Cloud Governance: Achieving Compliance and Security through Comprehensive Controls Management

In my earlier blog on AWS Control Tower Security, I discussed implementing security measures in an AWS Control Tower managed environment. One of the topics I covered was compliance validation. Building on that, in this blog I will take a deep dive into how AWS Control Tower provides compliance and governance at scale using Comprehensive Controls Management (CCM).

On Nov 28, 2022, AWS added a new feature to the AWS Control Tower toolkit, called Comprehensive Controls Management (CCM), which has significantly improved the governance capabilities of AWS Control Tower. With CCM, you can apply managed preventive, detective, and proactive controls to accounts and organizational units (OUs) based on the service, control objective, or compliance framework you choose. The best part is that AWS Control Tower handles the mapping between these elements for you, saving you valuable time and effort.

Building, configuring, and deploying application workloads in a secure multi-account environment is a task in itself; the true challenge is guaranteeing that these workloads meet industry-standard compliance requirements such as PCI DSS, NIST, and others. This challenge becomes even more daunting when you are responsible for thousands of mission-critical application workloads in a multi-account environment.

CCM gives you confidence that the workloads you run on AWS are compliant by providing continuous visibility. It takes on the burden of mapping controls to control objectives and compliance frameworks, which significantly reduces the time customers (such as banks) need before they can start using a new AWS service.

Let’s see how it works in practice.

Managing Controls Effectively with AWS Control Tower

In the AWS Control Tower console, the Control Library section is where the mapping of controls (guardrails) to control objectives and compliance frameworks is managed. The control (guardrail) is the fundamental building block of Comprehensive Controls Management (CCM). At the time of writing this blog, AWS provides 399 controls (also known as guardrails).

A control (also known as a guardrail) is a high-level rule that provides ongoing governance for your overall AWS environment. It’s expressed in plain language.

Controls are of three types, preventive, detective, and proactive, and they are categorized as mandatory, strongly recommended, or elective.

Preventive controls are put in place to stop certain actions from happening. An example of this is the elective control called “Disallow Changes to Bucket Policy for Amazon S3 Buckets” (previously known as “Disallow Policy Changes to Log Archive”). It prevents any changes to the IAM policy within the log archive shared account. If someone tries to take a prohibited action, it will be denied and recorded in CloudTrail. The resource will also be logged in AWS Config.

Detective controls are designed to identify particular events as they happen and then record these actions in CloudTrail. As an example, there’s a highly recommended control named “Detect Whether Encryption is Enabled for Amazon EBS Volumes Attached to Amazon EC2 Instances.” This control’s purpose is to identify if an EC2 instance within your landing zone has an unencrypted Amazon EBS volume attached to it.

Proactive controls verify whether resources adhere to your company’s policies and objectives before they are provisioned in your accounts. If the resources fail to meet compliance requirements, they are not provisioned. These proactive controls continuously check the resources that would be deployed in your accounts through AWS CloudFormation templates.
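To make the detective behaviour concrete, here is an added example (not code from the original post or from AWS) that emulates the evaluation logic of the detective control “Detect Whether Encryption is Enabled for Amazon EBS Volumes Attached to Amazon EC2 Instances” over a constructed sample shaped like the EC2 DescribeVolumes response. In Control Tower the real control is evaluated by AWS Config; this only shows the decision rule (attached volumes in scope, unencrypted ones flagged) and the shape of the finding that a notification would carry. The sample volume and instance IDs are made up.

```python
# Added example, not code from the original post or from AWS. It emulates the
# evaluation logic of the detective control "Detect Whether Encryption is Enabled
# for Amazon EBS Volumes Attached to Amazon EC2 Instances" over a constructed
# sample shaped like the EC2 DescribeVolumes response. In Control Tower the
# control itself is evaluated by AWS Config; this only shows the decision rule
# and how a non-compliant finding would be reported.
from __future__ import annotations
from typing import Iterable

# Constructed sample input (not real account data).
SAMPLE_VOLUMES: list[dict] = [
    {"VolumeId": "vol-0aaa111", "Encrypted": True,
     "Attachments": [{"InstanceId": "i-0aaa", "State": "attached"}]},
    {"VolumeId": "vol-0bbb222", "Encrypted": False,
     "Attachments": [{"InstanceId": "i-0bbb", "State": "attached"}]},
    {"VolumeId": "vol-0ccc333", "Encrypted": False,
     "Attachments": []},  # unattached: the control only looks at attached volumes
]


def is_attached(volume: dict) -> bool:
    """A volume is in scope when it has at least one attachment to an instance."""
    return any(a.get("State") == "attached" for a in volume.get("Attachments", []))


def evaluate_ebs_encryption(volumes: Iterable[dict]) -> list[dict]:
    """Return one evaluation per in-scope volume, mirroring AWS Config's
    COMPLIANT / NON_COMPLIANT verdicts."""
    evaluations = []
    for v in volumes:
        if not is_attached(v):
            continue  # detective control scope: attached volumes only
        compliant = v.get("Encrypted") is True
        evaluations.append({
            "ResourceType": "AWS::EC2::Volume",
            "ResourceId": v["VolumeId"],
            "InstanceIds": [a["InstanceId"] for a in v["Attachments"]],
            "ComplianceType": "COMPLIANT" if compliant else "NON_COMPLIANT",
            "Annotation": None if compliant else "Attached EBS volume is not encrypted",
        })
    return evaluations


def non_compliant_volume_ids(volumes: Iterable[dict]) -> list[str]:
    """The IDs a notification from the audit account would need to carry."""
    return [e["ResourceId"] for e in evaluate_ebs_encryption(volumes)
            if e["ComplianceType"] == "NON_COMPLIANT"]


if __name__ == "__main__":
    for e in evaluate_ebs_encryption(SAMPLE_VOLUMES):
        print(e["ResourceId"], e["ComplianceType"])
    # prints: vol-0aaa111 COMPLIANT, then vol-0bbb222 NON_COMPLIANT
```

Note that the unattached volume is skipped rather than reported: a detective control only records what is in its stated scope, so an unencrypted but detached volume would not appear in this finding and would need a different control to catch it.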

An example: a new type of proactive control (also known as a guardrail) implemented using AWS CloudFormation Hooks

In the AWS Control Tower console, controls are grouped by control objectives, AWS services, and frameworks. Categories are groups of AWS-managed controls that help you achieve compliance for your environment.

A control objective is a target to be achieved by implementing controls and configurations in your AWS Control Tower environment.

In other words, a control objective is a high-level, conceptual objective that usually requires a group of controls working together.

The controls library provides a set of predefined controls for common control objectives.

The Services category has sets of controls that help establish, monitor, and verify the effectiveness of an AWS service. AWS services manage these controls.

AWS experts define these controls and perform threat model assessments to examine whether the APIs and resources meet the compliance and regulatory requirements for each service. A control can be mapped to more than one service.

  • For controls associated with one service, the service name is displayed in the Service field.

  • For controls with an application or configuration that affects a larger group of services, the term Multiple is displayed as a service name. For example, the control Deny access to AWS based on the requested AWS Region is shown with the term Multiple as the service, because it affects many services in your AWS Control Tower environment.

Frameworks are sets of controls that adhere to industry-specific compliance requirements. AWS services manage these controls.

The controls in each framework are defined by AWS experts who follow best-practice procedures and guidelines for managing risk. They establish configurations that AWS Control Tower manages on your behalf.

When you navigate to a selected control’s page, you will find comprehensive details about the control: its name, the control objective it falls under, the service and framework it is mapped to, and its behavior, which can be preventive, detective, or proactive.

An example: a proactive control implemented using a CloudFormation Guard rule and Hooks

From here, you can enable this control for your accounts at the organizational unit (OU) level.
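To show what a proactive control decides at the pre-provisioning stage, here is an added example (not code from the original post or from AWS). In Control Tower the check described above runs as a CloudFormation Hook backed by a CloudFormation Guard rule; the same pass/fail decision is expressed here in Python over a constructed CloudFormation template so it can be run offline. The template, the two encryption checks, and the hook-style SUCCESS/FAILED outcome are all assumptions made for illustration.

```python
# Added example, not code from the original post or from AWS: emulates what a
# proactive control does before resources are provisioned. In AWS Control Tower
# the real check runs as a CloudFormation Hook backed by a CloudFormation Guard
# rule; here the same decision is expressed in Python over a constructed
# template so the pass/fail logic can be run offline.
from __future__ import annotations
import json
from typing import Callable, Optional

# Constructed sample template (not from any real stack). One compliant and one
# non-compliant resource of each resource type the checks below cover.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "GoodVolume": {"Type": "AWS::EC2::Volume",
                       "Properties": {"AvailabilityZone": "us-east-1a", "Size": 8,
                                      "Encrypted": True}},
        "BadVolume": {"Type": "AWS::EC2::Volume",
                      "Properties": {"AvailabilityZone": "us-east-1a", "Size": 8}},
        "GoodBucket": {"Type": "AWS::S3::Bucket",
                       "Properties": {"BucketEncryption": {
                           "ServerSideEncryptionConfiguration": [
                               {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}},
        "BadBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    },
})


def check_volume_encrypted(logical_id: str, props: dict) -> Optional[str]:
    """Hypothetical rule: every EBS volume in the template must be encrypted."""
    if props.get("Encrypted") is not True:
        return f"{logical_id}: AWS::EC2::Volume must set Encrypted: true"
    return None


def check_bucket_encryption(logical_id: str, props: dict) -> Optional[str]:
    """Hypothetical rule: every S3 bucket must declare default encryption."""
    cfg = props.get("BucketEncryption", {}).get("ServerSideEncryptionConfiguration", [])
    if not cfg:
        return f"{logical_id}: AWS::S3::Bucket must declare BucketEncryption"
    return None


# Resource type -> check, the Python stand-in for a set of Guard rules.
CHECKS: dict[str, Callable[[str, dict], Optional[str]]] = {
    "AWS::EC2::Volume": check_volume_encrypted,
    "AWS::S3::Bucket": check_bucket_encryption,
}


def evaluate_template(template_json: str) -> list[str]:
    """Walk every resource in the template and collect rule violations."""
    template = json.loads(template_json)
    violations: list[str] = []
    for logical_id, resource in template.get("Resources", {}).items():
        check = CHECKS.get(resource.get("Type", ""))
        if check is None:
            continue  # no proactive rule for this resource type
        msg = check(logical_id, resource.get("Properties") or {})
        if msg:
            violations.append(msg)
    return violations


def hook_decision(template_json: str) -> str:
    """Mimic a CloudFormation Hook outcome: FAILED blocks the stack operation,
    so none of the resources get provisioned; SUCCESS lets it proceed."""
    return "FAILED" if evaluate_template(template_json) else "SUCCESS"


if __name__ == "__main__":
    for v in evaluate_template(SAMPLE_TEMPLATE):
        print("violation:", v)
    print("hook decision:", hook_decision(SAMPLE_TEMPLATE))  # prints FAILED
```

The important difference from the detective example is the timing: the whole stack operation is refused while any resource in the template violates a rule, so a non-compliant volume or bucket never exists in the account and there is nothing to remediate afterwards.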

Wrap Up!

In this blog, we discussed the new feature called Comprehensive Controls Management (CCM), which complements the AWS Control Tower service by enhancing its governance capabilities. With Comprehensive Controls Management, customers can apply managed preventive, detective, and proactive controls to accounts and organizational units, saving time and effort through automated control mapping. We also emphasized the challenges of ensuring industry-standard compliance for mission-critical application workloads in a multi-account environment. Comprehensive Controls Management (CCM) addresses these concerns by providing continuous visibility and control, boosting confidence in AWS workloads’ compliance.


In this video, I’ve showcased the deployment of predefined controls in an AWS Control Tower managed multi-account environment. I demonstrate how effortlessly Control Tower identifies and notifies you of the creation of a non-compliant resource within one of the AWS accounts.
