How do I enable a security framework for an account in AWS Control Tower?

0

We've configured AWS Control Tower for our organization, and under AWS Control Tower -> Controls library: Categories -> Frameworks I see a number of frameworks we would like to apply.

However, when I click on one of these, like 'CIS AWS Benchmark 1.4' for example, I only have the option to enable a single control at a time. How can I enable all the controls?

Is there a way to update my blueprint (hopefully im using the right terminology) to automatically apply one or more frameworks?

asked a year ago · 606 views
2 Answers
0

To apply all controls in a framework, you need to enable the framework control group.

Here are the steps to enable all controls for a framework in AWS Control Tower:

  1. Go to the AWS Control Tower console and select your landing zone.
  2. Navigate to the "Controls library" section in the left-hand menu.
  3. Click on the "Categories" tab and select the framework you want to enable.
  4. Click on the "Control Groups" tab, and then click on the control group that has the same name as the framework.
  5. Click on the "Enable" button in the top right corner of the screen.

This will enable all the controls within the selected framework.

To apply multiple frameworks, you can create a custom control set that includes all the controls you want to apply. Here are the steps to create a custom control set:

  1. Go to the AWS Control Tower console and select your landing zone.
  2. Navigate to the "Controls library" section in the left-hand menu.
  3. Click on the "Custom control sets" tab, and then click on the "Create control set" button.
  4. Give your custom control set a name and description, and then click on the "Create" button.
  5. Click on the "Add control" button and select the controls you want to include in your control set.
  6. Once you have selected all the controls you want to include, click on the "Save" button.

You can then apply your custom control set to all your accounts within your AWS Control Tower landing zone.

EXPERT
answered a year ago
  • Thanks for your reply. On step 3 of the first option you say "Click on the "Categories" tab and select the framework you want to enable." On the categories tab, I don't see a list of frameworks, I see 3 tabs: Control objectives, services and frameworks.

    When I click on frameworks, and I select one, the only option is to 'View Details'...or click on it. When I do I see all the controls but no way to enable them beyond clicking each in turn.

    I also do not see "Custom control sets" under the controls library.

  • Seconding @rePost-User-8472021's comment. There's no "Control Groups" tab and no way I can see to enable these controls in bulk.

0

How to enable controls on an OU [1]:

1. Navigate to AWS Control Tower, select the Categories tab from the Controls library and select "All Controls".
2. Choose a control you want to enable.
3. From Organizational units enabled, choose Enable control on OU.
4. A new page is displayed that lists the names of your OUs. Identify the OU on which you want to enable this control.
5. Choose Enable control on OU.
6. Your control is now enabled. It may take several minutes for the change to complete. When it does, you'll see that this control is applied to the OU you selected.

Below is a command that you can use to enable a control via the CLI. Please note that Control Tower controls are typically applied at the OU level when using the command below:

```
aws controltower enable-control --control-identifier <The ARN of the control> --target-identifier <The ARN of the organizational unit>
```

Please note that this command does not apply controls in bulk.

An entire framework cannot be enabled; you can only enable individual controls. These controls are mapped to NIST with their metadata. The NIST Framework is pre-mapped to the existing controls.

Considerations when enabling:

- Certain controls may require a prerequisite control to be enabled and certain controls are enabled by default.
- You can achieve enabling multiple controls in Control Tower using Landing Zone Accelerator and CloudFormation [2].
- There are controls which may require a prerequisite control to be enabled before you can utilize them.
- Certain controls are enabled by default.

Reference link(s):

[1] - Enable controls on an OU from the console https://docs.aws.amazon.com/controltower/latest/userguide/enable-controls-on-ou.html

AWS
answered a month ago
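Since `enable-control` takes one control per call, the script below, an added example and not part of the answer above, calls it once per control ARN in a list against a single OU and polls each returned operation until it finishes. The ARNs are constructed placeholders, and DRY_RUN defaults to 1 so the script only prints the commands it would run.

```shell
#!/usr/bin/env bash
# Added example, not code from the answer above: enable a list of Control
# Tower controls on one OU by calling enable-control once per control (there
# is no bulk call), then wait for each asynchronous operation to finish.
# Requires AWS CLI v2 and Control Tower permissions unless DRY_RUN=1.
set -eu

# DRY_RUN=1 (the default) prints each command instead of calling AWS.
DRY_RUN="${DRY_RUN:-1}"

# Constructed placeholder ARNs; replace them with your OU and control ARNs.
TARGET_OU_ARN="arn:aws:organizations::111122223333:ou/o-exampleorg/ou-exam-ple1234"
CONTROL_ARNS="arn:aws:controltower:us-east-1::control/EXAMPLE_CONTROL_ONE
arn:aws:controltower:us-east-1::control/EXAMPLE_CONTROL_TWO"

# Enable one control on one OU. In dry-run mode print the command that would
# run; otherwise run it and poll the returned operation until it leaves
# IN_PROGRESS, then print "<status> <control ARN>" (SUCCEEDED or FAILED).
enable_control_on_ou() {
  control_arn="$1"; target_arn="$2"
  if [ "$DRY_RUN" = "1" ]; then
    printf 'aws controltower enable-control --control-identifier %s --target-identifier %s\n' \
      "$control_arn" "$target_arn"
    return 0
  fi
  op_id="$(aws controltower enable-control \
    --control-identifier "$control_arn" --target-identifier "$target_arn" \
    --query operationIdentifier --output text)"
  while :; do
    status="$(aws controltower get-control-operation \
      --operation-identifier "$op_id" \
      --query controlOperation.status --output text)"
    [ "$status" = "IN_PROGRESS" ] || break
    sleep 10   # enabling a control typically takes a few minutes
  done
  printf '%s %s\n' "$status" "$control_arn"
}

# Apply every control in a newline-separated list to the target OU. Control
# ARNs contain no whitespace, so plain word splitting is safe here.
enable_controls_on_ou() {
  target_arn="$1"; control_list="$2"
  for control_arn in $control_list; do
    enable_control_on_ou "$control_arn" "$target_arn"
  done
}

enable_controls_on_ou "$TARGET_OU_ARN" "$CONTROL_ARNS"
```

Run with `DRY_RUN=0` only after reviewing the printed commands; controls that need a prerequisite control will come back as FAILED with the reason in the operation's statusMessage.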
