Centralized Management of Proactive Controls in AWS Control Tower for SOC 2 Certification

1

I have been working with AWS Control Tower and am interested in managing proactive controls for my multiple AWS accounts as part of our SOC 2 certification efforts. While exploring CloudFormation hooks for governance, I found them unsuitable for my needs.

I am looking for a centralized configuration tool or solution to enable proactive controls across all my accounts. Additionally, I would like a template that ensures these proactive controls, such as managing S3 bucket public access, EFS encryption, IAM policies for users, and two-factor authentication setup, are automatically enabled when creating new accounts under AWS Control Tower.

What are the best practices, tools, or approaches available to achieve this centralized management? Any insights or recommendations would be greatly appreciated!

1 Answer
1

I explained all 3 types of controls (Detective, Preventive and Proactive) in my blog post here https://medium.com/@oleksii.bebych/control-tower-guardrails-overview-preventive-detective-and-proactive-d99d847b811d

Proactive controls check resources whenever those resources are created or updated by means of AWS CloudFormation stack operations.

So they make sense only if you are actively using CloudFormation as IaC tool

When you enable a Control for an Organizational Unit, it will be automatically enabled for a new AWS account within this OU

profile picture
EXPERT
answered 2 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions