Monday, October 13, 2025

AWS Control Tower Guardrails | Overview.


Scope:

  • Intro,
  • Control Categories by guidance level,
  • Implementation Types (three primary ways a control acts),
  • Key Governance Features,
  • Table of Guardrail Types, Purpose and Enforcement Mechanism,
  • Preventive Guardrails (SCPs) that stop actions before they happen,
  • Table of Common Samples of Guardrail and Description,
  • Detective Guardrails (AWS Config Rules),
  • Guardrail Categories by Guidance Level (three levels) and Description,
  • How Guardrails Work Under the Hood,
  • Architecture Diagram and Guardrail Enforcement Flow,
  • Guardrail Compliance & Drift Detection,
  • Sample of “Disallow Public Access to S3 Buckets”,
  • Guardrail Lifecycle,
  • Monitoring Guardrails (Use cases),
  • Table for Benefits of Guardrails & Description,
  • Limitations & Considerations.

Intro:

    • AWS Control Tower guardrails (now officially called controls) are high-level rules that provide ongoing governance for twtech AWS environment. 
    • AWS Control Tower guardrails (controls) help ensure security, compliance, and operational best practices across all accounts in twtech Landing Zone.
Control Categories categorized by their guidance level:
    • Mandatory: These are automatically enabled when you set up your landing zone and cannot be disabled. They protect the Control Tower environment itself (e.g., disallowing changes to IAM roles created by the service).
    • Strongly recommended: These reflect common best practices for well-architected multi-account environments (e.g., detecting if MFA is enabled for the root user).
    • Elective: These are optional rules you can choose to enable based on specific business needs, such as disallowing internet access through SSH.
Implementation Types (three primary control ways):
    1. Preventive: These stop non-compliant actions before they happen. They are implemented as Service Control Policies (SCPs) in AWS Organizations.
    2. Detective: These monitor resources and raise a finding when they become non-compliant. They are implemented as AWS Config rules.
    3. Proactive: These evaluate resources before deployment by checking AWS CloudFormation templates (implemented with AWS CloudFormation hooks), so non-compliant infrastructure is never created in the first place.
Key Governance Features
    • Regional governance: twtech can apply Region Deny controls to restrict resource provisioning to specific approved AWS Regions.
    • API automation: twtech can manage controls programmatically using the Control Tower APIs to enable or disable them across OUs.
    • Drift detection: The dashboard identifies "drift": changes made outside of Control Tower that conflict with twtech's established controls, such as an SCP detached from a governed OU or an account moved between OUs.
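The "API automation" bullet in practice, as an added example (not code from this page or from AWS): enable a control on an OU only if it is not already enabled, then poll the asynchronous control operation until it reaches a terminal status. It uses the real Control Tower API operations ListEnabledControls, EnableControl and GetControlOperation and their response field names. The control identifier, OU ARN and account ID are placeholders to be replaced with values from your own landing zone, and the FakeControlTower class is a constructed stand-in for boto3.client("controltower") so the block runs offline.

```python
"""Enable an AWS Control Tower control on an OU via the API and wait for it.

Added example. Identifiers are placeholders: take the control identifier from
the Control Tower controls reference for your home Region and the target from
your OU's AWS Organizations ARN. FakeControlTower is a constructed offline
stand-in for boto3.client("controltower").
"""
import time

# Placeholder identifiers (hypothetical organization, OU and account IDs).
CONTROL_ID = "arn:aws:controltower:us-east-1::control/AWS-GR_RESTRICT_ROOT_USER"
TARGET_OU = "arn:aws:organizations::111122223333:ou/o-exampleorgid/ou-exam-ple12345"


def list_enabled_control_ids(client, target_ou):
    """Collect controlIdentifier values across all ListEnabledControls pages."""
    ids, token = [], None
    while True:
        kwargs = {"targetIdentifier": target_ou}
        if token:
            kwargs["nextToken"] = token
        page = client.list_enabled_controls(**kwargs)
        ids.extend(c["controlIdentifier"] for c in page["enabledControls"])
        token = page.get("nextToken")
        if not token:
            return ids


def enable_control_on_ou(client, control_id, target_ou, poll_seconds=5, timeout_seconds=600):
    """Idempotently enable control_id on target_ou.

    Returns "ALREADY_ENABLED", or the terminal status of the control operation
    ("SUCCEEDED" or "FAILED"). EnableControl is asynchronous: it returns an
    operation identifier that must be polled with GetControlOperation.
    """
    if control_id in list_enabled_control_ids(client, target_ou):
        return "ALREADY_ENABLED"
    response = client.enable_control(controlIdentifier=control_id, targetIdentifier=target_ou)
    op_id = response["operationIdentifier"]
    deadline = time.monotonic() + timeout_seconds
    while time.monotonic() < deadline:
        op = client.get_control_operation(operationIdentifier=op_id)["controlOperation"]
        if op["status"] in ("SUCCEEDED", "FAILED"):
            return op["status"]
        time.sleep(poll_seconds)
    raise TimeoutError(f"control operation {op_id} still IN_PROGRESS after {timeout_seconds}s")


class FakeControlTower:
    """Constructed offline stand-in mimicking the three API responses used above."""

    def __init__(self):
        self.enabled = {}      # target ARN -> list of enabled control identifiers
        self.ops = {}          # operation id -> number of IN_PROGRESS polls left
        self.enable_calls = 0  # lets a test prove the second call was a no-op

    def list_enabled_controls(self, targetIdentifier, nextToken=None):
        controls = [{"controlIdentifier": c} for c in self.enabled.get(targetIdentifier, [])]
        return {"enabledControls": controls}  # no nextToken: single page

    def enable_control(self, controlIdentifier, targetIdentifier):
        self.enable_calls += 1
        op_id = f"op-{self.enable_calls}"
        self.ops[op_id] = 2  # report IN_PROGRESS twice, then SUCCEEDED
        self.enabled.setdefault(targetIdentifier, []).append(controlIdentifier)
        return {"operationIdentifier": op_id}

    def get_control_operation(self, operationIdentifier):
        remaining = self.ops[operationIdentifier]
        if remaining > 0:
            self.ops[operationIdentifier] = remaining - 1
            return {"controlOperation": {"status": "IN_PROGRESS"}}
        return {"controlOperation": {"status": "SUCCEEDED"}}


if __name__ == "__main__":
    client = FakeControlTower()  # swap for boto3.client("controltower") in the home Region
    print(enable_control_on_ou(client, CONTROL_ID, TARGET_OU, poll_seconds=0))  # SUCCEEDED
    print(enable_control_on_ou(client, CONTROL_ID, TARGET_OU, poll_seconds=0))  # ALREADY_ENABLED
```

Run it against the real service from the management account (or a delegated administrator) in the landing zone's home Region; the pre-check matters because EnableControl on an already-enabled control fails rather than succeeding silently.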

The Concept of AWS Control Tower Guardrails (deep dive)

    • Guardrails are preconfigured, automated governance controls in AWS Control Tower.
    • Guardrails help ensure twtech accounts stay compliant with AWS best practices and organizational policies.
    • Guardrails operate across multiple accounts and Organizational Units (OUs) by using:
      • Service Control Policies (SCPs) for preventive controls
      • AWS Config Rules for detective controls
      • AWS CloudFormation hooks for proactive controls
    • Guardrails are enabled on Organizational Units (OUs), not on individual accounts; every account in the OU inherits them.
    • Because SCP attachment is inherited down the OU tree, a preventive guardrail enabled on a parent OU also binds the accounts in its child OUs.
    • Guardrails ensure consistent enforcement across twtech's multi-account setup.

 Table of Guardrail Types, Purpose and Enforcement Mechanism

By implementation (how the control acts):

  • Preventive Guardrails
    Purpose: block specific actions that violate policy.
    Enforcement: Service Control Policies (SCPs) in AWS Organizations.
  • Detective Guardrails
    Purpose: continuously monitor compliance; notify when violations occur.
    Enforcement: AWS Config Rules.
  • Proactive Guardrails
    Purpose: reject non-compliant resources at deployment time, before they exist.
    Enforcement: AWS CloudFormation hooks.

By guidance level (whether twtech must, should, or may enable them):

  • Mandatory Guardrails
    Purpose: always enabled by Control Tower; cannot be disabled.
    Enforcement: mix of SCPs + Config rules.
  • Strongly Recommended Guardrails
    Purpose: suggested best practices; can be optionally enabled.
    Enforcement: SCPs or Config rules.
  • Elective Guardrails
    Purpose: optional governance rules for additional control.
    Enforcement: SCPs or Config rules.

 Preventive Guardrails (SCPs) that stop actions before they happen.

  • Preventive guardrails are implemented through AWS Organizations SCPs attached to OUs.
  • If a user or role in a member account tries to perform a restricted action, it is denied at the AWS Organizations level even if IAM permissions allow the action: an SCP Deny is evaluated alongside the account's own IAM policies and cannot be overridden by them.
  • Two caveats: SCPs never restrict the management account, and an SCP only blocks future API calls, so resources that were already non-compliant when the guardrail was enabled stay that way until a detective guardrail finds them and someone remediates.

 Table of Common Samples of Guardrail and Description:

  • Disallow changes to AWS Control Tower resources
    Prevents modifications to landing zone baseline resources (mandatory, SCP-backed).
  • Disallow public read access to S3 buckets
    Blocks users from setting S3 ACLs or bucket policies that make data public. Note that Control Tower's built-in guardrail of this name is a detective one backed by the s3-bucket-public-read-prohibited Config rule; blocking the call outright takes a custom SCP or one of the newer preventive S3 controls.
  • Disallow root user access (listed in the control catalog as "Disallow actions as a root user")
    Prevents API calls made with the root user credentials of member accounts.
  • Restrict regions (Region deny)
    Limits resource creation to approved AWS Regions only.

 Detective Guardrails (AWS Config Rules)

    • Detective guardrails monitor and detect when resources drift from compliance or best practices.
    • Detective guardrails don't block actions; instead, they raise alerts or compliance findings after the fact.

 Common Examples:

  • Detect whether CloudTrail is enabled
    Ensures CloudTrail is always recording API activity.
  • Detect whether GuardDuty is enabled
    Monitors for missing or disabled threat detection.
  • Detect if root user has MFA enabled
    Flags root accounts without multi-factor authentication.
  • Detect if S3 buckets have versioning enabled
    Checks for data durability and recovery practices.

 Guardrail Categories by Guidance Level (three levels) and Description:

  • Mandatory
    Always enabled and cannot be removed. E.g., "Disallow changes to AWS Control Tower resources."
  • Strongly Recommended
    Key security and compliance best practices that AWS advises enabling.
  • Elective
    Optional controls that enhance governance for specific use cases (e.g., a stricter security posture).

 How Guardrails Work Under the Hood

 1. Preventive Guardrails (SCP Path)

    1. Control Tower creates a Service Control Policy in AWS Organizations and attaches it to the OU.
    2. The SCP defines Deny statements (e.g., deny the S3 calls that make data public).
    3. Every account within that OU (and within its nested child OUs) inherits the policy automatically; the management account is the one exception, since SCPs never apply to it.
    4. Attempted noncompliant actions are denied at the AWS Organizations level, regardless of the IAM policies inside the account.

 2. Detective Guardrails (Config Path)

    1. Control Tower deploys AWS Config Rules through CloudFormation StackSets into each governed account, in each governed Region.
    2. These rules evaluate resources on configuration change and/or on a schedule and mark them COMPLIANT or NON_COMPLIANT.
    3. Noncompliance is recorded in each account's AWS Config, aggregated into the Config aggregator in the Audit account, and surfaced in the Control Tower Dashboard.
    4. Compliance-change notifications are published to the SNS topics in the Audit account (e.g., aws-controltower-AggregateSecurityNotifications) and can be routed to Security Hub, CloudWatch, or ticketing for remediation workflows.
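What the Config path actually evaluates, as an added example (not code from this page or AWS's rule implementation): a detective check modelled on the logic documented for the managed rule s3-bucket-public-read-prohibited, which backs the "public read access to S3 buckets" guardrail. A bucket is COMPLIANT when a public ACL is either absent or ignored by Block Public Access, and a public bucket policy is either absent or restricted by Block Public Access. The bucket snapshots are constructed, and the bucket-policy analysis is a simplification: only unconditioned Allow statements with a wildcard principal count as public, so statements that carry a Condition are skipped rather than analysed.

```python
"""Detective guardrail evaluation for public-read S3 buckets.

Added example modelled on the documented logic of the managed Config rule
s3-bucket-public-read-prohibited; not AWS's implementation. Bucket snapshots
are constructed; their shapes follow GetBucketAcl, GetBucketPolicy and
GetPublicAccessBlock responses.
"""
import fnmatch

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
READ_PERMS = {"READ", "FULL_CONTROL"}


def acl_allows_public_read(acl):
    """True if any grant gives READ or FULL_CONTROL to everyone or to all authenticated AWS users."""
    return any(
        g["Grantee"].get("Type") == "Group"
        and g["Grantee"].get("URI") in (ALL_USERS, AUTH_USERS)
        and g["Permission"] in READ_PERMS
        for g in acl.get("Grants", [])
    )


def _principal_is_wildcard(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_allows_public_read(policy):
    """True if an unconditioned Allow with a wildcard principal covers s3:GetObject (simplification)."""
    if not policy:
        return False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if any(fnmatch.fnmatchcase("s3:GetObject", a) for a in actions):
            return True
    return False


def evaluate_bucket(bucket):
    """Return a Config-style evaluation for one bucket snapshot."""
    pab = bucket.get("PublicAccessBlockConfiguration", {})  # absent config == all four settings off
    reasons = []
    if acl_allows_public_read(bucket["Acl"]) and not pab.get("IgnorePublicAcls", False):
        reasons.append("ACL grants public READ and IgnorePublicAcls is off")
    if policy_allows_public_read(bucket.get("Policy")) and not pab.get("RestrictPublicBuckets", False):
        reasons.append("bucket policy allows public s3:GetObject and RestrictPublicBuckets is off")
    return {
        "ComplianceResourceType": "AWS::S3::Bucket",
        "ComplianceResourceId": bucket["Name"],
        "ComplianceType": "NON_COMPLIANT" if reasons else "COMPLIANT",
        "Annotation": "; ".join(reasons) or "no public read path",
    }


def evaluate_account(buckets):
    return [evaluate_bucket(b) for b in buckets]


def noncompliant_names(evaluations):
    """The list an aggregate notification to the admins would carry."""
    return [e["ComplianceResourceId"] for e in evaluations if e["ComplianceType"] == "NON_COMPLIANT"]


# Constructed snapshots for a hypothetical member account.
OWNER = {"Type": "CanonicalUser", "ID": "owner-canonical-id"}
SAMPLE_BUCKETS = [
    {"Name": "twtech-logs",
     "Acl": {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]},
     "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                        "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
    {"Name": "twtech-legacy-public",  # pre-dates the guardrail: public ACL, no Block Public Access
     "Acl": {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"},
                        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}},
    {"Name": "twtech-website",
     "Acl": {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]},
     "Policy": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                               "Resource": "arn:aws:s3:::twtech-website/*"}]},
     "PublicAccessBlockConfiguration": {"RestrictPublicBuckets": False}},
    {"Name": "twtech-ignored-acl",  # public ACL present but neutralised by IgnorePublicAcls
     "Acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
     "PublicAccessBlockConfiguration": {"IgnorePublicAcls": True, "RestrictPublicBuckets": True}},
]

if __name__ == "__main__":
    for e in evaluate_account(SAMPLE_BUCKETS):
        print(f"{e['ComplianceResourceId']:22} {e['ComplianceType']:14} {e['Annotation']}")
```

The twtech-ignored-acl case is the one worth noticing: the ACL is public on paper, but Block Public Access neutralises it, so the rule (and this model of it) reports COMPLIANT. The same dictionaries are what a custom Config rule's Lambda would hand to PutEvaluations.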

 Architecture Diagram and Guardrail Enforcement Flow

 [Diagram not reproduced in this text version: OU with SCP attached, member accounts with Config rules, compliance aggregated to the Audit account and shown in the Control Tower Dashboard.]

 Guardrail Compliance & Drift Detection

    • The AWS Control Tower Dashboard shows compliance state by OU.
    • It detects drift, i.e., when resources or governance settings deviate from the landing zone baseline.
    • Supports remediation via:
      • Automatic remediation actions (e.g., AWS Config remediation actions backed by Systems Manager Automation documents)
      • Manual intervention guided by compliance reports

Sample of "Disallow Public Access to S3 Buckets"

Preventive:

    • An SCP denies any attempt to set the public-read or public-read-write canned ACLs (condition key s3:x-amz-acl) in member accounts.

Detective:

    • An AWS Config rule (s3-bucket-public-read-prohibited) evaluates every S3 bucket on configuration change and on a schedule.
    • The Config rule flags any existing public bucket as NON_COMPLIANT and notifies twtech-admins.

Result

  • twtech users can no longer make a bucket public. Buckets that were already public before the guardrail was enabled are not changed by the SCP, but the detective rule flags them and twtech gets alerted, so legacy drift is found even though it is not blocked.
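How the preventive half of this sample, and the "SCP Path" described under the hood, actually decide a request, as an added example (not code from this page and not Control Tower's managed policy documents): two hand-written SCPs in the shape AWS Organizations accepts, the S3 public-ACL deny from this sample and a Region deny with the global-service NotAction exemption, plus a small evaluator for the subset of the policy language they use (Effect=Deny, Action/NotAction wildcards, Resource, StringEquals and StringNotEquals). The evaluator also encodes the two rules practitioners most often trip over: an SCP Deny is final even when IAM allows, and SCPs never restrict the management account. Account IDs and the bucket ARN are placeholders.

```python
"""Simulation of how an SCP-backed preventive guardrail is evaluated.

Added example. The policies are hand-written in the shape AWS Organizations
accepts (not Control Tower's managed documents), and the evaluator models only
the subset of the IAM policy language they need. Account IDs are placeholders.
"""
import fnmatch

MANAGEMENT_ACCOUNT = "111111111111"  # hypothetical management account
MEMBER_ACCOUNT = "222222222222"      # hypothetical account in the governed OU

# Preventive guardrail for the S3 sample: deny the canned ACLs that make data public.
DENY_PUBLIC_S3_ACL_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyPublicCannedAcls",
        "Effect": "Deny",
        "Action": ["s3:CreateBucket", "s3:PutBucketAcl", "s3:PutObjectAcl"],
        "Resource": "*",
        "Condition": {"StringEquals": {"s3:x-amz-acl": ["public-read", "public-read-write"]}},
    }],
}

# Region deny guardrail: deny everything outside the governed Regions, except
# global services, which are exempted with NotAction.
REGION_DENY_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUngovernedRegions",
        "Effect": "Deny",
        "NotAction": ["iam:*", "organizations:*", "sts:*", "route53:*", "cloudfront:*", "support:*"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "eu-west-1"]}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style wildcard match ('*' and '?'), case-sensitive."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_met(condition, ctx):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual, expected = ctx.get(key), _as_list(expected)
            if operator == "StringEquals":
                if actual not in expected:      # a missing key never equals
                    return False
            elif operator == "StringNotEquals":
                if actual in expected:          # a missing key counts as not-equal
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def _statement_applies(stmt, action, resource, ctx):
    if "Action" in stmt and not _matches(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _matches(stmt["NotAction"], action):
        return False
    if not _matches(stmt.get("Resource", "*"), resource):
        return False
    return _condition_met(stmt.get("Condition", {}), ctx)


def scp_denies(policies, action, resource, ctx):
    """Return the Sid of the first Deny statement matching the request, else None."""
    for policy in policies:
        for stmt in policy["Statement"]:
            if stmt["Effect"] == "Deny" and _statement_applies(stmt, action, resource, ctx):
                return stmt.get("Sid", "<unnamed>")
    return None


def authorize(account_id, iam_allows, ou_scps, action, resource, ctx):
    """Combine the OU's SCPs with the principal's own IAM decision.

    SCPs never restrict the management account. For a member account an SCP
    Deny is final even if IAM allows; otherwise the IAM decision stands.
    """
    if account_id != MANAGEMENT_ACCOUNT:
        sid = scp_denies(ou_scps, action, resource, ctx)
        if sid:
            return "DENY", f"SCP {sid}"
    return ("ALLOW", "IAM allow") if iam_allows else ("DENY", "IAM implicit deny")


if __name__ == "__main__":
    scps = [DENY_PUBLIC_S3_ACL_SCP, REGION_DENY_SCP]
    bucket = "arn:aws:s3:::twtech-data"
    us = {"aws:RequestedRegion": "us-east-1"}
    for label, args in [
        ("public-read ACL, member account", (MEMBER_ACCOUNT, True, scps, "s3:PutBucketAcl", bucket, {"s3:x-amz-acl": "public-read", **us})),
        ("private ACL, member account", (MEMBER_ACCOUNT, True, scps, "s3:PutBucketAcl", bucket, {"s3:x-amz-acl": "private", **us})),
        ("EC2 in an ungoverned Region", (MEMBER_ACCOUNT, True, scps, "ec2:RunInstances", "*", {"aws:RequestedRegion": "ap-southeast-2"})),
        ("IAM (global) from that Region", (MEMBER_ACCOUNT, True, scps, "iam:CreateUser", "*", {"aws:RequestedRegion": "ap-southeast-2"})),
        ("public-read ACL, management account", (MANAGEMENT_ACCOUNT, True, scps, "s3:PutBucketAcl", bucket, {"s3:x-amz-acl": "public-read", **us})),
    ]:
        print(f"{label:36} -> {authorize(*args)}")
```

The management-account case is the reason Control Tower tells you to keep day-to-day work out of that account: the same request a member account cannot make goes through there untouched. Note also that an SCP Deny says nothing about buckets that are already public; that is the detective rule's job.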

 Guardrail Lifecycle

    1. Enabled at the OU level (via the AWS Control Tower console or the EnableControl API)
    2. Automatically deployed across all accounts in the OU (SCP attachment for preventive controls; StackSet deployment of Config rules or CloudFormation hooks for detective and proactive controls)
    3. Continuously monitored
    4. Findings displayed in the Control Tower Dashboard
    5. Drift managed via Control Tower's drift detection, with a re-register or reset of the OU or landing zone where Control Tower asks for it

 Monitoring Guardrails (Use cases):

    • AWS Control Tower Dashboard: centralized compliance visibility by OU and account
    • AWS Config Aggregator (Control Tower maintains one in the Audit account): compliance overview across accounts and Regions
    • Amazon CloudWatch + SNS: notification of noncompliant events to on-call or ticketing
    • AWS Security Hub: integrated compliance and threat insights

Table for Benefits of Guardrails & Description

  • Automated Governance
    Enforces policies across all accounts without manual intervention.
  • Scalable Compliance
    Apply once at the OU level, scale to dozens or hundreds of accounts.
  • Continuous Monitoring
    Detective guardrails ensure ongoing compliance.
  • Central Visibility
    Unified dashboard to track guardrail status and drift.
  • Alignment with Best Practices
    Built on AWS Well-Architected and CIS Benchmark principles.

 Limitations & Considerations

    • Guardrails are only available for OUs registered with (managed by) AWS Control Tower.
    • Some advanced use cases require custom SCPs or Config Rules outside the control catalog.
    • Drift correction may require manual steps if customizations conflict with Control Tower baselines.
    • Detective and proactive guardrails are region-specific: their Config rules and hooks are deployed only into the Regions the landing zone governs, so resources in ungoverned Regions are not evaluated. Preventive guardrails (SCPs) are not regional; they apply to every API call a member account makes.
    • twtech must therefore keep the list of governed Regions in step with where workloads run, or pair it with the Region deny control so that ungoverned Regions cannot be used at all.

