AWS Control Tower launches managed controls using declarative policies
Today, we are excited to announce the general availability of managed, preventive controls implemented using declarative policies in AWS Control Tower. These policies are a set of new optional controls that help you consistently enforce the desired configuration for a service. For example, customers can deploy a declarative, policy-based preventive control that disallows public sharing of Amazon Machine Images (AMIs). Declarative policies help you ensure that the configured controls are always enforced, regardless of the introduction of new APIs or the addition of new principals or accounts.
Today, AWS Control Tower is releasing declarative, policy-based preventive controls for Amazon Elastic Compute Cloud (Amazon EC2), Amazon Virtual Private Cloud (Amazon VPC), and Amazon Elastic Block Store (Amazon EBS). These controls help you achieve control objectives such as limiting network access, enforcing least privilege, and managing vulnerabilities. AWS Control Tower’s new declarative, policy-based preventive controls complement AWS Control Tower’s existing control capabilities, enabling you to disallow actions that lead to policy violations.
The combination of preventive, proactive, and detective controls helps you monitor whether your multi-account AWS environment is secure and managed in accordance with best practices. For a full list of AWS regions where AWS Control Tower is available, see AWS Region Table.