控制限制

AWS Control Tower AWS 透過以各種形式實作的控制項，例如服務控制政策 (SCPs)、 AWS Config 規則和 AWS CloudFormation 勾點，協助您在上維護安全的多帳戶環境。

控制項參考指南

如果您修改 AWS Control Tower 資源，例如 SCP，或移除任何 AWS Config 資源，例如 Config 記錄器或彙總器，AWSControl Tower 無法再保證控制項如設計般運作。因此，多帳戶環境的安全性可能會受到影響。 AWS 共同的責任模型適用於您可能進行的任何此類變更。

注意

AWS Control Tower 會在您更新登陸區域時，將預防性控制項SCPs的重設為標準組態，以維護您環境的完整性。您可能對所做的變更SCPs，會由設計取代為標準版本的控制項。

區域限制

AWS Control Tower 中的某些控制項不會在特定 AWS 區域中運作，因為 AWS Control Tower 可用，因為這些區域不支援所需的基礎功能。因此，當您部署該控制項時，它可能不在您透過 AWS Control Tower 管理的所有區域中運作。此限制會影響 Security Hub Service 受管標準：AWSControl Tower 中的特定偵測控制、特定主動控制和特定控制。如需區域可用性的詳細資訊，請參閱 Security Hub 控制項。另請參閱區域服務清單文件和 Security Hub 控制參考文件。

在混合控管的情況下，控制行為也會受到限制。如需詳細資訊，請參閱設定區域時避免混合控管。

如需 AWS Control Tower 如何管理區域和控制項限制的詳細資訊，請參閱啟用 AWS 選擇加入區域的考量事項。

注意

如需控制和區域支援的最新資訊，建議您呼叫 GetControl和 ListControlsAPI操作。

尋找可用的控制項和區域

您可以在 AWS Control Tower 主控台中檢視每個控制項的可用區域。您可以使用 GetControl和 ListControls APIs Control AWS Catalog，以程式設計方式檢視可用的區域。

另請參閱 AWS控制塔控制項參考指南中的控制塔控制項和支援的區域、依區域的控制可用性參考表。 AWS

如需 AWS Security Hub 來自服務受管標準：控制塔中某些不支援的AWS控制項的相關資訊 AWS 區域，請參閱 Security Hub 標準中的「不支援的區域」。

下表顯示特定中不支援的特定主動控制 AWS 區域。

控制識別符	不可部署的區域
`CT.DAX.PR.2`	ap-southeast-5、ca-west-1、us-west-1
`CT.REDSHIFT.PR.5`	ap-south-2、ap-southeast-3、ap-southeast-4、ca-west-1、eu-central-2、eu-south-2、il-central-1、me-central-1

下表顯示某些不支援的 AWS Control Tower 偵測控制項 AWS 區域。

控制識別符	不可部署區域
`API_GW_CACHE_ENABLED_AND_ENCRYPTED`	ap-southeast-5、ca-west-1
`APPSYNC_ASSOCIATED_WITH_WAF`	af-south-1、ap-south-2、ap-southeast-3、ap-southeast-4、ap-southeast-5、ca-west-1、eu-central-2、eu-south-2、il-central-1、me-central-1
`AURORA_LAST_BACKUP_RECOVERY_POINT_CREATED`	ap-south-2、ap-southeast-3、ap-southeast-4、ap-southeast-5、ca-west-1、eu-central-2、eu-south-2、il-central-1、me-central-1
`AURORA_RESOURCES_PROTECTED_BY_BACKUP_PLAN`	ap-south-2、ap-southeast-3、ap-southeast-4、ap-southeast-5、ca-west-1、eu-central-2、eu-south-2、il-central-1、me-central-1
`AUTOSCALING_CAPACITY_REBALANCING`	ap-south-2、ap-southeast-3、ap-southeast-4、ap-southeast-5、ca-west-1、eu-central-2、eu-south-2、il-central-1、me-central-1
`AWS-GR_AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED`	ap-northeast-3、ap-southeast-3、ap-southeast-4、ap-southeast-5、ca-west-1、il-central-1
`AWS-GR_DMS_REPLICATION_NOT_PUBLIC`	af-south-1、ap-south-2、ap-southeast-3、ap-southeast-4、ap-southeast-5、ca-west-1、eu-central-2、eu-south-1、eu-south-2、il-central-1、me-central-1
`AWS-GR_EBS_OPTIMIZED_INSTANCE`	ap-southeast-5、ca-west-1
`AWS-GR_EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK`	eu-south-2
`AWS-GR_EC2_INSTANCE_NO_PUBLIC_IP`	ap-northeast-3
`AWS-GR_EC2_VOLUME_INUSE_CHECK`	ap-southeast-5、ca-west-1
`AWS-GR_EKS_ENDPOINT_NO_PUBLIC_ACCESS`	ap-southeast-5、ca-west-1
`AWS-GR_ELASTICSEARCH_IN_VPC_ONLY`	ap-south-2、ap-southeast-3、ap-southeast-4、ap-southeast-5、ca-west-1、eu-central-2、eu-south-2、il-central-1
`AWS-GR_EMR_MASTER_NO_PUBLIC_IP`	af-south-1、ap-northeast-3、ap-south-2、ap-southeast-3、ap-southeast-4、ap-southeast-5、ca-west-1、eu-central-2、eu-south-1、eu-south-2、il-central-1、me-central-1
`AWS-GR_ENCRYPTED_VOLUMES`	af-south-1、ap-northeast-3、eu-south-1、il-central-1
`AWS-GR_IAM_USER_MFA_ENABLED`	ap-south-2、ap-southeast-4、ap-southeast-5、ca-west-1、eu-central-2、eu-south-2、il-central-1、me-central-1
`AWS-GR_LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED`	eu-south-2
`AWS-GR_MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS`	ap-south-2、ap-southeast-4、ap-southeast-5、ca-west-1、eu-central-2、eu-south-2、il-central-1、me-central-1
`AWS-GR_NO_UNRESTRICTED_ROUTE_TO_IGW`	ap-northeast-3、ap-south-2、ap-southeast-3、ap-southeast-5、ca-west-1、eu-south-2
`AWS-GR_RDS_INSTANCE_PUBLIC_ACCESS_CHECK`	ap-south-2、eu-south-2
`AWS-GR_RDS_SNAPSHOTS_PUBLIC_PROHIBITED`	af-south-1、ap-southeast-4、eu-central-2、eu-south-1、eu-south-2、il-central-1
`AWS-GR_RDS_STORAGE_ENCRYPTED`	eu-central-2、eu-south-2
`AWS-GR_REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK`	ap-south-2、ap-southeast-3、ap-southeast-5、ca-west-1、eu-south-2
`AWS-GR_RESTRICTED_SSH`	af-south-1、eu-south-1
`AWS-GR_ROOT_ACCOUNT_MFA_ENABLED`	ap-southeast-5、ca-west-1、il-central-1、me-central-1
`AWS-GR_S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS_PERIODIC`	eu-central-2、eu-south-2、il-central-1
`AWS-GR_SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS`	af-south-1、ap-northeast-3、ap-south-2、ap-southeast-3、ap-southeast-4、ap-southeast-5、ca-west-1、eu-central-2、eu-south-1、eu-south-2、il-central-1、me-central-1
`AWS-GR_SSM_DOCUMENT_NOT_PUBLIC`	ap-southeast-5、ca-west-1、il-central-1
`AWS-GR_SUBNET_AUTO_ASSIGN_PUBLIC_IP_DISABLED`	ap-northeast-3
`BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK`	ap-south-2、ap-southeast-3、ap-southeast-4、ap-southeast-5、ca-west-1、eu-central-2、eu-south-2、il-central-1、me-central-1
`BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED`	ap-south-2、ap-southeast-3、ap-southeast-4、ap-southeast-5、ca-west-1、eu-central-2、eu-south-2、il-central-1、me-central-1
`BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK`	ap-south-2、ap-southeast-3、ap-southeast-4、ap-southeast-5、ca-west-1、eu-central-2、eu-south-2、il-central-1、me-central-1

您的瀏覽器已停用或無法使用 Javascript。

您必須啟用 Javascript，才能使用 AWS 文件。請參閱您的瀏覽器說明頁以取得說明。

文件慣用形式

請求提高配額

根據基礎 AWS 服務的限制