How do I enable a security framework for an account in AWS Control Tower?

0

We've configured AWS Control Tower for our organization, and under AWS Control Tower -> Controls library: Categories -> Frameworks I see a number of frameworks we would like to apply.

However, when I click on one of these, like 'CIS AWS Benchmark 1.4' for example, I only have the option to enable a single control at a time. How can I enable all the controls?

Is there a way to update my blueprint (hopefully im using the right terminology) to automatically apply one or more frameworks?

asked a year ago677 views
2 Answers
0

To apply all controls in a framework, you need to enable the framework control group.

Here are the steps to enable all controls for a framework in AWS Control Tower:

  1. Go to AWS Control Tower console and select your landing zone.
  2. Navigate to the "Controls library" section in the left-hand menu.
  3. Click on the "Categories" tab and select the framework you want to enable.
  4. Click on the "Control Groups" tab, and then click on the control group that has the same name as the framework.
  5. Click on the "Enable" button in the top right corner of the screen.

This will enable all the controls within the selected framework.

To apply multiple frameworks, you can create a custom control set that includes all the controls you want to apply. Here are the steps to create a custom control set:

  1. Go to AWS Control Tower console and select your landing zone.
  2. Navigate to the "Controls library" section in the left-hand menu.
  3. Click on the "Custom control sets" tab, and then click on the "Create control set" button.
  4. Give your custom control set a name and description, and then click on the "Create" button.
  5. Click on the "Add control" button and select the controls you want to include in your control set.
  6. Once you have selected all the controls you want to include, click on the "Save" button.

You can then apply your custom control set to all your accounts within your AWS Control Tower landing zone.

profile picture
EXPERT
answered a year ago
  • Thanks for your reply. On step 3 of the first option you say "Click on the "Categories" tab and select the framework you want to enable." On the categories tab, I dont see a list of frameworks, I see 3 tabs: Control objectives, services and frameworks.

    When I click on frameworks, and I select one, the only option is to 'View Details'...or click on it. When I do I see all the controls but now way to enable them beyond clicking each in turn.

    I also do not see "Custom control sets" under the controls library.

  • Seconding @rePost-User-8472021 's comment. There's no "Control Groups" tab and no way I can see to enable these controls in bulk

0

How to enable Controls to OU [1]:

`

1. Navigate to AWS Control Tower and select the Categories tab from the Controls library and select "All Controls".
2. Choose a control you want to enable.
3. From Organizational units enabled, choose Enable control on OU.
4. A new page is displayed that lists the names of your OUs. Identify the OU on which you want to enable this control.
5. Choose Enable control on OU.
6. Your control is now enabled. It may take several minutes for the change to complete. When it does, you'll see that this control is applied to the OU you selected.

`

Below is a command that you can use to execute the controls via CLI. Please note that Control Tower controls are typically applied at the OU level when using this commmand below:

aws controltower enable-control --control-identifier <The ARN of the control> --target-identifier <The ARN of the organizational unit> Please note that this command does not apply for bulk controls.

An entire framework cannot be enabled and you can only enabled individual controls. These controls are mapped to NIST with their metadata. NIST Framework is pre-mapped to the existing controls.

Considerations when enabling:


- Certain controls may require a prerequisite control to be enabled and certain controls are enabled by default.
- You can achieve enabling multiple controls in Control Tower using Landing Zone Accelerator and CloudFormation [2].
- There are controls which may require a prerequisite control to be enabled before you can utilize them.
- Certain controls are enabled by default.

Reference link(s):

[1] - Enable controls on an OU from the console https://docs.aws.amazon.com/controltower/latest/userguide/enable-controls-on-ou.html

profile pictureAWS
answered 2 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions