Preventive controls
A preventive control ensures that your accounts maintain compliance, because it disallows actions that lead to policy violations. The status of a preventive control is either enforced or not enabled. Preventive controls are supported in all AWS Regions.
- Preventive controls are implemented using service control policies (SCPs) or resource control policies (RCPs), each of which is part of AWS Organizations.
- Regarding nested OUs, preventive controls enabled on any OU higher in the tree also apply to unregistered OUs nested below it.
- When you enable controls on an organizational unit (OU) that is registered with AWS Control Tower, preventive controls apply to all member accounts under the OU, enrolled and unenrolled.
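The propagation rules above (an enforced control on an OU reaches every member account under it, including accounts in nested OUs) can be checked with a small model. The following is an added example, not AWS Control Tower or AWS Organizations code: the OU tree, account names, control names and the SCP-style Deny statements are all constructed, and the IAM action names are used only to illustrate matching.

```python
from fnmatch import fnmatchcase

# Constructed OU tree: child OU -> parent OU (None for the organization root).
OU_PARENT = {
    "Root": None,
    "Security": "Root",
    "Workloads": "Root",
    "Workloads/Prod": "Workloads",   # nested OU below a registered OU
}

# Constructed member accounts and the OU each sits in.
ACCOUNT_OU = {
    "log-archive": "Security",
    "prod-app": "Workloads/Prod",
    "sandbox": "Root",
}

# Preventive controls modeled as SCP-style Deny statements attached to an OU.
# "enforced" mirrors the two statuses on the page: enforced vs. not enabled.
# Control names and action lists are constructed for this example.
CONTROLS = {
    "Root": [
        {"name": "deny-cloudtrail-changes", "enforced": True,
         "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"]},
    ],
    "Workloads": [
        {"name": "deny-public-acl", "enforced": True,
         "Action": ["s3:Put*Acl"]},               # wildcard, IAM-style
        {"name": "deny-ec2-launch", "enforced": False,   # drafted, not enabled
         "Action": ["ec2:RunInstances"]},
    ],
}


def ou_path(ou):
    """Return the OU and its ancestors, nearest first, up to the root."""
    path = []
    while ou is not None:
        path.append(ou)
        ou = OU_PARENT[ou]
    return path


def effective_controls(account):
    """Enforced controls that reach an account: its own OU's plus every ancestor's.

    Walking to the root is what makes a control on a higher OU apply to
    accounts in nested OUs, registered or not.
    """
    applied = []
    for ou in ou_path(ACCOUNT_OU[account]):
        applied.extend(c for c in CONTROLS.get(ou, []) if c["enforced"])
    return applied


def denying_control(account, action):
    """Name of the first enforced control whose Deny matches the action, or None.

    IAM-style evaluation: an explicit Deny anywhere in the OU chain wins.
    """
    for control in effective_controls(account):
        if any(fnmatchcase(action, pattern) for pattern in control["Action"]):
            return control["name"]
    return None


def is_allowed(account, action):
    """True when no enforced preventive control in the chain denies the action."""
    return denying_control(account, action) is None


if __name__ == "__main__":
    for acct, act in [("prod-app", "cloudtrail:StopLogging"),
                      ("prod-app", "s3:PutBucketAcl"),
                      ("prod-app", "ec2:RunInstances"),
                      ("log-archive", "s3:PutBucketAcl")]:
        print(f"{acct:12} {act:28} -> {denying_control(acct, act) or 'allowed'}")
```

The `prod-app` account sits two levels below the root, yet the root-level CloudTrail control still denies it, while the `deny-ec2-launch` control has no effect anywhere because it is not enabled.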
Note
The AWS Control Tower mandatory controls have preventive behavior, except three that are detective. See Mandatory controls.
- Detect Public Read Access Setting for Log Archive
- Detect Public Write Access Setting for Log Archive
- Detect whether shared accounts under the Security organizational unit have AWS CloudTrail or CloudTrail Lake enabled