Optional controls - AWS Control Tower

Optional controls

Optional controls in AWS Control Tower are applied at the OU level. You can activate and deactivate these optional controls through the AWS Control Tower console or by calling the control APIs.

AWS Control Tower offers several types of optional controls. The strongly recommended and elective controls owned by AWS Control Tower are optional, which means that you can customize the level of enforcement for the OUs in your landing zone by choosing which ones to enable. Optional controls are not enabled by default. For more information about individual optional controls, see the control reference pages in the sections that follow.

Note

Some detective controls in AWS Control Tower do not operate in certain AWS Regions where AWS Control Tower is available, because those Regions do not support the required underlying functionality. As a result, a detective control that is enabled on an OU may not be operating in every Region that you govern with AWS Control Tower, so an enabled status alone does not prove coverage in all governed Regions. For details, see Control limitations and Security Hub controls.

You can view the Regions for each control in the AWS Control Tower console, or by calling the GetControl API in the Control Catalog namespace; the RegionConfiguration element of its response reports the control's scope and the Regions where the control can be deployed.

For more information about the detective controls that cannot be deployed in certain Regions, see the Regional services list documentation to learn the Regions where AWS Config is available. If the detective control is implemented as a managed AWS Config rule, see the Security Hub controls reference documentation.
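Before enabling a control on an OU, a practitioner typically wants to compare the Regions the control can actually be deployed to with the Regions the landing zone governs, so that an uncovered Region is a documented decision rather than a surprise. The following Python is an added example and is not code from the AWS documentation. It assumes the response shape of the Control Catalog GetControl API (a RegionConfiguration element with Scope and DeployableRegions) and takes the governed Region list from the caller; the sample response, the Region lists and the control ARN are constructed placeholders, not values from a real account.

```python
"""Pre-flight Region check for an AWS Control Tower control.

Added example; not code from the AWS documentation. Assumes the Control
Catalog GetControl response shape (RegionConfiguration.Scope and
RegionConfiguration.DeployableRegions). The sample response and Region lists
below are constructed and the control ARN is a placeholder.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class RegionCoverage:
    """Where a control will and will not operate among the governed Regions."""

    control_arn: str
    scope: str                  # "GLOBAL" or "REGIONAL", as returned by GetControl
    covered: tuple[str, ...]    # governed Regions the control can be deployed to
    uncovered: tuple[str, ...]  # governed Regions the control would not operate in

    @property
    def fully_covered(self) -> bool:
        return not self.uncovered


def region_coverage(get_control_response: dict, governed_regions: list[str]) -> RegionCoverage:
    """Compare a GetControl response with the Regions governed by the landing zone."""
    arn = get_control_response.get("Arn", "")
    region_cfg = get_control_response.get("RegionConfiguration") or {}
    scope = region_cfg.get("Scope", "REGIONAL")
    deployable = set(region_cfg.get("DeployableRegions") or [])
    governed = sorted(set(governed_regions))
    if scope == "GLOBAL":
        # Assumption: a GLOBAL-scope control is not bound to individual Regions,
        # so every governed Region is treated as covered.
        return RegionCoverage(arn, scope, tuple(governed), ())
    covered = tuple(r for r in governed if r in deployable)
    uncovered = tuple(r for r in governed if r not in deployable)
    return RegionCoverage(arn, scope, covered, uncovered)


def coverage_report(cov: RegionCoverage) -> str:
    """Human-readable summary for a change ticket or pipeline log."""
    lines = [f"{cov.control_arn} ({cov.scope} scope)"]
    lines.append("  covered:   " + (", ".join(cov.covered) or "(none)"))
    lines.append("  uncovered: " + (", ".join(cov.uncovered) or "(none)"))
    if not cov.fully_covered:
        lines.append("  WARNING: enabling this control leaves the uncovered Regions without it;"
                     " plan a compensating control or record the gap explicitly.")
    return "\n".join(lines)


def live_coverage(control_arn: str, governed_regions: list[str]) -> RegionCoverage:
    """Same check against a real account; needs boto3 and AWS credentials (not run offline)."""
    import boto3  # imported here so the offline demo below does not require it

    resp = boto3.client("controlcatalog").get_control(ControlArn=control_arn)
    return region_coverage(resp, governed_regions)


# Constructed sample: the shape mirrors GetControl, the values are made up.
SAMPLE_RESPONSE = {
    "Arn": "arn:aws:controlcatalog:::control/EXAMPLE-DETECTIVE-CONTROL",  # placeholder ARN
    "Behavior": "DETECTIVE",
    "RegionConfiguration": {
        "Scope": "REGIONAL",
        "DeployableRegions": ["us-east-1", "us-west-2", "eu-west-1"],
    },
}
SAMPLE_GOVERNED_REGIONS = ["us-east-1", "eu-west-1", "ap-southeast-3"]


def demo() -> RegionCoverage:
    """Run the check on the constructed sample and print the report."""
    cov = region_coverage(SAMPLE_RESPONSE, SAMPLE_GOVERNED_REGIONS)
    print(coverage_report(cov))
    return cov


if __name__ == "__main__":
    demo()
```

Run the module directly to see the report for the constructed sample, or call `live_coverage` with a real control ARN and your landing zone's governed Regions to check a control before you enable it on an OU. Treating a non-empty `uncovered` list as a blocking condition in a deployment pipeline is a reasonable default; the Regions it lists are the ones where the control's status in the console will not reflect any actual evaluation.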