Gist ctgardner/f0255f34820d8557704e1a9763dd9a08, last active June 15, 2022 22:55
AWS Control Tower guardrails reference
Guidance | Behaviour | Description | Link
---|---|---|---
Mandatory | Preventive | Disallow Changes to Encryption Configuration for AWS Control Tower Created Amazon S3 Buckets in Log Archive | https://docs.aws.amazon.com/controltower/latest/userguide/mandatory-guardrails.html#disallow-changes-s3-buckets-created
Mandatory | Preventive | Disallow Changes to Logging Configuration for AWS Control Tower Created Amazon S3 Buckets in Log Archive | https://docs.aws.amazon.com/controltower/latest/userguide/mandatory-guardrails.html#disallow-logging-changes-s3-buckets-created
Mandatory | Preventive | Disallow Changes to Bucket Policy for AWS Control Tower Created Amazon S3 Buckets in Log Archive | https://docs.aws.amazon.com/controltower/latest/userguide/mandatory-guardrails.html#disallow-policy-changes-s3-buckets-created
Mandatory | Preventive | Disallow Changes to Lifecycle Configuration for AWS Control Tower Created Amazon S3 Buckets in Log Archive | https://docs.aws.amazon.com/controltower/latest/userguide/mandatory-guardrails.html#disallow-lifecycle-changes-s3-buckets-created
Mandatory | Preventive | Disallow Changes to Amazon CloudWatch Logs Log Groups set up by AWS Control Tower | https://docs.aws.amazon.com/controltower/latest/userguide/mandatory-guardrails.html#log-group-deletion-policy
Mandatory | Preventive | Disallow Deletion of AWS Config Aggregation Authorizations Created by AWS Control Tower | https://docs.aws.amazon.com/controltower/latest/userguide/mandatory-guardrails.html#config-aggregation-authorization-policy
Mandatory | Preventive | Disallow Deletion of Log Archive | https://docs.aws.amazon.com/controltower/latest/userguide/mandatory-guardrails.html#disallow-audit-bucket-deletion
Mandatory | Detective | Detect Public Read Access Setting for Log Archive | https://docs.aws.amazon.com/controltower/latest/userguide/mandatory-guardrails.html#log-archive-public-read
Mandatory | Detective | Detect Public Write Access Setting for Log Archive | https://docs.aws.amazon.com/controltower/latest/userguide/mandatory-guardrails.html#log-archive-public-write
Mandatory | Preventive | Disallow Configuration Changes to CloudTrail | https://docs.aws.amazon.com/controltower/latest/userguide/mandatory-guardrails.html#cloudtrail-configuration-changes
Mandatory | Preventive | Integrate CloudTrail Events with Amazon CloudWatch Logs | https://docs.aws.amazon.com/controltower/latest/userguide/mandatory-guardrails.html#cloudtrail-integrate-events-logs
Mandatory | Preventive | Enable CloudTrail in All Available Regions | https://docs.aws.amazon.com/controltower/latest/userguide/mandatory-guardrails.html#cloudtrail-enable-region
Mandatory | Preventive | Enable Integrity Validation for CloudTrail Log File | https://docs.aws.amazon.com/controltower/latest/userguide/mandatory-guardrails.html#cloudtrail-enable-validation
Mandatory | Preventive | Disallow Changes to Amazon CloudWatch Set Up by AWS Control Tower | https://docs.aws.amazon.com/controltower/latest/userguide/mandatory-guardrails.html#cloudwatch-disallow-changes
Mandatory | Preventive | Disallow Changes to Tags Created by AWS Control Tower for AWS Config Resources | https://docs.aws.amazon.com/controltower/latest/userguide/mandatory-guardrails.html#cloudwatch-disallow-config-changes
Mandatory | Preventive | Disallow Configuration Changes to AWS Config | https://docs.aws.amazon.com/controltower/latest/userguide/mandatory-guardrails.html#config-disallow-changes
Mandatory | Preventive | Enable AWS Config in All Available Regions | https://docs.aws.amazon.com/controltower/latest/userguide/mandatory-guardrails.html#config-enable-regions
Mandatory | Preventive | Disallow Changes to AWS Config Rules Set Up by AWS Control Tower | https://docs.aws.amazon.com/controltower/latest/userguide/mandatory-guardrails.html#config-rule-disallow-changes
Mandatory | Preventive | Disallow Changes to AWS IAM Roles Set Up by AWS Control Tower and AWS CloudFormation | https://docs.aws.amazon.com/controltower/latest/userguide/mandatory-guardrails.html#iam-disallow-changes
Mandatory | Preventive | Disallow Changes to AWS Lambda Functions Set Up by AWS Control Tower | https://docs.aws.amazon.com/controltower/latest/userguide/mandatory-guardrails.html#lambda-disallow-changes
Mandatory | Preventive | Disallow Changes to Amazon SNS Set Up by AWS Control Tower | https://docs.aws.amazon.com/controltower/latest/userguide/mandatory-guardrails.html#sns-disallow-changes
Mandatory | Preventive | Disallow Changes to Amazon SNS Subscriptions Set Up by AWS Control Tower | https://docs.aws.amazon.com/controltower/latest/userguide/mandatory-guardrails.html#sns-subscriptions-disallow-changes
Strongly Recommended | Preventive | Disallow Creation of Access Keys for the Root User | https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-guardrails.html#disallow-root-access-keys
Strongly Recommended | Preventive | Disallow Actions as a Root User | https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-guardrails.html#disallow-root-auser-actions
Strongly Recommended | Detective | Detect Whether Encryption is Enabled for Amazon EBS Volumes Attached to Amazon EC2 Instances | https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-guardrails.html#ebs-enable-encryption
Strongly Recommended | Detective | Detect Whether Unrestricted Incoming TCP Traffic is Allowed | https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-guardrails.html#rdp-disallow-internet
Strongly Recommended | Detective | Detect Whether Unrestricted Internet Connection Through SSH is Allowed | https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-guardrails.html#ssh-disallow-internet
Strongly Recommended | Detective | Detect Whether MFA for the Root User is Enabled | https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-guardrails.html#enable-root-mfa
Strongly Recommended | Detective | Detect Whether Public Read Access to Amazon S3 Buckets is Allowed | https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-guardrails.html#s3-disallow-public-read
Strongly Recommended | Detective | Detect Whether Public Write Access to Amazon S3 Buckets is Allowed | https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-guardrails.html#s3-disallow-public-write
Strongly Recommended | Detective | Detect Whether Amazon EBS Volumes are Attached to Amazon EC2 Instances | https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-guardrails.html#disallow-unattached-ebs
Strongly Recommended | Detective | Detect Whether Amazon EBS Optimization is Enabled for Amazon EC2 Instances | https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-guardrails.html#disallow-not-ebs-optimized
Strongly Recommended | Detective | Detect Whether Public Access to Amazon RDS Database Instances is Enabled | https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-guardrails.html#disallow-rds-public-access
Strongly Recommended | Detective | Detect Whether Public Access to Amazon RDS Database Snapshots is Enabled | https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-guardrails.html#disallow-rds-snapshot-public-access
Strongly Recommended | Detective | Detect Whether Storage Encryption is Enabled for Amazon RDS Database Instances | https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-guardrails.html#disallow-rds-storage-unencrypted
Elective | Preventive | Disallow Changes to Encryption Configuration for Amazon S3 Buckets [Previously: Enable Encryption at Rest for Log Archive] | https://docs.aws.amazon.com/controltower/latest/userguide/elective-guardrails.html#log-archive-encryption-enabled
Elective | Preventive | Disallow Changes to Logging Configuration for Amazon S3 Buckets [Previously: Enable Access Logging for Log Archive] | https://docs.aws.amazon.com/controltower/latest/userguide/elective-guardrails.html#log-archive-access-enabled
Elective | Preventive | Disallow Changes to Bucket Policy for Amazon S3 Buckets [Previously: Disallow Policy Changes to Log Archive] | https://docs.aws.amazon.com/controltower/latest/userguide/elective-guardrails.html#log-archive-policy-changes
Elective | Preventive | Disallow Changes to Lifecycle Configuration for Amazon S3 Buckets [Previously: Set a Retention Policy for Log Archive] | https://docs.aws.amazon.com/controltower/latest/userguide/elective-guardrails.html#log-archive-retention-policy
Elective | Preventive | Disallow Changes to Replication Configuration for Amazon S3 Buckets | https://docs.aws.amazon.com/controltower/latest/userguide/elective-guardrails.html#disallow-s3-ccr
Elective | Preventive | Disallow Delete Actions on Amazon S3 Buckets Without MFA | https://docs.aws.amazon.com/controltower/latest/userguide/elective-guardrails.html#disallow-s3-delete-mfa
Elective | Detective | Detect Whether MFA is Enabled for AWS IAM Users | https://docs.aws.amazon.com/controltower/latest/userguide/elective-guardrails.html#disallow-access-mfa
Elective | Detective | Detect Whether MFA is Enabled for AWS IAM Users of the AWS Console | https://docs.aws.amazon.com/controltower/latest/userguide/elective-guardrails.html#disallow-console-access-mfa
Elective | Detective | Detect Whether Versioning for Amazon S3 Buckets is Enabled | https://docs.aws.amazon.com/controltower/latest/userguide/elective-guardrails.html#disallow-s3-no-versioning
Elective (Data Residency) | Preventive | Deny access to AWS based on the requested AWS Region | https://docs.aws.amazon.com/controltower/latest/userguide/data-residency-guardrails.html#primary-region-deny-policy
Elective (Data Residency) | Preventive | Disallow internet access for an Amazon VPC instance managed by a customer | https://docs.aws.amazon.com/controltower/latest/userguide/data-residency-guardrails.html#disallow-vpc-internet-access
Elective (Data Residency) | Preventive | Disallow Amazon Virtual Private Network (VPN) connections | https://docs.aws.amazon.com/controltower/latest/userguide/data-residency-guardrails.html#prevent-vpn-connection
Elective (Data Residency) | Preventive | Disallow cross-region networking for Amazon EC2, Amazon CloudFront and AWS Global Accelerator | https://docs.aws.amazon.com/controltower/latest/userguide/data-residency-guardrails.html#prevent-cross-region-networking
Elective (Data Residency) | Detective | Detect whether public IP addresses for Amazon EC2 autoscaling are enabled through launch configurations | https://docs.aws.amazon.com/controltower/latest/userguide/data-residency-guardrails.html#autoscaling-launch-config-public-ip-disabled
Elective (Data Residency) | Detective | Detect whether replication instances for AWS Database Migration Service are public | https://docs.aws.amazon.com/controltower/latest/userguide/data-residency-guardrails.html#dms-replication-not-public
Elective (Data Residency) | Detective | Detect whether Amazon EBS snapshots are restorable by all AWS accounts | https://docs.aws.amazon.com/controltower/latest/userguide/data-residency-guardrails.html#ebs-snapshot-public-restorable-check
Elective (Data Residency) | Detective | Detect whether any Amazon EC2 instance has an associated public IPv4 address | https://docs.aws.amazon.com/controltower/latest/userguide/data-residency-guardrails.html#ec2-instance-no-public-ip
Elective (Data Residency) | Detective | Detect whether Amazon S3 settings to block public access are set as true for the account | https://docs.aws.amazon.com/controltower/latest/userguide/data-residency-guardrails.html#s3-account-level-public-access-blocks-periodic
Elective (Data Residency) | Detective | Detects whether an Amazon EKS endpoint is blocked from public access | https://docs.aws.amazon.com/controltower/latest/userguide/data-residency-guardrails.html#eks-endpoint-no-public-access
Elective (Data Residency) | Detective | Detect whether an Amazon OpenSearch Service domain is in Amazon VPC | https://docs.aws.amazon.com/controltower/latest/userguide/data-residency-guardrails.html#elasticsearch-in-vpc-only
Elective (Data Residency) | Detective | Detect whether any Amazon EMR cluster master nodes have public IP addresses | https://docs.aws.amazon.com/controltower/latest/userguide/data-residency-guardrails.html#emr-master-no-public-ip
Elective (Data Residency) | Detective | Detect whether the AWS Lambda function policy attached to the Lambda resource blocks public access | https://docs.aws.amazon.com/controltower/latest/userguide/data-residency-guardrails.html#lambda-function-public-access-prohibited
Elective (Data Residency) | Detective | Detect whether public routes exist in the route table for an Internet Gateway (IGW) | https://docs.aws.amazon.com/controltower/latest/userguide/data-residency-guardrails.html#no-unrestricted-route-to-igw
Elective (Data Residency) | Detective | Detect whether Amazon Redshift clusters are blocked from public access | https://docs.aws.amazon.com/controltower/latest/userguide/data-residency-guardrails.html#redshift-cluster-public-access-check
Elective (Data Residency) | Detective | Detect whether an Amazon SageMaker notebook instance allows direct internet access | https://docs.aws.amazon.com/controltower/latest/userguide/data-residency-guardrails.html#sagemaker-notebook-no-direct-internet-access
Elective (Data Residency) | Detective | Detect whether any Amazon VPC subnets are assigned a public IP address | https://docs.aws.amazon.com/controltower/latest/userguide/data-residency-guardrails.html#subnet-auto-assign-public-ip-disabled
Elective (Data Residency) | Detective | Detect whether AWS Systems Manager documents owned by the account are public | https://docs.aws.amazon.com/controltower/latest/userguide/data-residency-guardrails.html#ssm-document-not-public
AWS Control Tower guardrails sourced from https://docs.aws.amazon.com/controltower/latest/userguide/guardrails-reference.html and transformed into CSV format.