Types of baselines - AWS Control Tower


A baseline in AWS Control Tower is a group of resources and specific configurations that you can apply to a target. The most common baseline target may be an organizational unit (OU). For example, you can enable a baseline with an OU selected as a target, to register that OU into AWS Control Tower.

During landing zone setup, the baseline target may be a shared account or the landing zone as a whole. Certain baselines may be enabled and updated based on your landing zone settings and configurations. AWS Control Tower creates and deploys the resources to the target in the way that the baseline specifies.

When you enable a baseline for a target, the baseline is represented as an AWS CloudFormation resource, called an EnabledBaseline resource.

AWS Control Tower includes two general types of baselines:

  • Baseline types that can apply to an OU that's registered with AWS Control Tower, or to an OU that you intend to register by applying the baseline.

  • Baseline types that can apply to a landing zone or shared account, during initial setup or during a landing zone update.

Baseline types that apply at the OU level, for registering and updating OUs

  • Name: AWSControlTowerBaseline

    Description: Sets up resources and mandatory controls for member accounts within the target OU, required for AWS Control Tower governance.

    Consideration: This baseline retains the settings of the landing zone Region deny control. In other words, if a Region is not allowed at the landing zone level, that Region is not allowed for that OU when you call the EnableBaseline API to register an OU.

    Note

    The OU-level Region deny control has no way to allow Regions that the landing zone Region deny control does not allow.

    For more information, see How SCPs work with deny in the AWS Organizations documentation.

    Recommendation: Before you call the EnableBaseline API for the OU, confirm the Regions in which your target OU may be running workloads and check them against the landing zone Region deny control; otherwise you could lose access to resources in certain Regions.

  • Name: BackupBaseline

    Description: This baseline sets up resources and controls for member accounts within the target OU. These are required so that integration with AWS Backup can automate your data backup across AWS services, and centralize your backup policy management.

    Consideration: Before you enable the BackupBaseline on a target OU, make sure that the AWSControlTowerBaseline is enabled on the target OU. That is, the target OU must be registered in AWS Control Tower.

    • You can choose to activate AWS Backup during the process of creating your AWS Control Tower landing zone, or during a landing zone update process.

    • The BackupBaseline is compatible with landing zone versions 3.1 and later.
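The Region deny consideration above amounts to a set check: the OU-level Region deny setting can only narrow the landing zone's allowed Regions, never widen them, so any Region where an OU's accounts run workloads that is outside the landing zone's allowed set becomes unreachable once the OU is registered. The following is an added example of that pre-check, not code from the AWS Control Tower documentation; the OU id, account ids and Region lists are constructed placeholders, and in practice the allowed Regions come from your landing zone settings and the workload Regions from your own inventory of the OU's member accounts.

```python
"""Region deny pre-check before calling EnableBaseline for an OU.

Added example, not code from the AWS Control Tower documentation. All inputs
are constructed placeholders.
"""
from dataclasses import dataclass


def effective_allowed_regions(landing_zone_allowed, ou_allowed=None):
    """Regions that remain usable after the OU is registered.

    The OU-level list (if any) is intersected with the landing zone list,
    because an OU-level Region deny control cannot allow a Region that the
    landing zone Region deny control does not allow.
    """
    allowed = frozenset(landing_zone_allowed)
    if ou_allowed is not None:
        allowed &= frozenset(ou_allowed)
    return allowed


@dataclass(frozen=True)
class RegionDenyReport:
    ou_id: str
    allowed_regions: frozenset
    # account id -> sorted Regions that carry workloads but would be denied
    blocked: dict

    @property
    def safe_to_register(self) -> bool:
        return not self.blocked

    def summary(self):
        """Human-readable lines for an operator to review before registering."""
        lines = [f"OU {self.ou_id}: allowed Regions {sorted(self.allowed_regions)}"]
        for account_id, regions in self.blocked.items():
            lines.append(f"  account {account_id} would lose access in {regions}")
        if self.safe_to_register:
            lines.append("  no workload Region would be denied")
        return lines


def region_deny_precheck(ou_id, landing_zone_allowed, workload_regions, ou_allowed=None):
    """Compare each account's workload Regions against the effective allowed set.

    workload_regions: account id -> iterable of Regions with resources (your inventory).
    """
    allowed = effective_allowed_regions(landing_zone_allowed, ou_allowed)
    blocked = {}
    for account_id, regions in sorted(workload_regions.items()):
        denied = sorted(set(regions) - allowed)
        if denied:
            blocked[account_id] = denied
    return RegionDenyReport(ou_id, allowed, blocked)


# Constructed sample data: placeholder OU, account ids and Regions.
SAMPLE_LANDING_ZONE_REGIONS = ["us-east-1", "us-west-2"]
SAMPLE_WORKLOAD_REGIONS = {
    "111111111111": ["us-east-1", "eu-west-1"],  # eu-west-1 is outside the landing zone set
    "222222222222": ["us-west-2"],
}

if __name__ == "__main__":
    report = region_deny_precheck("ou-placeholder-a", SAMPLE_LANDING_ZONE_REGIONS, SAMPLE_WORKLOAD_REGIONS)
    print("\n".join(report.summary()))
    print("safe to call EnableBaseline:", report.safe_to_register)
```

Run the check with a real inventory before the EnableBaseline call and treat a non-empty `blocked` map as a stop signal: either move or decommission those workloads, or change the landing zone's governed Regions first, since the OU-level setting cannot add them back.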

Note

Landing zone baselines behave differently than OU-level baselines.

Baseline types that may apply to your landing zone or shared accounts

AWS Control Tower enables the baselines that apply at the landing zone level automatically, as part of the landing zone setup and update process. Baselines for your landing zone may change as you change your landing zone settings. For example, if you opt in for IAM Identity Center, AWS Control Tower can enable the latest version of the IdentityCenterBaseline baseline on your landing zone.

You can view the enabled baselines for your landing zone with the ListEnabledBaselines API call.

Note

Only the AWSControlTowerBaseline can be applied directly with the EnableBaseline API. Other baselines are managed automatically (AuditBaseline, LogArchiveBaseline). The status of IdentityCenterBaseline is provided as information when you apply the AWSControlTowerBaseline.
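Because the ListEnabledBaselines output is the record of what is already applied, it is also the input for the prerequisite checks stated earlier: BackupBaseline requires AWSControlTowerBaseline to be enabled on the target OU (the OU must be registered) and a landing zone at version 3.1 or later. The following is an added example of those checks, not code from the AWS Control Tower documentation. The record shape is an assumption modelled on the ListBaselines (name and ARN per baseline) and ListEnabledBaselines (baselineIdentifier, targetIdentifier and a statusSummary per enabled baseline) responses, and every ARN, account id and OU id is a constructed placeholder.

```python
"""Prerequisite checks from ListEnabledBaselines output before enabling BackupBaseline.

Added example, not code from the AWS Control Tower documentation. Record shapes
are an assumption modelled on the ListBaselines / ListEnabledBaselines responses;
all identifiers are constructed placeholders.
"""

# Constructed catalog, shaped like ListBaselines output: baseline ARN -> baseline name.
BASELINE_CATALOG = {
    "arn:aws:controltower:us-east-1::baseline/PLACEHOLDER-CT": "AWSControlTowerBaseline",
    "arn:aws:controltower:us-east-1::baseline/PLACEHOLDER-BACKUP": "BackupBaseline",
    "arn:aws:controltower:us-east-1::baseline/PLACEHOLDER-IDC": "IdentityCenterBaseline",
}

# Constructed OU ARNs (placeholders).
OU_A = "arn:aws:organizations::111111111111:ou/o-placeholder/ou-placeholder-a"
OU_B = "arn:aws:organizations::111111111111:ou/o-placeholder/ou-placeholder-b"
OU_C = "arn:aws:organizations::111111111111:ou/o-placeholder/ou-placeholder-c"

# Constructed records, shaped like the enabledBaselines list from ListEnabledBaselines.
ENABLED_BASELINES = [
    {"baselineIdentifier": "arn:aws:controltower:us-east-1::baseline/PLACEHOLDER-CT",
     "baselineVersion": "4.0", "targetIdentifier": OU_A,
     "statusSummary": {"status": "SUCCEEDED"}},
    {"baselineIdentifier": "arn:aws:controltower:us-east-1::baseline/PLACEHOLDER-CT",
     "baselineVersion": "4.0", "targetIdentifier": OU_B,
     "statusSummary": {"status": "UNDER_CHANGE"}},
]

# BackupBaseline is compatible with landing zone versions 3.1 and later.
MIN_LANDING_ZONE_FOR_BACKUP = (3, 1)


def parse_version(version):
    """'3.1' -> (3, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def enabled_on_target(enabled, catalog, target, name):
    """Return the enabled-baseline record of baseline `name` on `target`, or None."""
    for record in enabled:
        if record["targetIdentifier"] == target and catalog.get(record["baselineIdentifier"]) == name:
            return record
    return None


def backup_baseline_prerequisites(enabled, catalog, target, landing_zone_version):
    """Return (ok, reasons) describing whether BackupBaseline may be enabled on `target`."""
    reasons = []
    ct = enabled_on_target(enabled, catalog, target, "AWSControlTowerBaseline")
    if ct is None:
        reasons.append("AWSControlTowerBaseline is not enabled on the target OU (OU is not registered)")
    elif ct["statusSummary"]["status"] != "SUCCEEDED":
        reasons.append(f"AWSControlTowerBaseline on the target OU has status {ct['statusSummary']['status']}")
    if parse_version(landing_zone_version) < MIN_LANDING_ZONE_FOR_BACKUP:
        reasons.append(f"landing zone version {landing_zone_version} is below 3.1")
    if enabled_on_target(enabled, catalog, target, "BackupBaseline") is not None:
        reasons.append("BackupBaseline is already enabled on the target OU")
    return (not reasons, reasons)


if __name__ == "__main__":
    for ou in (OU_A, OU_B, OU_C):
        ok, reasons = backup_baseline_prerequisites(ENABLED_BASELINES, BASELINE_CATALOG, ou, "3.3")
        print(ou.rsplit("/", 1)[-1], "ready" if ok else "blocked", reasons)
```

Keying on the catalog rather than on hard-coded ARNs keeps the check portable across Regions and accounts, and treating anything other than a SUCCEEDED status as a blocker avoids stacking a second baseline operation on an OU whose registration is still in flight.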

  • Name: AuditBaseline

    Description: Sets up resources to monitor security and compliance of accounts in your organization. You cannot change this baseline; it is deployed by AWS Control Tower.

  • Name: LogArchiveBaseline

    Description: Sets up a central repository for logs of API activities and resource configurations from accounts in your organization. You cannot change this baseline; it is deployed by AWS Control Tower.

  • Name: IdentityCenterBaseline

    Description: Sets up shared resources for IAM Identity Center, which prepares the AWSControlTowerBaseline to set up Identity Center access for accounts.

    Consideration: This baseline works only when you’ve selected IAM Identity Center as your identity provider at the time you set up your landing zone initially, or if you subsequently change your landing zone settings to enable IAM Identity Center for your landing zone. If you’re using a different identity provider, you won’t have access to enable this baseline.

  • Name: BackupCentralVaultBaseline

    Description: Sets up the central AWS Backup vault in your organization.

  • Name: BackupAdminBaseline

    Description: Sets up delegated admin and the AWS Backup Audit Manager.

Baselines and versioning defaults

If your AWS Control Tower landing zone is already set up, and then you choose to enable a landing zone baseline, AWS Control Tower enables the latest version of the baseline that is compatible with your landing zone version. If you choose to enable a baseline for an OU that is not already registered with AWS Control Tower, AWS Control Tower provides the latest compatible version of the baseline for that OU, automatically.