AWS Control Tower - Guardrails strongly recommended and elective


Hello team.

I am enabling controls in Control Tower for the OU that contains the shared accounts (Log and Audit) and for other OUs.

I have enabled this control: Disallow Actions as a Root User, but when the root user tries to add MFA, it is not possible. For this case, how should I proceed? Should I disable the control at the OU level, then configure MFA, and finally enable the control again? Or create a new temporary OU without controls for newly enrolled accounts? How do you usually handle this scenario?

Also, I am going to enable these controls:

- Disallow Changes to Encryption Configuration for Amazon S3 Buckets
- Disallow Changes to Logging Configuration for Amazon S3 Buckets
- Disallow Changes to Bucket Policy for Amazon S3 Buckets
- Disallow Changes to Lifecycle Configuration for Amazon S3 Buckets
- Disallow Changes to Replication Configuration for Amazon S3 Buckets
- Disallow management of resource types, modules, and hooks within the AWS CloudFormation registry

But I have some doubts about what will happen after that.

1.- Will I be able to create new S3 buckets with these controls enabled, or will I receive errors such as: You need the s3:PutEncryptionConfiguration, s3:PutBucketLogging, s3:PutBucketPolicy, etc.?

2.- Will I be able to create new CloudFormation stacks?

3.- Since AWS Control Tower Account Factory creates new accounts using StackSets, and this enables AWS Config and CloudTrail, will I have problems when I create new accounts?

4.- Will I have problems with the S3 bucket for centralized logging?

In your experience, how do you handle these controls?

Thank you.

1 Answer

Enabling "Disallow Actions as a Root User" will basically apply this SCP, which will prevent you from setting up MFA for the root user. Disable it temporarily and follow the steps listed here to enable MFA for root. Once that is done, re-enable the control.

With regard to the other controls, we recommend that you create a PolicyStagingOU and test the effect of guardrails in that OU before you enable them on OUs that contain running workloads. Preventative guardrails/controls are implemented using SCPs behind the scenes. SCPs can cause issues, especially in accounts that have workloads that provision or terminate resources through automation. We recommend that you test the effects of SCPs in the PolicyStagingOU before attaching them to the root.

Detective guardrails may not be as problematic, as they are implemented as AWS Config rules behind the scenes and will only mark resources as out of compliance, but won't necessarily prevent you from provisioning resources or making API calls.

Click here to learn more about the different types of controls.

This blog may also provide some useful information.

I hope this helps. Let me know if anything needs clarification.

answered 8 months ago
  • Hello.

    Thank you for your answer.

    I understand that if the elective controls were applied successfully to the current accounts, and in the future I need to create new accounts and create S3 buckets in those accounts, I should create the account within a temporary OU? Because the control named "Disallow Changes to Encryption Configuration for Amazon S3 Buckets" lets me create the bucket, but an error appears: "Insufficient permissions to apply Default Encryption. You need the s3:PutEncryptionConfiguration permission to apply Default Encryption on this bucket. After you or your AWS admin has updated your IAM permissions to allow s3:PutEncryptionConfiguration, go to edit Default Encryption."

    When the project or the S3 bucket implementation finishes, could I move that account to the final OU?
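As an added illustration that is not part of this thread, the two effects discussed above (root blocked from iam:EnableMFADevice by the root-user control, and a bucket that can be created but not given default encryption by the S3 encryption control) can be reproduced with a small evaluator for Deny-only SCP statements of the shape Control Tower uses. The policy bodies, the condition keys and the exemption for the AWSControlTowerExecution role are assumptions modelled on the published controls, not copied from them.

```python
import fnmatch

# Constructed SCPs shaped like the two Control Tower preventive controls discussed
# in the thread; the real policies carry their own Sids and wording (assumption).
RESTRICT_ROOT_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"StringLike": {"aws:PrincipalArn": ["arn:aws:iam::*:root"]}},
    }],
}
S3_ENCRYPTION_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny", "Action": ["s3:PutEncryptionConfiguration"], "Resource": "*",
        # Control Tower exempts its own execution role from its S3 controls;
        # the exact exemption list used here is an assumption.
        "Condition": {"ArnNotLike": {"aws:PrincipalArn":
                                     ["arn:aws:iam::*:role/AWSControlTowerExecution"]}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Evaluate the two condition operators these SCPs use; reject any other."""
    for operator, entries in condition.items():
        for key, patterns in entries.items():
            value = context.get(key, "")
            hit = any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))
            if operator == "StringLike" and not hit:
                return False
            if operator == "ArnNotLike" and hit:
                return False
            if operator not in ("StringLike", "ArnNotLike"):
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def scp_denies(scp, action, principal_arn):
    """True if any Deny statement in the SCP matches this action for this principal."""
    context = {"aws:PrincipalArn": principal_arn}
    for statement in scp["Statement"]:
        if statement["Effect"] != "Deny":
            continue
        # IAM action names are matched case-insensitively, with * and ? wildcards.
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(statement["Action"])):
            continue
        if _condition_matches(statement.get("Condition", {}), context):
            return True
    return False
```

Running scp_denies for root against iam:EnableMFADevice returns True, which is why MFA cannot be added while the control is attached; for an ordinary role s3:CreateBucket passes but s3:PutEncryptionConfiguration is denied, matching the error quoted in the comment.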
