AWS Control Tower Guardrails
AWS Control Tower Guardrails are high-level rules that provide ongoing governance for AWS Control Tower environments. These guardrails help enforce policies and detect non-compliance across multi-account AWS environments using preventive and detective controls. Control Tower is designed for enterprises managing multiple AWS accounts within an AWS Organizations structure.
Terraform Registry Subdomain: awscontroltower

Registry form (with a pinned version):

```hcl
module "..." {
  source  = "awscontroltower.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}
```

Direct URL form:

```hcl
module "..." {
  source = "https://awscontroltower.compliance.tf/terraform-aws-modules/<module>/aws"
}
```
Refer to the Terraform Registry Endpoints section for more details.
Implemented Controls
The following controls are implemented as part of this framework.
- Attached EBS volumes should have encryption enabled
- EC2 instance should have EBS optimization enabled
- RDS DB instance encryption at rest should be enabled
- RDS DB instances should prohibit public access
- S3 buckets should prohibit public read access
- S3 buckets should prohibit public write access
- S3 bucket versioning should be enabled
Enable/Disable Controls
You can customize the Terraform module for the desired compliance requirements by enabling/disabling individual controls.
Examples

S3 bucket module with AWS Control Tower Guardrails compliance framework controls enabled, and a couple of controls disabled

```hcl
module "..." {
  source = "https://awscontroltower.compliance.tf/terraform-aws-modules/s3-bucket/aws?disable=ebs_attached_volume_encryption_enabled,ec2_instance_ebs_optimized"
}
```
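Because the `?disable=` query string is the only place a module opts out of a control, it is worth checking in review before `terraform apply`. The following is an added example, not code from the compliance.tf project: it parses the module source strings in a piece of Terraform text, reports which controls remain enforced and which were switched off, and flags two things a reviewer wants to see: names that match no known control (a misspelled name disables nothing, so the author's intent and the result diverge silently) and disabled controls that a review policy treats as protected. Only the two control identifiers shown on this page are real; the other five identifiers, the `PROTECTED_CONTROLS` policy and the sample Terraform text are assumptions constructed for the example.

```python
"""Audit compliance.tf-style module sources for disabled controls.

Added example; it is not code from the compliance.tf project. It parses
the `?disable=name1,name2` query string that the framework accepts on a
module source and reports which controls stay enforced, which were
switched off, and which names are unrecognised.
"""
import re
from urllib.parse import parse_qs, urlparse

# Control identifiers. The first two are the names shown on the page;
# the remaining five are ASSUMED identifiers constructed for this example
# from the control descriptions and may not match the framework's names.
KNOWN_CONTROLS = {
    "ebs_attached_volume_encryption_enabled": "Attached EBS volumes should have encryption enabled",
    "ec2_instance_ebs_optimized": "EC2 instance should have EBS optimization enabled",
    "rds_instance_encryption_at_rest_enabled": "RDS DB instance encryption at rest should be enabled",  # assumed
    "rds_instance_public_access_prohibited": "RDS DB instances should prohibit public access",  # assumed
    "s3_bucket_public_read_prohibited": "S3 buckets should prohibit public read access",  # assumed
    "s3_bucket_public_write_prohibited": "S3 buckets should prohibit public write access",  # assumed
    "s3_bucket_versioning_enabled": "S3 bucket versioning should be enabled",  # assumed
}

# Controls that a review policy would not let a module disable. This set
# is an assumption for the example, not part of the framework.
PROTECTED_CONTROLS = {
    "rds_instance_public_access_prohibited",
    "s3_bucket_public_read_prohibited",
    "s3_bucket_public_write_prohibited",
}

SOURCE_RE = re.compile(r'^\s*source\s*=\s*"([^"]+)"', re.MULTILINE)


def parse_source(source):
    """Split a module source into (module path, set of names in ?disable=)."""
    # The registry form on the page carries no scheme; add one so that
    # urlparse puts the host in netloc instead of swallowing it into path.
    if "://" not in source:
        source = "https://" + source
    url = urlparse(source)
    disabled = set()
    for value in parse_qs(url.query).get("disable", []):
        disabled.update(n.strip() for n in value.split(",") if n.strip())
    return url.netloc + url.path, disabled


def audit_source(source):
    """Classify every known control for one module source."""
    module, requested = parse_source(source)
    known = set(KNOWN_CONTROLS)
    disabled = requested & known
    return {
        "module": module,
        "enforced": known - disabled,
        "disabled": disabled,
        "unknown": requested - known,
        "protected_disabled": disabled & PROTECTED_CONTROLS,
    }


def audit_hcl(text):
    """Audit every `source = "..."` line in a piece of Terraform text."""
    return [audit_source(m.group(1)) for m in SOURCE_RE.finditer(text)]


# Constructed sample Terraform text: the first module is the page's own
# example, the second carries a typo in a control name, the third disables
# a control that the assumed review policy protects.
SAMPLE_TF = '''
module "logs" {
  source = "https://awscontroltower.compliance.tf/terraform-aws-modules/s3-bucket/aws?disable=ebs_attached_volume_encryption_enabled,ec2_instance_ebs_optimized"
}
module "assets" {
  source = "https://awscontroltower.compliance.tf/terraform-aws-modules/s3-bucket/aws?disable=s3_bucket_versioning_enabeld"
}
module "public_site" {
  source = "https://awscontroltower.compliance.tf/terraform-aws-modules/s3-bucket/aws?disable=s3_bucket_public_read_prohibited"
}
'''

if __name__ == "__main__":
    for result in audit_hcl(SAMPLE_TF):
        print(result["module"])
        print("  disabled:           ", sorted(result["disabled"]))
        print("  unknown names:      ", sorted(result["unknown"]))
        print("  protected disabled: ", sorted(result["protected_disabled"]))
```

Run against real `.tf` files in a pre-commit hook or CI step, the `unknown` and `protected_disabled` sets are the ones to fail the build on; the `enforced` set is useful evidence for an audit trail showing which controls a given module invocation actually carries.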