Optional controls

Optional controls in AWS Control Tower are applied at the OU level. You can activate and deactivate these optional controls through the AWS Control Tower console, or by means of the control APIs.

AWS Control Tower offers several types of optional controls:

Proactive controls, which are based on AWS CloudFormation hooks.
Controls implemented with resource control policies (RCPs), which are based on RCPs from AWS Organizations. For more information, see Resource control policies in the AWS Organizations documentation.
Controls implemented with declarative policies, which are based on declarative policies from AWS Organizations. For more information, see Declarative policies in the AWS Organizations documentation.
Security Hub controls, which are based on AWS Config rules – these controls are owned by Security Hub and integrated with AWS Control Tower, by means of the Service-Managed Standard: AWS Control Tower.
Digital sovereignty controls, which are elective controls based on SCPs and AWS Config rules, implemented within AWS Control Tower. This group includes the data residency controls.
Strongly recommended controls, which are based on SCPs and AWS Config rules, implemented within AWS Control Tower.
Elective controls, which are based on SCPs and AWS Config rules, implemented within AWS Control Tower.

The strongly recommended and elective controls owned by AWS Control Tower are optional, which means that you can customize the level of enforcement for OUs in your landing zone by choosing which ones to enable. Optional controls are not enabled by default. For more information about optional controls, see the following control reference pages in the next sections.

Note

It is important to know that some detective controls in AWS Control Tower do not operate in certain AWS Regions where AWS Control Tower is available, because those Regions do not support the required underlying functionality. As a result, when you deploy a detective control, the control may not be operating in all Regions that you govern with AWS Control Tower. For details, see Control limitations and Security Hub controls.

You can view the Regions for each control in the AWS Control Tower console, or by calling the GetControl API that is part of the Control Catalog namespace.

For more information about the detective controls that cannot be deployed in certain Regions, see the Regional services list documentation to learn more about the Regions where AWS Config is available. If the detective control is implemented as a managed AWS Config rule, see the Security Hub controls reference documentation.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Parameterized controls

Strongly recommended controls