This article is part of a series starting with AWS Control Tower By Example: Part 1.

Guardrails

While much of learning AWS Control Tower is about understanding how it configures other AWS services, e.g., AWS SSO, guardrails are specific to AWS Control Tower.

A guardrail is a high-level rule that provides ongoing governance for your overall AWS environment. It’s expressed in plain language. Through guardrails, AWS Control Tower implements preventive or detective controls that help you govern your resources and monitor compliance across groups of AWS accounts.

A guardrail applies to an entire organizational unit (OU), and every AWS account within the OU is affected by the guardrail. Therefore, when users perform work in any AWS account in your landing zone, they’re always subject to the guardrails that are governing their account’s OU.

_— AWS — [Guardrails in AWS Control Tower]_

There are two types of Guardrails:

Prevention — A preventive guardrail ensures that your accounts maintain compliance, because it disallows actions that lead to policy violations.

Detection — A detective guardrail detects noncompliance of resources within your accounts, such as policy violations, and provides alerts through the dashboard.

_— AWS — [Guardrails in AWS Control Tower]_

As of the writing of this article, there are 22 Mandatory, 11 Strongly Recommended, and 5 Elective Guardrails, a mix of preventive and detective guardrails. When you create a new landing zone, only the mandatory guardrails are enabled by default.

To illustrate a guardrail in action, we go ahead and enable the _Enable MFA for the root user_ detective guardrail on the Core OU. Given that we did not enable MFA for the root user in either the Log Archive or Audit Account, we observe:

  • You will get 10 emails to the root user email address for the Audit Account entitled _Config Rules Compliance Change_ that an AWS Config rule, AWSControlTower_AWS-GR_ROOT_ACCOUNT_MFA_ENABLED, is noncompliant (we will explore why 10 below)
  • The AWS Control Tower Dashboard indicates that both the Audit and Log Archive Accounts are now _Noncompliant_ (spelling per UI)
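To see what the detective guardrail is actually checking, here is an added example (not code from the article or from AWS) that reproduces the root-MFA check behind the AWS Config rule AWSControlTower_AWS-GR_ROOT_ACCOUNT_MFA_ENABLED for one account and rolls the per-account results up into the OU-level Compliant/Noncompliant status the dashboard shows. The IAM `GetAccountSummary` field `AccountMFAEnabled` and the Config `DescribeComplianceByConfigRule` call are real APIs; the use of boto3, the account names and the sample summary values are assumptions constructed for the example.

```python
"""Added example (not from the article): emulate the "Enable MFA for the root
user" detective guardrail check per account and aggregate to an OU status.

Assumptions (not stated on the page): the live lookups use boto3 with
credentials that resolve inside each member account; the constructed sample
data stands in for the Log Archive and Audit accounts of the Core OU.
"""
from typing import Dict, List

# Name of the Config rule that Control Tower deploys for this guardrail.
GUARDRAIL_RULE = "AWSControlTower_AWS-GR_ROOT_ACCOUNT_MFA_ENABLED"


def evaluate_root_mfa(summary_map: Dict[str, int]) -> str:
    """Return the Config compliance type for one account, given the
    SummaryMap from IAM GetAccountSummary. AccountMFAEnabled is 1 when the
    root user has an MFA device and 0 otherwise; a missing key is treated as
    not enabled so the check fails closed."""
    enabled = summary_map.get("AccountMFAEnabled", 0) == 1
    return "COMPLIANT" if enabled else "NON_COMPLIANT"


def evaluate_ou(summaries: Dict[str, Dict[str, int]]) -> Dict[str, str]:
    """Evaluate every account in an OU from its summary map."""
    return {name: evaluate_root_mfa(s) for name, s in summaries.items()}


def ou_status(account_results: Dict[str, str]) -> str:
    """Roll per-account results up the way the dashboard does: a single
    NON_COMPLIANT account makes the whole OU Noncompliant (spelling per UI)."""
    if not account_results:
        return "Unknown"
    if any(r == "NON_COMPLIANT" for r in account_results.values()):
        return "Noncompliant"
    return "Compliant"


def noncompliant_accounts(account_results: Dict[str, str]) -> List[str]:
    """Accounts whose root user still needs an MFA device, for follow-up."""
    return sorted(a for a, r in account_results.items() if r == "NON_COMPLIANT")


def fetch_account_result(session) -> str:
    """Live check for the account a boto3 session is scoped to
    (assumption: boto3 is installed and credentials resolve)."""
    iam = session.client("iam")
    return evaluate_root_mfa(iam.get_account_summary()["SummaryMap"])


def fetch_config_verdict(session, rule_name: str = GUARDRAIL_RULE) -> str:
    """Ask AWS Config in the current account what the guardrail's own rule
    reports, so the local evaluation can be cross-checked against it."""
    config = session.client("config")
    resp = config.describe_compliance_by_config_rule(ConfigRuleNames=[rule_name])
    for item in resp.get("ComplianceByConfigRules", []):
        return item["Compliance"]["ComplianceType"]
    return "INSUFFICIENT_DATA"  # rule not (yet) deployed or not evaluated


# Constructed sample: what GetAccountSummary would return for the two Core OU
# accounts in the article's scenario, where neither root user has MFA yet.
SAMPLE_SUMMARIES = {
    "Log Archive": {"AccountMFAEnabled": 0, "MFADevices": 0},
    "Audit": {"AccountMFAEnabled": 0, "MFADevices": 0},
}


if __name__ == "__main__":
    results = evaluate_ou(SAMPLE_SUMMARIES)
    print(results)
    print("Core OU:", ou_status(results), noncompliant_accounts(results))
```

Running the sample reproduces the article's observation: both accounts evaluate as NON_COMPLIANT, so the Core OU shows as Noncompliant. Enabling a virtual MFA device on each root user flips `AccountMFAEnabled` to 1, after which the Config rule re-evaluates and the dashboard clears.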


AWS Control Tower By Example: Part 2