Preventive vs. Proactive vs. Detective Controls in AWS Control Tower

3 minute read
Content level: Intermediate

This article helps Control Tower administrators understand the key differences between the types of Control Tower controls, how each type is enforced, and the common applications of each.

Getting Started with Controls

Enabling Control Tower controls beyond the default required controls can be daunting: the controls library holds 500+ controls across several control types. A good first step is to enable the controls whose guidance value is Strongly Recommended. You can filter the controls library by guidance, type, control objective, compliance framework, and more. Before you enable controls across your multi-account landing zone, it helps to understand the control types and how each one is enforced, as outlined below.

Preventive Controls

Preventive controls are implemented as Service Control Policies (SCPs) attached to the OUs on which you enable them, and they stop non-compliant actions before they occur. Because an SCP is evaluated on every request made by a principal in a member account, a preventive control applies regardless of the access path (console, CLI, SDK, or IaC tool), and a matching Deny overrides any permission granted by IAM policies in that account. Two caveats: SCPs do not apply to the organization's management account, and an SCP can only restrict permissions, never grant them. Common use cases for preventive controls include:

  • Restricting the creation of public S3 buckets
  • Enforcing encryption for data at rest and in transit
  • Disallow actions as a root user (Strongly Recommended)
  • Disallow creation of access keys for the root user (Strongly Recommended)
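The following is an added example, not code from this article or from AWS; it models how an SCP-based preventive control is enforced. The two SCP documents are constructed for the example: they follow the shape of a "deny actions as root" and a "deny root access keys" policy but are not copied from the Control Tower controls library, and the evaluator supports only the StringLike and StringEquals condition operators.

```python
"""Added example (not AWS or Control Tower code): a minimal model of how an
SCP-based preventive control is enforced.

Two properties matter for preventive controls and both are modelled here:
  * an SCP explicit Deny is evaluated for every request from a member
    account, whatever the access path (console, CLI, SDK, CloudFormation);
  * a matching Deny overrides any Allow in the principal's IAM policies.
The two SCPs below are constructed for this example; they follow the shape
of "deny root user actions" and "deny root access keys" controls but are
not copied from the Control Tower controls library.
"""
import fnmatch
from typing import Iterable, Optional

# Constructed SCP: deny every action when the calling principal is the root user.
DENY_ROOT_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyRootUserActions",
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {"StringLike": {"aws:PrincipalArn": ["arn:aws:iam::*:root"]}},
    }],
}

# Constructed SCP: deny creating access keys for the root user of any account.
DENY_ROOT_ACCESS_KEYS_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyRootAccessKeys",
        "Effect": "Deny",
        "Action": ["iam:CreateAccessKey"],
        "Resource": ["arn:aws:iam::*:root"],
    }],
}


def _as_list(value) -> list:
    """IAM lets Action, Resource and condition values be a string or a list."""
    return value if isinstance(value, list) else [value]


def _glob_any(patterns: Iterable[str], value: str) -> bool:
    """IAM-style wildcard match ('*' and '?'), case-sensitive."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_matches(condition: dict, context: dict) -> bool:
    """Evaluate StringLike/StringEquals blocks (enough for this example).
    A context key that is absent makes the condition false, as in IAM."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringLike" and not _glob_any(_as_list(expected), actual):
                return False
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
    return True


def matching_scp_deny(scps: list, action: str, resource: str, context: dict) -> Optional[str]:
    """Return the Sid of the first Deny statement matching the request, else None."""
    for scp in scps:
        for stmt in scp["Statement"]:
            if stmt.get("Effect") != "Deny":
                continue
            if not _glob_any(_as_list(stmt["Action"]), action):
                continue
            if not _glob_any(_as_list(stmt["Resource"]), resource):
                continue
            if not _condition_matches(stmt.get("Condition", {}), context):
                continue
            return stmt["Sid"]
    return None


def authorize(scps: list, action: str, resource: str, context: dict,
              iam_allows: bool, is_management_account: bool = False) -> str:
    """Deny-wins evaluation: a matching SCP Deny is final; otherwise the IAM
    decision stands. SCPs never apply to the management account, which is
    one reason Control Tower guidance keeps workloads out of it."""
    if not is_management_account:
        sid = matching_scp_deny(scps, action, resource, context)
        if sid is not None:
            return f"DENY (SCP {sid})"
    return "ALLOW" if iam_allows else "DENY (IAM)"


if __name__ == "__main__":
    scps = [DENY_ROOT_SCP, DENY_ROOT_ACCESS_KEYS_SCP]
    root = {"aws:PrincipalArn": "arn:aws:iam::111122223333:root"}
    role = {"aws:PrincipalArn": "arn:aws:iam::111122223333:role/Deployer"}
    # Root has full IAM permissions, yet the SCP still denies it in a member account.
    print(authorize(scps, "s3:ListAllMyBuckets", "*", root, iam_allows=True))
    print(authorize(scps, "s3:ListAllMyBuckets", "*", role, iam_allows=True))
    print(authorize(scps, "s3:ListAllMyBuckets", "*", root, iam_allows=True,
                    is_management_account=True))
```

The point to take from the model is the order of evaluation: the SCP Deny is checked before any IAM Allow is considered, so the same call from the root user is refused whether it arrives from the console or from an SDK, while the identical call in the management account goes through untouched.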

Proactive Controls

Proactive controls are implemented as AWS CloudFormation Hooks that evaluate the resources in a template before CloudFormation provisions them, and fail the stack operation if a resource is non-compliant (the rule each control applies is published in the controls reference). This means proactive controls cover only resources deployed through CloudFormation: they do not affect requests made directly to services through the AWS Management Console, the AWS APIs, the AWS SDKs, or other Infrastructure-as-Code (IaC) tools that do not go through CloudFormation. Where a matching detective control exists, enable it alongside the proactive one so that resources created outside CloudFormation are still flagged. Common use cases for proactive controls include:

  • Require an Amazon RDS database instance to have minor version upgrades configured
  • Require that AWS Identity and Access Management (IAM) inline policies do not have wildcard service actions
  • Require an Amazon ECS container to run as non-privileged
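The following is an added example, not Control Tower's own hook or rules: it performs the kind of pre-provisioning template check a CloudFormation Hook does for a proactive control, using the three use cases above. The three rules are this example's reading of those controls (for instance, "wildcard service action" is taken to mean `*` or `service:*`), the template is constructed, and the CloudFormation resource types and property names are the real ones.

```python
"""Added example (not Control Tower's own hook or Guard rules): the kind of
pre-provisioning check a CloudFormation Hook performs for a proactive
control. The three rules are this example's reading of the three use cases
above; the template is constructed. Property names are real CloudFormation
ones. A resource created outside CloudFormation (for example with
`aws rds create-db-instance --no-auto-minor-version-upgrade`) never reaches
a check like this, which is the limitation described above.
"""
import copy


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _is_false(value) -> bool:
    """Template values may be booleans or the strings 'false'/'False'."""
    return value is False or str(value).lower() == "false"


def _is_true(value) -> bool:
    return value is True or str(value).lower() == "true"


def find_violations(template: dict) -> list:
    """Return one message per non-compliant resource property. An empty list
    means the hook would let CloudFormation proceed."""
    violations = []
    for name, res in template.get("Resources", {}).items():
        rtype = res.get("Type")
        props = res.get("Properties", {})

        if rtype == "AWS::RDS::DBInstance":
            # AutoMinorVersionUpgrade defaults to true, so only an explicit false fails.
            if _is_false(props.get("AutoMinorVersionUpgrade", True)):
                violations.append(f"{name}: AWS::RDS::DBInstance must keep AutoMinorVersionUpgrade enabled")

        elif rtype == "AWS::ECS::TaskDefinition":
            for c in props.get("ContainerDefinitions", []):
                if _is_true(c.get("Privileged")):
                    violations.append(f"{name}: container '{c.get('Name')}' must not run privileged")

        elif rtype in ("AWS::IAM::Role", "AWS::IAM::User", "AWS::IAM::Group"):
            # 'Policies' holds inline policies; attached managed policies are out of scope here.
            for pol in props.get("Policies", []):
                for stmt in _as_list(pol["PolicyDocument"].get("Statement", [])):
                    if stmt.get("Effect") != "Allow":
                        continue
                    for action in _as_list(stmt.get("Action", [])):
                        if action == "*" or action.endswith(":*"):
                            violations.append(
                                f"{name}: inline policy '{pol.get('PolicyName')}' uses wildcard action '{action}'")
    return violations


def hook_decision(template: dict) -> str:
    """Mimic a hook in FAIL mode: any violation fails the stack operation."""
    return "FAILED" if find_violations(template) else "SUCCESS"


# Constructed template with one violation of each kind.
NON_COMPLIANT_TEMPLATE = {
    "Resources": {
        "Database": {
            "Type": "AWS::RDS::DBInstance",
            "Properties": {"DBInstanceClass": "db.t3.micro", "Engine": "postgres",
                           "AllocatedStorage": "20", "AutoMinorVersionUpgrade": "false"},
        },
        "Task": {
            "Type": "AWS::ECS::TaskDefinition",
            "Properties": {"ContainerDefinitions": [
                {"Name": "web", "Image": "nginx", "Privileged": True}]},
        },
        "DeployRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": []},
                "Policies": [{"PolicyName": "deploy", "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}}],
            },
        },
    }
}

# The same template with the three properties corrected.
COMPLIANT_TEMPLATE = copy.deepcopy(NON_COMPLIANT_TEMPLATE)
_r = COMPLIANT_TEMPLATE["Resources"]
_r["Database"]["Properties"]["AutoMinorVersionUpgrade"] = True
_r["Task"]["Properties"]["ContainerDefinitions"][0]["Privileged"] = False
_r["DeployRole"]["Properties"]["Policies"][0]["PolicyDocument"]["Statement"][0]["Action"] = [
    "s3:GetObject", "s3:PutObject"]

if __name__ == "__main__":
    for msg in find_violations(NON_COMPLIANT_TEMPLATE):
        print(msg)
    print(hook_decision(NON_COMPLIANT_TEMPLATE), hook_decision(COMPLIANT_TEMPLATE))
```

Note that the check has nothing to look at unless the resource is described in a template: that is the whole reason the page pairs proactive controls with detective ones for resources created by hand or by another tool.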

Detective Controls

Detective controls are implemented as AWS Config rules that evaluate the configuration of existing resources and report each one as compliant or non-compliant. They do not block or change anything: a non-compliant resource stays in place until someone acts on the finding, so a detective control is only as useful as the process that reviews its results. Because they depend on AWS Config, detective controls operate only in the Regions where Control Tower has Config recording enabled (your governed Regions). Common use cases for detective controls include:

  • Detect whether encryption is enabled for Amazon EBS volumes attached to Amazon EC2 instances (Strongly Recommended)
  • Detect whether unrestricted internet connection through SSH is allowed (Strongly Recommended)
  • Detect whether public access to Amazon RDS database instances is enabled (Strongly Recommended)
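The following is an added example, not Control Tower's own Config rules: it evaluates simplified AWS Config configuration items, the input a custom Config rule's Lambda function receives, for the three detective use cases above. The configuration-item dictionaries are constructed and reduced to the fields the checks read; the compliance values are the ones Config accepts. Nothing here blocks or changes a resource, which is the point.

```python
"""Added example (not Control Tower's own Config rules): compliance evaluation
over AWS Config configuration items, the input a custom Config rule's Lambda
receives. The three evaluations mirror the three detective use cases above.
The configuration-item dictionaries are constructed and simplified to the
fields the checks read; nothing here blocks or changes a resource.
"""


def _rule_covers_port(perm: dict, port: int) -> bool:
    """True if an ingress permission includes the given TCP port."""
    proto = perm.get("ipProtocol")
    if proto == "-1":  # all traffic
        return True
    if proto != "tcp":
        return False
    return int(perm.get("fromPort", 0)) <= port <= int(perm.get("toPort", 65535))


def _open_to_internet(perm: dict) -> bool:
    v4 = any(r.get("cidrIp") == "0.0.0.0/0" for r in perm.get("ipv4Ranges", []))
    v6 = any(r.get("cidrIpv6") == "::/0" for r in perm.get("ipv6Ranges", []))
    return v4 or v6


def evaluate(item: dict) -> tuple:
    """Return (compliance_type, annotation) for one configuration item."""
    rtype = item["resourceType"]
    cfg = item["configuration"]

    if rtype == "AWS::EC2::Volume":
        # The control scores only volumes attached to an EC2 instance.
        if not cfg.get("attachments"):
            return "NOT_APPLICABLE", "volume is not attached to an instance"
        if cfg.get("encrypted"):
            return "COMPLIANT", ""
        return "NON_COMPLIANT", "attached EBS volume is not encrypted"

    if rtype == "AWS::EC2::SecurityGroup":
        for perm in cfg.get("ipPermissions", []):
            if _rule_covers_port(perm, 22) and _open_to_internet(perm):
                return "NON_COMPLIANT", "ingress to TCP/22 is open to 0.0.0.0/0 or ::/0"
        return "COMPLIANT", ""

    if rtype == "AWS::RDS::DBInstance":
        if cfg.get("publiclyAccessible"):
            return "NON_COMPLIANT", "DB instance is publicly accessible"
        return "COMPLIANT", ""

    return "NOT_APPLICABLE", f"no rule for {rtype}"


def non_compliant(items: list) -> list:
    """The list someone has to act on; a detective control produces nothing else."""
    findings = []
    for item in items:
        status, why = evaluate(item)
        if status == "NON_COMPLIANT":
            findings.append((item["resourceId"], why))
    return findings


# Constructed, simplified configuration items.
ITEMS = [
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0a1b2c3d",
     "configuration": {"encrypted": False,
                       "attachments": [{"instanceId": "i-0123456789abcdef0"}]}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0deadbeef",  # unattached: not scored
     "configuration": {"encrypted": False, "attachments": []}},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0bastion",
     "configuration": {"ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []}]}},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0internal",
     "configuration": {"ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}], "ipv6Ranges": []}]}},
    {"resourceType": "AWS::RDS::DBInstance", "resourceId": "db-prod",
     "configuration": {"publiclyAccessible": True}},
]

if __name__ == "__main__":
    for resource_id, why in non_compliant(ITEMS):
        print(resource_id, why)
```

The `non_compliant` list is the entire output of a detective control. If nobody reads it, the unencrypted volume, the internet-facing SSH rule and the public database all remain exactly as they were, which is the argument the next section makes.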

What next?

The best controls are not only effective against your specific requirements but also ones your organization is equipped to manage. You can enable many detective controls, but if no one monitors and responds to the resources they flag, they are of little value. Preventive controls are an appealing next step beyond the Strongly Recommended controls because they stop non-compliant actions before they occur. Be mindful of how you enable them, as an SCP denies the action for every principal in every account under the OU, including automation and break-glass roles. Enable new controls in a test or staging OU first, confirm that nothing which should work is being denied (CloudTrail records the resulting AccessDenied errors), and only then enable them on production OUs that run critical workloads.

For more detail on all of the Control Tower Controls see the Controls Library. [1]

[1] https://docs.aws.amazon.com/controltower/latest/controlreference/controls-reference.html

Author: AWS (EXPERT). Published 9 days ago.