AWS Control Tower launches managed controls using declarative policies

Posted on: Dec 1, 2024

Today, we are excited to announce the general availability of managed, preventive controls implemented using declarative policies in AWS Control Tower. These policies are a set of new optional controls that help you consistently enforce the desired configuration for a service. For example, customers can deploy a declarative, policy-based preventive control that disallows public sharing of Amazon Machine Images (AMIs). Because a declarative policy expresses the desired service configuration rather than a list of API actions to deny, the configured controls remain enforced even when new APIs are introduced or when new principals or accounts are added.

Today, AWS Control Tower is releasing declarative, policy-based preventive controls for the Amazon Elastic Compute Cloud (Amazon EC2) service, Amazon Virtual Private Cloud (Amazon VPC), and Amazon Elastic Block Store (Amazon EBS). These controls help you achieve control objectives such as limiting network access, enforcing least privilege, and managing vulnerabilities. AWS Control Tower’s new declarative, policy-based preventive controls complement its existing control capabilities, enabling you to disallow actions that would lead to policy violations.

The combination of preventive, proactive, and detective controls helps you monitor whether your multi-account AWS environment is secure and managed in accordance with best practices. For a full list of AWS regions where AWS Control Tower is available, see AWS Region Table.