{"value":"Today, customers in regulated industries face the challenge of defining and enforcing controls needed to meet compliance and security requirements while empowering engineers to make their design choices. In addition to addressing risk, reliability, performance, and resiliency requirements, organizations may also need to comply with frameworks and standards such as [PCI DSS](https://aws.amazon.com/compliance/pci-dss-level-1-faqs/) and [NIST 800-53](https://aws.amazon.com/compliance/nist/).\n\nBuilding controls that account for service relationships and their dependencies is time-consuming and expensive. Sometimes customers restrict engineering access to Amazon Web Services services and features until their cloud architects identify risks and implement their own controls.\n\nTo make that easier, today we are launching comprehensive controls management in Amazon Web Services Control Tower. You can use it to apply managed preventive, detective, and proactive controls to accounts and organizational units (OUs) by service, control objective, or compliance framework. Amazon Web Services Control Tower does the mapping between them on your behalf, saving time and effort.\n\nWith this new capability, you can now also use Amazon Web Services Control Tower to turn on [Amazon Web Services Security Hub](https://aws.amazon.com/security-hub/) detective controls across all accounts in an OU. In this way, Security Hub controls are enabled in every [Amazon Web Services Region](https://aws.amazon.com/about-aws/global-infrastructure/regions_az/) that Amazon Web Services Control Tower governs.\n\nLet’s see how this works in practice.\n\n**++Using Amazon Web Services Control Tower Comprehensive Controls Management++**\n\nIn the [Amazon Web Services Control Tower console](https://console.aws.amazon.com/controltower), there is a new **Controls library** section. There, I choose **All controls**. There are now more than three hundred controls available. 
For each control, I see which Amazon Web Services service it is related to, the control objective this control is part of, the implementation (such as [Amazon Web Services Config](https://aws.amazon.com/config/) rule or [Amazon Web Services CloudFormation](https://aws.amazon.com/cloudformation/) [Guard](https://docs.aws.amazon.com/cfn-guard/latest/ug/what-is-guard.html) rule), the behavior (preventive, detective, or proactive), and the frameworks it maps to (such as NIST 800-53 or PCI DSS).\n\n![image.png](https://dev-media.amazoncloud.cn/599a1ff38ee24a928a26c36acda4c1ef_image.png)\n\nIn the **Find controls** search box, I look for a preventive control called **CT.CLOUDFORMATION.PR.1**. This control uses a [service control policy (SCP)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) to protect controls that use [CloudFormation hooks](https://docs.aws.amazon.com/cloudformation-cli/latest/userguide/hooks.html) and is required by the control that I want to turn on next. Then, I choose **Enable control**.\n\n![image.png](https://dev-media.amazoncloud.cn/c16b493227f7498d8aca74f150c6d0b1_image.png)\n\nThen, I select the OU for which I want to enable this control.\n\n![image.png](https://dev-media.amazoncloud.cn/0702eb1b919c469099b4389db6382c46_image.png)\n\nNow that I have set up this control, let’s see how controls are presented in the console in categories. I choose **Categories** in the navigation pane. There, I can browse controls grouped as **Frameworks**, **Services**, and **Control objectives**. By default, the **Frameworks** tab is selected.\n\n![image.png](https://dev-media.amazoncloud.cn/8013a80545aa4e2ea7a4da9f6246bf86_image.png)\n\nI select a framework (for example, **PCI DSS version 3.2.1**) to see all the related controls and control objectives. 
To implement a control, I can select the control from the list and choose **Enable control**.\n\n![image.png](https://dev-media.amazoncloud.cn/defaa0021ca349929595c5d93013b323_image.png)\n\nI can also manage controls by Amazon Web Services service. When I select the **Services** tab, I see a list of Amazon Web Services services and the related control objectives and controls.\n\n![image.png](https://dev-media.amazoncloud.cn/eadd489e9a994de8bdede906bbf2a4fe_image.png)\n\nI choose [Amazon DynamoDB](https://aws.amazon.com/dynamodb/) to see the controls that I can turn on for this service.\n\n![image.png](https://dev-media.amazoncloud.cn/22e2fe2ba09f4ebfac51de1fc8eccb64_image.png)\n\nI select the **Control objectives** tab. When I need to assess a control objective, this is where I have access to the list of related controls to turn on.\n\n![image.png](https://dev-media.amazoncloud.cn/340f94b621dc4170b29d3b92d4d99971_image.png)\n\nI choose **Encrypt data at rest** to see and search through the available controls for that control objective. I can also check which services are covered in this specific case. I type `RDS` in the search bar to find the controls related to [Amazon Relational Database Service (RDS)](https://aws.amazon.com/rds/) for this control objective.\n\nI choose **CT.RDS.PR.16 – Require an [Amazon RDS](https://aws.amazon.com/cn/rds/?trk=cndc-detail) database cluster to have encryption at rest configured** and then **Enable control**.\n\n![image.png](https://dev-media.amazoncloud.cn/8f68842a84d741c1a1081585c2e08a4f_image.png)\n\nI select the OU for which I want to enable the control, and I proceed. All the Amazon Web Services accounts in this organization’s OU will have this control enabled in all the Regions that Amazon Web Services Control Tower governs.\n\n![image.png](https://dev-media.amazoncloud.cn/2b226d5b59fd4317a6db22cc5368b28a_image.png)\n\nAfter a few minutes, the Amazon Web Services Control Tower setup is updated. 
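The requirement that CT.RDS.PR.16 enforces, expressed as a local pre-deployment check you can run in CI before a template reaches CloudFormation. This is an added example in Python, not Control Tower's hook or its Guard rule; it checks only the stated requirement (StorageEncrypted on every AWS::RDS::DBCluster), and the sample templates are constructed for illustration. Like a hook, it sees the template rather than a provisioned resource, so a value it cannot resolve statically is treated as non-compliant.

```python
"""Pre-deployment check mirroring the requirement CT.RDS.PR.16 enforces.

Added example (not Control Tower's hook or Guard rule): every
AWS::RDS::DBCluster in a CloudFormation template must carry
StorageEncrypted: true. Run it in CI to reject a template locally
before CloudFormation and the managed hook ever see it.
"""
import json
from typing import Any, Dict, List

DB_CLUSTER_TYPE = "AWS::RDS::DBCluster"


def _is_literal_true(value: Any) -> bool:
    """CloudFormation accepts a boolean true or the string "true"."""
    return value is True or (isinstance(value, str) and value.lower() == "true")


def find_unencrypted_db_clusters(template: Dict[str, Any]) -> List[str]:
    """Return the logical IDs of DB clusters that would be rejected.

    A hook evaluates the template before any resource exists, so a value
    it cannot resolve statically (an intrinsic such as Fn::If or Ref) is
    treated as non-compliant here: the check fails closed instead of
    trusting a value it cannot inspect.
    """
    failing: List[str] = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != DB_CLUSTER_TYPE:
            continue
        properties = resource.get("Properties") or {}
        if not _is_literal_true(properties.get("StorageEncrypted")):
            failing.append(logical_id)
    return failing


def evaluate(template: Dict[str, Any]) -> Dict[str, str]:
    """Verdict in the shape a hook reports: a status plus a message."""
    failing = find_unencrypted_db_clusters(template)
    if failing:
        return {
            "status": "FAILED",
            "message": "StorageEncrypted must be true on: " + ", ".join(failing),
        }
    return {"status": "SUCCESS", "message": "every DB cluster is encrypted at rest"}


def evaluate_json(template_text: str) -> Dict[str, str]:
    """Same check over a JSON template as written to disk."""
    return evaluate(json.loads(template_text))


# Constructed sample templates for illustration; not from the page.
TEMPLATE_REJECTED: Dict[str, Any] = {
    "Resources": {
        "NoProperty": {  # property omitted, so no encryption is requested
            "Type": DB_CLUSTER_TYPE,
            "Properties": {"Engine": "aurora-mysql"},
        },
        "ExplicitFalse": {
            "Type": DB_CLUSTER_TYPE,
            "Properties": {"Engine": "aurora-postgresql", "StorageEncrypted": False},
        },
        "Conditional": {  # resolved only at deploy time, so fail closed
            "Type": DB_CLUSTER_TYPE,
            "Properties": {
                "Engine": "aurora-mysql",
                "StorageEncrypted": {"Fn::If": ["IsProd", True, False]},
            },
        },
        "Unrelated": {"Type": "AWS::S3::Bucket", "Properties": {}},
    }
}

TEMPLATE_ACCEPTED: Dict[str, Any] = {
    "Resources": {
        "BoolTrue": {
            "Type": DB_CLUSTER_TYPE,
            "Properties": {"Engine": "aurora-mysql", "StorageEncrypted": True},
        },
        "StringTrue": {
            "Type": DB_CLUSTER_TYPE,
            "Properties": {"Engine": "aurora-postgresql", "StorageEncrypted": "true"},
        },
    }
}

if __name__ == "__main__":
    for name, template in (("rejected", TEMPLATE_REJECTED), ("accepted", TEMPLATE_ACCEPTED)):
        print(name, json.dumps(evaluate(template)))
```

The fail-closed choice on intrinsics is deliberate: a template that encrypts only when a condition holds is exactly the case where a static check cannot promise compliance, and rejecting it early is cheaper than a failed stack operation at deploy time.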
Now, the accounts in this OU have proactive control **CT.RDS.PR.16** turned on. When an account in this OU deploys a CloudFormation stack, any [Amazon RDS](https://aws.amazon.com/cn/rds/?trk=cndc-detail) database cluster has to have encryption at rest configured. Because this control is proactive, it’ll be checked by a CloudFormation hook before the deployment starts. This saves a lot of time compared to a detective control that would find the issue only when the CloudFormation deployment is in progress or has terminated. This also improves my security posture by preventing something that’s not allowed as opposed to reacting to it after the fact. Note that a proactive control evaluates only what is deployed through CloudFormation: a cluster created directly through the console, CLI, or API is not seen by the hook, which is why detective controls still matter alongside it.\n\n**++Availability and Pricing++**\n\nComprehensive controls management is available in preview today in all Amazon Web Services Regions where Amazon Web Services Control Tower is offered. These enhanced control capabilities reduce the time it takes you to vet Amazon Web Services services from months or weeks to minutes. They help you use Amazon Web Services by undertaking the heavy burden of defining, mapping, and managing the controls required to meet the most common control objectives and regulations.\n\nThere is no additional charge to use these new capabilities during the preview. However, when you set up Amazon Web Services Control Tower, you will begin to incur costs for Amazon Web Services services configured to set up your landing zone and mandatory controls. 
For more information, see [Amazon Web Services Control Tower pricing](https://aws.amazon.com/controltower/pricing/).\n\n[Simplify how you implement compliance and security requirements with Amazon Web Services Control Tower.](https://aws.amazon.com/controltower/?control-blogs.sort-by=item.additionalFields.createdDate&control-blogs.sort-order=desc)\n\n— [Danilo](https://twitter.com/danilop)\n\n![6465c675a51d44aca59965f281504693_image3.png](https://dev-media.amazoncloud.cn/d13d88954fc94df9af3ae764d2da31e2_6465c675a51d44aca59965f281504693_image%283%29.png)\n\n\n### **[Danilo Poccia](https://aws.amazon.com/blogs/aws/author/danilop/)**\n\nDanilo works with startups and companies of any size to support their innovation. In his role as Chief Evangelist (EMEA) at Amazon Web Services, he leverages his experience to help people bring their ideas to life, focusing on serverless architectures and event-driven programming, and on the technical and business impact of machine learning and edge computing. He is the author of Amazon Web Services Lambda in Action from Manning.","render":"<p>Today, customers in regulated industries face the challenge of defining and enforcing controls needed to meet compliance and security requirements while empowering engineers to make their design choices. In addition to addressing risk, reliability, performance, and resiliency requirements, organizations may also need to comply with frameworks and standards such as <a href=\\"https://aws.amazon.com/compliance/pci-dss-level-1-faqs/\\" target=\\"_blank\\">PCI DSS</a> and <a href=\\"https://aws.amazon.com/compliance/nist/\\" target=\\"_blank\\">NIST 800-53</a>.</p>\\n<p>Building controls that account for service relationships and their dependencies is time-consuming and expensive. 
Sometimes customers restrict engineering access to Amazon Web Services services and features until their cloud architects identify risks and implement their own controls.</p>\n<p>To make that easier, today we are launching comprehensive controls management in Amazon Web Services Control Tower. You can use it to apply managed preventive, detective, and proactive controls to accounts and organizational units (OUs) by service, control objective, or compliance framework. Amazon Web Services Control Tower does the mapping between them on your behalf, saving time and effort.</p>\n<p>With this new capability, you can now also use Amazon Web Services Control Tower to turn on <a href=\\"https://aws.amazon.com/security-hub/\\" target=\\"_blank\\">Amazon Web Services Security Hub</a> detective controls across all accounts in an OU. In this way, Security Hub controls are enabled in every <a href=\\"https://aws.amazon.com/about-aws/global-infrastructure/regions_az/\\" target=\\"_blank\\">Amazon Web Services Region</a> that Amazon Web Services Control Tower governs.</p>\\n<p>Let’s see how this works in practice.</p>\n<p><strong><ins>Using Amazon Web Services Control Tower Comprehensive Controls Management</ins></strong></p>\n<p>In the <a href=\\"https://console.aws.amazon.com/controltower\\" target=\\"_blank\\">Amazon Web Services Control Tower console</a>, there is a new <strong>Controls library</strong> section. There, I choose <strong>All controls</strong>. There are now more than three hundred controls available. 
For each control, I see which Amazon Web Services service it is related to, the control objective this control is part of, the implementation (such as <a href=\\"https://aws.amazon.com/config/\\" target=\\"_blank\\">Amazon Web Services Config</a> rule or <a href=\\"https://aws.amazon.com/cloudformation/\\" target=\\"_blank\\">Amazon Web Services CloudFormation</a> <a href=\\"https://docs.aws.amazon.com/cfn-guard/latest/ug/what-is-guard.html\\" target=\\"_blank\\">Guard</a> rule), the behavior (preventive, detective, or proactive), and the frameworks it maps to (such as NIST 800-53 or PCI DSS).</p>\\n<p><img src=\\"https://dev-media.amazoncloud.cn/599a1ff38ee24a928a26c36acda4c1ef_image.png\\" alt=\\"image.png\\" /></p>\n<p>In the <strong>Find controls</strong> search box, I look for a preventive control called <strong>CT.CLOUDFORMATION.PR.1</strong>. This control uses a <a href=\\"https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html\\" target=\\"_blank\\">service control policy (SCP)</a> to protect controls that use <a href=\\"https://docs.aws.amazon.com/cloudformation-cli/latest/userguide/hooks.html\\" target=\\"_blank\\">CloudFormation hooks</a> and is required by the control that I want to turn on next. Then, I choose <strong>Enable control</strong>.</p>\\n<p><img src=\\"https://dev-media.amazoncloud.cn/c16b493227f7498d8aca74f150c6d0b1_image.png\\" alt=\\"image.png\\" /></p>\n<p>Then, I select the OU for which I want to enable this control.</p>\n<p><img src=\\"https://dev-media.amazoncloud.cn/0702eb1b919c469099b4389db6382c46_image.png\\" alt=\\"image.png\\" /></p>\n<p>Now that I have set up this control, let’s see how controls are presented in the console in categories. I choose <strong>Categories</strong> in the navigation pane. There, I can browse controls grouped as <strong>Frameworks</strong>, <strong>Services</strong>, and <strong>Control objectives</strong>. 
By default, the <strong>Frameworks</strong> tab is selected.</p>\\n<p><img src=\\"https://dev-media.amazoncloud.cn/8013a80545aa4e2ea7a4da9f6246bf86_image.png\\" alt=\\"image.png\\" /></p>\n<p>I select a framework (for example, <strong>PCI DSS version 3.2.1</strong>) to see all the related controls and control objectives. To implement a control, I can select the control from the list and choose <strong>Enable control</strong>.</p>\\n<p><img src=\\"https://dev-media.amazoncloud.cn/defaa0021ca349929595c5d93013b323_image.png\\" alt=\\"image.png\\" /></p>\n<p>I can also manage controls by Amazon Web Services service. When I select the <strong>Services</strong> tab, I see a list of Amazon Web Services services and the related control objectives and controls.</p>\\n<p><img src=\\"https://dev-media.amazoncloud.cn/eadd489e9a994de8bdede906bbf2a4fe_image.png\\" alt=\\"image.png\\" /></p>\n<p>I choose <a href=\\"https://aws.amazon.com/dynamodb/\\" target=\\"_blank\\">Amazon DynamoDB</a> to see the controls that I can turn on for this service.</p>\\n<p><img src=\\"https://dev-media.amazoncloud.cn/22e2fe2ba09f4ebfac51de1fc8eccb64_image.png\\" alt=\\"image.png\\" /></p>\n<p>I select the <strong>Control objectives</strong> tab. When I need to assess a control objective, this is where I have access to the list of related controls to turn on.</p>\\n<p><img src=\\"https://dev-media.amazoncloud.cn/340f94b621dc4170b29d3b92d4d99971_image.png\\" alt=\\"image.png\\" /></p>\n<p>I choose <strong>Encrypt data at rest</strong> to see and search through the available controls for that control objective. I can also check which services are covered in this specific case. 
I type <code>RDS</code> in the search bar to find the controls related to <a href=\\"https://aws.amazon.com/rds/\\" target=\\"_blank\\">Amazon Relational Database Service (RDS)</a> for this control objective.</p>\\n<p>I choose <strong>CT.RDS.PR.16 – Require an Amazon RDS database cluster to have encryption at rest configured</strong> and then <strong>Enable control</strong>.</p>\\n<p><img src=\\"https://dev-media.amazoncloud.cn/8f68842a84d741c1a1081585c2e08a4f_image.png\\" alt=\\"image.png\\" /></p>\n<p>I select the OU for which I want to enable the control, and I proceed. All the Amazon Web Services accounts in this organization’s OU will have this control enabled in all the Regions that Amazon Web Services Control Tower governs.</p>\n<p><img src=\\"https://dev-media.amazoncloud.cn/2b226d5b59fd4317a6db22cc5368b28a_image.png\\" alt=\\"image.png\\" /></p>\n<p>After a few minutes, the Amazon Web Services Control Tower setup is updated. Now, the accounts in this OU have proactive control <strong>CT.RDS.PR.16</strong> turned on. When an account in this OU deploys a CloudFormation stack, any <a href=\\"https://aws.amazon.com/cn/rds/?trk=cndc-detail\\" target=\\"_blank\\">Amazon RDS</a> database cluster has to have encryption at rest configured. Because this control is proactive, it’ll be checked by a CloudFormation hook before the deployment starts. This saves a lot of time compared to a detective control that would find the issue only when the CloudFormation deployment is in progress or has terminated. This also improves my security posture by preventing something that’s not allowed as opposed to reacting to it after the fact. Note that a proactive control evaluates only what is deployed through CloudFormation: a cluster created directly through the console, CLI, or API is not seen by the hook, which is why detective controls still matter alongside it.</p>\\n<p><strong><ins>Availability and Pricing</ins></strong></p>\n<p>Comprehensive controls management is available in preview today in all Amazon Web Services Regions where Amazon Web Services Control Tower is offered. These enhanced control capabilities reduce the time it takes you to vet Amazon Web Services services from months or weeks to minutes. 
They help you use Amazon Web Services by undertaking the heavy burden of defining, mapping, and managing the controls required to meet the most common control objectives and regulations.</p>\n<p>There is no additional charge to use these new capabilities during the preview. However, when you set up Amazon Web Services Control Tower, you will begin to incur costs for Amazon Web Services services configured to set up your landing zone and mandatory controls. For more information, see <a href=\\"https://aws.amazon.com/controltower/pricing/\\" target=\\"_blank\\">Amazon Web Services Control Tower pricing</a>.</p>\\n<p><a href=\\"https://aws.amazon.com/controltower/?control-blogs.sort-by=item.additionalFields.createdDate&control-blogs.sort-order=desc\\" target=\\"_blank\\">Simplify how you implement compliance and security requirements with Amazon Web Services Control Tower.</a></p>\\n<p>— <a href=\\"https://twitter.com/danilop\\" target=\\"_blank\\">Danilo</a></p>\\n<p><img src=\\"https://dev-media.amazoncloud.cn/d13d88954fc94df9af3ae764d2da31e2_6465c675a51d44aca59965f281504693_image%283%29.png\\" alt=\\"6465c675a51d44aca59965f281504693_image3.png\\" /></p>\n<h3><a id=\\"Danilo_Pocciahttpsawsamazoncomblogsawsauthordanilop_70\\"></a><strong><a href=\\"https://aws.amazon.com/blogs/aws/author/danilop/\\" target=\\"_blank\\">Danilo Poccia</a></strong></h3>\n<p>Danilo works with startups and companies of any size to support their innovation. In his role as Chief Evangelist (EMEA) at Amazon Web Services, he leverages his experience to help people bring their ideas to life, focusing on serverless architectures and event-driven programming, and on the technical and business impact of machine learning and edge computing. He is the author of Amazon Web Services Lambda in Action from Manning.</p>\n"}