ap-southeast-4, ap-southeast-5, ca-west-1, eu-central-2, eu-south-2, il-central-1

AWS-GR_EMR_MASTER_NO_PUBLIC_IP: af-south-1, ap-northeast-3, ap-south-2, ap-southeast-3, ap-southeast-4, ap-southeast-5, ca-west-1, eu-central-2, eu-south-1, eu-south-2, il-central-1, me-central-1

AWS-GR_ENCRYPTED_VOLUMES: af-south-1, ap-northeast-3, eu-south-1, il-central-1

AWS-GR_IAM_USER_MFA_ENABLED: ap-south-2, ap-southeast-4, ap-southeast-5, ca-west-1, eu-central-2, eu-south-2, il-central-1, me-central-1

AWS-GR_LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED: eu-south-2

AWS-GR_MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS: ap-south-2, ap-southeast-4, ap-southeast-5, ca-west-1, eu-central-2, eu-south-2, il-central-1, me-central-1

AWS-GR_NO_UNRESTRICTED_ROUTE_TO_IGW: ap-northeast-3, ap-south-2, ap-southeast-3, ap-southeast-5, ca-west-1, eu-south-2

AWS-GR_RDS_INSTANCE_PUBLIC_ACCESS_CHECK: ap-south-2, eu-south-2

AWS-GR_RDS_SNAPSHOTS_PUBLIC_PROHIBITED: af-south-1, ap-southeast-4, eu-central-2, eu-south-1, eu-south-2, il-central-1

AWS-GR_RDS_STORAGE_ENCRYPTED: eu-central-2, eu-south-2

AWS-GR_REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK: ap-south-2, ap-southeast-3, ap-southeast-5, ca-west-1, eu-south-2

AWS-GR_RESTRICTED_SSH: af-south-1, eu-south-1

AWS-GR_ROOT_ACCOUNT_MFA_ENABLED: ap-southeast-5, ca-west-1, il-central-1, me-central-1

AWS-GR_S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS_PERIODIC: eu-central-2, eu-south-2, il-central-1

AWS-GR_SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS: af-south-1, ap-northeast-3, ap-south-2, ap-southeast-3, ap-southeast-4, ap-southeast-5, ca-west-1, eu-central-2, eu-south-1, eu-south-2, il-central-1, me-central-1

AWS-GR_SSM_DOCUMENT_NOT_PUBLIC: ap-southeast-5, ca-west-1, il-central-1

AWS-GR_SUBNET_AUTO_ASSIGN_PUBLIC_IP_DISABLED: ap-northeast-3

BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK: ap-south-2, ap-southeast-3, ap-southeast-4, ap-southeast-5, ca-west-1, eu-central-2, eu-south-2, il-central-1, me-central-1

BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED: ap-south-2, ap-southeast-3, ap-southeast-4, ap-southeast-5, ca-west-1, eu-central-2, eu-south-2, il-central-1, me-central-1

BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK: ap-south-2, ap-southeast-3, ap-southeast-4, ap-southeast-5, ca-west-1, eu-central-2, eu-south-2, il-central-1, me-central-1