# Digital sovereignty controls Digital sovereignty group *Digital sovereignty* means control over digital assets. AWS Control Tower offers a group of controls that are designed to enhance your digital sovereignty governance posture. The pillars of this posture are as follows: + *Data residency:* Control over the location of your data. For more information, see [Controls that enhance data residency protection](data-residency-controls.md). + *Granular access:* Access restrictions that limit all access to your data, unless the access is requested by you, or by a partner whom you trust. For more information, see [Region deny control applied to the OU](ou-region-deny.md). + *Encryption:* Features and controls that help you encrypt data, whether in transit, at rest, or in memory. For example, see the control [CT.APPSYNC.PR.5: Require an AWS AppSync GraphQL API cache to have encryption at rest enabled](https://docs.aws.amazon.com//controltower/latest/controlreference/appsync-rules.html#ct-appsync-pr-5-description). + *Resiliency:* Ability to sustain operations through disruption or disconnection, which is essential in the case of events such as supply chain disruption, network interruption, and natural disaster. For example see the control [CT.NETWORK-FIREWALL.PR.5: Require an AWS Network Firewall firewall to be deployed across multiple Availability Zones](https://docs.aws.amazon.com//controltower/latest/controlreference/network-firewall-rules.html#network-firewall-pr-5-description). You can read more about digital sovereignty and AWS in the blog: [AWS Digital Sovereignty Pledge: Control without compromise.](https://aws.amazon.com//blogs/security/aws-digital-sovereignty-pledge-control-without-compromise/) **The Data residency subgroup** Although the digital sovereignty group is primarily a group of preventive controls, it includes *preventive* and *detective* controls in the **Data residency** subgroup. # Deny access to AWS based on the requested AWS Region Landing zone region deny *This control is commonly referred to as the Region deny control, or *landing zone* Region deny control.* This control disallows access to unlisted operations in global and regional services outside of the specified Regions. That includes all Regions where AWS Control Tower is not available, as well as all Regions not selected for governance in the **Landing zone settings** page. Actions are allowed as usual in Regions with **Governed** status. You may wish to review the information at [Configure the Region deny control](https://docs.aws.amazon.com//controltower/latest/userguide/region-deny.html) in the *AWS Control Tower User Guide* before you enable this control. **Note** Certain global AWS services, such as AWS Identity and Access Management (IAM) and AWS Organizations, are exempt from data residency controls. Those services are specified in the SCP example code that follows. This is an elective control with preventive guidance. It is the top-level control associated with the **Region deny** action. The format for this control is based on the following SCP. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "GRREGIONDENY", "Effect": "Deny", "NotAction": [ "a4b:*", "access-analyzer:*", "account:*", "acm:*", "activate:*", "artifact:*", "aws-marketplace-management:*", "aws-marketplace:*", "aws-portal:*", "billing:*", "billingconductor:*", "budgets:*", "ce:*", "chatbot:*", "chime:*", "cloudfront:*", "cloudtrail:LookupEvents", "compute-optimizer:*", "config:*", "consoleapp:*", "consolidatedbilling:*", "cur:*", "datapipeline:GetAccountLimits", "devicefarm:*", "directconnect:*", "ec2:DescribeRegions", "ec2:DescribeTransitGateways", "ec2:DescribeVpnGateways", "ecr-public:*", "fms:*", "freetier:*", "globalaccelerator:*", "health:*", "iam:*", "importexport:*", "invoicing:*", "iq:*", "kms:*", "license-manager:ListReceivedLicenses", "lightsail:Get*", "mobileanalytics:*", "networkmanager:*", "notifications-contacts:*", "notifications:*", "organizations:*", "payments:*", "pricing:*", "quicksight:DescribeAccountSubscription", "resource-explorer-2:*", "route53-recovery-cluster:*", "route53-recovery-control-config:*", "route53-recovery-readiness:*", "route53:*", "route53domains:*", "s3:CreateMultiRegionAccessPoint", "s3:DeleteMultiRegionAccessPoint", "s3:DescribeMultiRegionAccessPointOperation", "s3:GetAccountPublicAccessBlock", "s3:GetBucketLocation", "s3:GetBucketPolicyStatus", "s3:GetBucketPublicAccessBlock", "s3:GetMultiRegionAccessPoint", "s3:GetMultiRegionAccessPointPolicy", "s3:GetMultiRegionAccessPointPolicyStatus", "s3:GetStorageLensConfiguration", "s3:GetStorageLensDashboard", "s3:ListAllMyBuckets", "s3:ListMultiRegionAccessPoints", "s3:ListStorageLensConfigurations", "s3:PutAccountPublicAccessBlock", "s3:PutMultiRegionAccessPointPolicy", "savingsplans:*", "shield:*", "sso:*", "sts:*", "support:*", "supportapp:*", "supportplans:*", "sustainability:*", "tag:GetResources", "tax:*", "trustedadvisor:*", "vendor-insights:ListEntitledSecurityProfiles", "waf-regional:*", "waf:*", "wafv2:*" ], "Resource": "*", "Condition": { "StringNotEquals": { "aws:RequestedRegion": [] }, "ArnNotLike": { "aws:PrincipalARN": [ "arn:aws:iam::*:role/AWSControlTowerExecution" ] } } } ] } ``` ------ Based on this example SCP format, AWS Control Tower adds your governed Regions into the `aws:RequestedRegion` statement. You cannot exclude your home Region. Actions not listed in the SCP are not permitted. **Limitations** The OU Region deny control is subject to limitations of the [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requestedregion](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requestedregion) global condition key and [Service Control Policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) in general. # Region deny control applied to the OU Region deny for OU *This control is commonly referred to as the OU Region deny control, or the configurable Region deny control.* This control disallows access to unlisted operations in global and regional AWS services, outside of the specified Regions for an organizational unit (OU). You can apply this control to any subset of the Regions that are governed by your AWS Control Tower landing zone. You may wish to review the information at [Configure the Region deny control](https://docs.aws.amazon.com//controltower/latest/userguide/region-deny.html) before you enable this control. **Warning** If you enforce this control, the configurations for the OU can conflict with the landing zone version of this control. For more information, see the section called "Policy evaluation of SCP controls" in this chapter, and [SCP evaluation](https://docs.aws.amazon.com//organizations/latest/userguide/orgs_manage_policies_scps_evaluation.html) in the AWS Organizations documentation. **CT.MULTISERVICE.PV.1**: Deny access to AWS based on the requested AWS Region for an organizational unit **Service: **Multiple AWS services + **Control objective: **Protect configurations + **Implementation: **Service control policy (SCP) + **Control behavior: **Preventive + **Control owner: **AWS Control Tower + **Groups: **Digital sovereignty **Limitations** The OU Region deny control is subject to limitations of the [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requestedregion](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requestedregion) global condition key and [Service Control Policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) in general. **Enable this control from the console** In the AWS Control Tower console, you can view the OUs on which this control is enabled, if any, by navigating to the **Control details** page for this control. **To enable this control from the **Control details** page** 1. Select **Enable control** in the upper right 1. Select the target OU, then select **Next** to continue. 1. Select the Regions you wish to activate. You must select at least one Region. 1. You can add **NotAction** elements, IAM principals, and tags. 1. You'll be able to see a summary of your selected values before you enable the control. 1. Select **Enable control** at the lower right. ## CT.MULTISERVICE.PV.1: Deny access to AWS based on the requested AWS Region for an organizational unit The OU Region deny control, **CT.MULTISERVICE.PV.1**, is configurable. You can select specific OUs to which it applies, rather than applying it to your entire AWS Control Tower landing zone. This control accepts one or more parameters, such as **AllowedRegions**, **ExemptedPrincipalARNs**, and **ExemptedActions**, which describe operations that are allowed for accounts that are part of this OU. + **AllowedRegions**: Specifies the Regions selected, in which the OU is allowed to operate. This parameter is **mandatory**. + **ExemptedPrincipalARNs**: Specifies the IAM principals that are exempt from this control, so that they are allowed to operate certain AWS services globally. + **ExemptedActions**: Specifies actions that are exempt from this control, so that the actions are allowed. Interactions between the separate Region deny controls for the landing zone and the OU can be complicated to predict. They are predictable with the logic by which SCPs are evaluated by AWS. **Policy evaluation of SCP controls** The policy evaluation process involves checking all applicable policies, starting from the most permissive and gradually moving towards the most restrictive. Any SCP applied at the Root level will impact all accounts and OUs, unless it is overridden by a more specific policy. **Evaluation Logic**: When a request is made to perform an action (for example, launching an Amazon EC2 instance), AWS evaluates policies to determine whether the action is allowed or denied. The evaluation logic follows these rules: + *Explicit Deny Overrides All:* If any policy explicitly denies the requested action, that denial takes precedence over all other policies. + *Explicit Allow Overrides Implicit Deny:* If a policy explicitly allows the action and no higher-level policy explicitly denies it, the action is allowed. + *Inherited Allow and No Explicit Deny:* If there is no explicit allow or deny at the requested level, AWS looks at higher-level policies. If there is an inherited allow and no explicit deny, the action is allowed. + *Explicit Deny at a Higher Level:* If there's an explicit deny in a higher-level policy, but no explicit allow or deny at the requested level, the action is denied. For more information about the evaluation logic, see [SCP evaluation](https://docs.aws.amazon.com//organizations/latest/userguide/orgs_manage_policies_scps_evaluation.html) in the AWS Organizations documentation. **Note** With this control, you can allow any AWS Region at the OU level, even if your landing zone does not govern that Region, by design. We recommend that you use caution when allowing Regions that your AWS Control Tower landing zone does not govern. ### CLI Example This example shows how to enable this control, with parameters, from the CLI. ``` aws controltower enable-control \ --target-identifier arn:aws:organizations::01234567890:ou/o-EXAMPLE/ou-zzxx-zzx0zzz2 \ --control-identifier arn:aws:controltower:us-east-1::control/EXAMPLE_NAME \ --parameters '[{"key":"AllowedRegions","value":["us-east-1","us-west-2"]},{"key":"ExemptedPrincipalArns","value":["arn:aws:iam::*:role/ReadOnly","arn:aws:sts::*:assumed-role/ReadOnly/*"]},{"key":"ExemptedActions","value":["logs:DescribeLogGroups","logs:StartQuery","logs:GetQueryResults"]}]' ``` **Validating parameters** When you enter a parameter into the OU Region deny control, AWS Control Tower validates the parameter's syntax and checks it against JSON datatypes. AWS Control Tower does not make semantic validations for domain-specific correctness. This is the same approach that is followed by AWS Organizations. Parameters for this control are entered by means of a JSON schema. Here is the SCP template of an example JSON schema for the OU-level Region deny control. In the AWS Control Tower console, you can view it on the **Artifacts** tab of the **Control details** page. This short example schema shows that the **AllowedRegions**, **ExemptedActions** and **ExemptedPrincipalArns** parameters accept a list of strings. Also, you can add descriptions to the schema, or restrict allowed values to be a subset of pre-defined values, using enumerated types (`enums`). ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "CTMULTISERVICEPV1", "Effect": "Deny", "NotAction": [ {{ExemptedActions}} ... "s3:CreateMultiRegionAccessPoint", "s3:DeleteMultiRegionAccessPoint", "s3:DescribeMultiRegionAccessPointOperation", "s3:GetAccountPublicAccessBlock", "s3:GetBucketLocation" ... ], "Resource": "*", "Condition": { "StringNotEquals": { "aws:RequestedRegion": {{AllowedRegions}} }, "ArnNotLike": { "aws:PrincipalARN": [ "arn:aws:iam::*:role/AWSControlTowerExecution", {{ExemptedPrincipalARNs}} ] } } } ] } ``` The following example shows a full SCP artifact for the control. It shows the actions and principals that are exempted by default when you apply this control to an OU. Remember that **AllowedRegions** is a mandatory parameter for this control. You can view the most recent version of this SCP in the AWS Control Tower console. ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "CTMULTISERVICEPV1", "Effect": "Deny", "NotAction": [ {{ExemptedActions}} "a4b:*", "access-analyzer:*", "account:*", "acm:*", "activate:*", "artifact:*", "aws-marketplace-management:*", "aws-marketplace:*", "aws-portal:*", "billing:*", "billingconductor:*", "budgets:*", "ce:*", "chatbot:*", "chime:*", "cloudfront:*", "cloudtrail:LookupEvents", "compute-optimizer:*", "config:*", "consoleapp:*", "consolidatedbilling:*", "cur:*", "datapipeline:GetAccountLimits", "devicefarm:*", "directconnect:*", "ec2:DescribeRegions", "ec2:DescribeTransitGateways", "ec2:DescribeVpnGateways", "ecr-public:*", "fms:*", "freetier:*", "globalaccelerator:*", "health:*", "iam:*", "importexport:*", "invoicing:*", "iq:*", "kms:*", "license-manager:ListReceivedLicenses", "lightsail:Get*", "mobileanalytics:*", "networkmanager:*", "notifications-contacts:*", "notifications:*", "organizations:*", "payments:*", "pricing:*", "quicksight:DescribeAccountSubscription", "resource-explorer-2:*", "route53-recovery-cluster:*", "route53-recovery-control-config:*", "route53-recovery-readiness:*", "route53:*", "route53domains:*", "s3:CreateMultiRegionAccessPoint", "s3:DeleteMultiRegionAccessPoint", "s3:DescribeMultiRegionAccessPointOperation", "s3:GetAccountPublicAccessBlock", "s3:GetBucketLocation", "s3:GetBucketPolicyStatus", "s3:GetBucketPublicAccessBlock", "s3:GetMultiRegionAccessPoint", "s3:GetMultiRegionAccessPointPolicy", "s3:GetMultiRegionAccessPointPolicyStatus", "s3:GetStorageLensConfiguration", "s3:GetStorageLensDashboard", "s3:ListAllMyBuckets", "s3:ListMultiRegionAccessPoints", "s3:ListStorageLensConfigurations", "s3:PutAccountPublicAccessBlock", "s3:PutMultiRegionAccessPointPolicy", "savingsplans:*", "shield:*", "sso:*", "sts:*", "support:*", "supportapp:*", "supportplans:*", "sustainability:*", "tag:GetResources", "tax:*", "trustedadvisor:*", "vendor-insights:ListEntitledSecurityProfiles", "waf-regional:*", "waf:*", "wafv2:*" ], "Resource": "*", "Condition": { "StringNotEquals": { "aws:RequestedRegion": {{AllowedRegions}} }, "ArnNotLike": { "aws:PrincipalARN": [ {{ExemptedPrincipalArns}} "arn:*:iam::*:role/AWSControlTowerExecution", "arn:*:iam::*:role/aws-controltower-ConfigRecorderRole", "arn:*:iam::*:role/aws-controltower-ForwardSnsNotificationRole", "arn:*:iam::*:role/AWSControlTower_VPCFlowLogsRole" ] } } } ] } ``` # Preventive controls that assist with digital sovereignty Digital sovereignty preventive controls These preventive controls are designed to assist you with your digital sovereignty governance posture. This group of controls helps you comply with digital sovereignty regulatory requirements because they prevent actions, enforce configurations, and detect resource changes that affect data residency, granular access restriction, encryption, and resilience capabilities. + These controls are configurable. For more information about configurable controls, see [Controls with parameters](control-parameter-concepts.md). + These are optional controls with Preventive guidance, implemented with AWS service control policies (SCPs). They are not deployed on any OU by default. You can enable them through the AWS Control Tower console, or through the AWS Control Tower [APIs](https://docs.aws.amazon.com//controltower/latest/APIReference/API_Operations.html) In the AWS Control Tower console, you can view these controls together under the **Groups** tab on the **Categories** page. **Topics** + [ # [CT.APPSYNC.PV.1] Require an AWS AppSync GraphQL API to be configured with private visibility ](ct-appsync-pv-1.md) + [ # [CT.EC2.PV.1] Require an Amazon EBS snapshot to be created from an encrypted EC2 volume ](ct-ec2-pv-1.md) + [ # [CT.EC2.PV.2] Require that an attached Amazon EBS volume is configured to encrypt data at rest ](ct-ec2-pv-2.md) + [ # [CT.EC2.PV.3] Require that an Amazon EBS snapshot cannot be publicly restorable ](ct-ec2-pv-3.md) + [ # [CT.EC2.PV.4] Require that Amazon EBS direct APIs are not called ](ct-ec2-pv-4.md) + [ # [CT.EC2.PV.5] Disallow the use of Amazon EC2 VM import and export ](ct-ec2-pv-5.md) + [ # [CT.EC2.PV.6] Disallow the use of deprecated Amazon EC2 RequestSpotFleet and RequestSpotInstances API actions ](ct-ec2-pv-6.md) + [ # [CT.KMS.PV.1] Require an AWS KMS key policy to have a statement that limits creation of AWS KMS grants to AWS services ](ct-kms-pv-1.md) + [ # [CT.KMS.PV.2] Require that an AWS KMS asymmetric key with RSA key material used for encryption does not have a key length of 2048 bits ](ct-kms-pv-2.md) + [ # [CT.KMS.PV.3] Require that an AWS KMS key is configured with the bypass policy lockout safety check enabled ](ct-kms-pv-3.md) + [ # [CT.KMS.PV.4] Require that an AWS KMS customer-managed key (CMK) is configured with key material originating from AWS CloudHSM ](ct-kms-pv-4.md) + [ # [CT.KMS.PV.5] Require that an AWS KMS customer-managed key (CMK) is configured with imported key material ](ct-kms-pv-5.md) + [ # [CT.KMS.PV.6] Require that an AWS KMS customer-managed key (CMK) is configured with key material originating from an external key store (XKS) ](ct-kms-pv-6.md) + [ # [CT.LAMBDA.PV.1] Require an AWS Lambda function URL to use AWS IAM-based authentication ](ct-lambda-pv-1.md) + [ # [CT.LAMBDA.PV.2] Require an AWS Lambda function or AWS Lambda function URL to be configured for access only to principals within your AWS account ](ct-lambda-pv-2.md) # [CT.APPSYNC.PV.1] Require an AWS AppSync GraphQL API to be configured with private visibility CT.APPSYNC.PV.1 This control disallows creation of public AWS AppSync APIs by requiring APIs to be configured with private visibility. This is a preventive control with elective guidance based on service control policies (SCPs). By default, this control is not enabled. You can enable this control through the AWS Control Tower console, or though the AWS Control Tower APIs. **AWS service: **AWS AppSync **Control metadata** + **Control objective: **Limit network access + **Implementation: **Service control policy (SCP) + **Control behavior: **Preventive + **Control owner: **AWS Control Tower + **Control groups: **digital-sovereignty + **Resource types: **`AWS::AppSync::GraphQLApi` **Usage considerations** This control requires AppSync GraphQL APIs to be created with a private API configuration to ensure that the API is accessible only from a VPC. This control supports configuration. It contains elements that are included by AWS Control Tower conditionally, based on the configuration you select. This control supports the following configuration parameters: **ExemptedPrincipalArns**. For more information, see [Configure controls with parameters](https://docs.aws.amazon.com//controltower/latest/controlreference/control-parameter-concepts.html). The artifact for this control is the following service control policy (SCP). ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "CTAPPSYNCPV1", "Effect": "Deny", "Action": "appsync:CreateGraphqlApi", "Resource": "*", "Condition": { "StringNotEquals": { "appsync:Visibility": "PRIVATE" }{% if ExemptedPrincipalArns %}, "ArnNotLike": { "aws:PrincipalArn": {{ExemptedPrincipalArns}} }{% endif %} } } ] } ``` # [CT.EC2.PV.1] Require an Amazon EBS snapshot to be created from an encrypted EC2 volume CT.EC2.PV.1 This control disallows creation of new snapshots that are based on unencrypted EBS volumes. This is a preventive control with elective guidance based on service control policies (SCPs). By default, this control is not enabled. You can enable this control through the AWS Control Tower console, or though the AWS Control Tower APIs. **AWS service: **Amazon EC2 **Control metadata** + **Control objective: **Encrypt data at rest + **Implementation: **Service control policy (SCP) + **Control behavior: **Preventive + **Control owner: **AWS Control Tower + **Control groups: **digital-sovereignty + **Resource types: **`AWS::::Account` **Usage considerations** This control does not prevent creation of unencrypted EBS snapshots that are created by means of the `CopySnapshot` operation. AWS Control Tower recommends that you enable EBS encryption by default, so that encryption is applied to copies of unencrypted snapshots. See [Encryption scenarios](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-examples) in the *Amazon EC2 User Guide for Linux Instances* for more information. This control supports configuration. It contains elements that are included by AWS Control Tower conditionally, based on the configuration you select. This control supports the following configuration parameters: **ExemptedPrincipalArns**. For more information, see [Configure controls with parameters](https://docs.aws.amazon.com//controltower/latest/controlreference/control-parameter-concepts.html). The artifact for this control is the following service control policy (SCP). ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "CTEC2PV1", "Effect": "Deny", "Action": [ "ec2:CreateSnapshot", "ec2:CreateSnapshots" ], "Resource": "arn:*:ec2:*:*:volume/*", "Condition": { "Bool": { "ec2:Encrypted": "false" }{% if ExemptedPrincipalArns %}, "ArnNotLike": { "aws:PrincipalArn": {{ExemptedPrincipalArns}} }{% endif %} } } ] } ``` # [CT.EC2.PV.2] Require that an attached Amazon EBS volume is configured to encrypt data at rest CT.EC2.PV.2 This control disallows attaching an unencrypted EBS volume to a running or stopped EC2 instance. This is a preventive control with elective guidance based on service control policies (SCPs). By default, this control is not enabled. You can enable this control through the AWS Control Tower console, or though the AWS Control Tower APIs. **AWS service: **Amazon EC2 **Control metadata** + **Control objective: **Encrypt data at rest + **Implementation: **Service control policy (SCP) + **Control behavior: **Preventive + **Control owner: **AWS Control Tower + **Control groups: **digital-sovereignty + **Resource types: **`AWS::EC2::Volume` **Usage considerations** This control does not prevent replacing an EBS-backed root volume for a running instance with an unencrypted volume, by means of the `CreateReplaceRootVolumeTask` operation. AWS Control Tower recommends that you enable EBS encryption by default. For information about EBS encryption by default, see [Encryption by default](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default) in the *Amazon EC2 User Guide for Linux Instances*. This control supports configuration. It contains elements that are included by AWS Control Tower conditionally, based on the configuration you select. This control supports the following configuration parameters: **ExemptedPrincipalArns**. For more information, see [Configure controls with parameters](https://docs.aws.amazon.com//controltower/latest/controlreference/control-parameter-concepts.html). The artifact for this control is the following service control policy (SCP). ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "CTEC2PV2", "Effect": "Deny", "Action": "ec2:AttachVolume", "Resource": "arn:*:ec2:*:*:volume/*", "Condition": { "Bool": { "ec2:Encrypted": "false" }{% if ExemptedPrincipalArns %}, "ArnNotLike": { "aws:PrincipalArn": {{ExemptedPrincipalArns}} }{% endif %} } } ] } ``` # [CT.EC2.PV.3] Require that an Amazon EBS snapshot cannot be publicly restorable CT.EC2.PV.3 This control disallows sharing of an EBS snapshot with all AWS accounts. This is a preventive control with elective guidance based on service control policies (SCPs). By default, this control is not enabled. You can enable this control through the AWS Control Tower console, or though the AWS Control Tower APIs. **AWS service: **Amazon EC2 **Control metadata** + **Control objective: **Enforce least privilege + **Implementation: **Service control policy (SCP) + **Control behavior: **Preventive + **Control owner: **AWS Control Tower + **Control groups: **digital-sovereignty + **Resource types: **`AWS::::Account` **Usage considerations** This control prevents unencrypted EBS snapshots from being made public, by disallowing sharing of EBS snapshots with all AWS accounts. Encrypted snapshots and snapshots with AWS Marketplace product codes cannot be made public. To prevent the public sharing of snapshots, AWS Control Tower recommends enabling block public access for snapshots. For more information, see [Block public access for snapshots](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/block-public-access-snapshots.html) in the *Amazon EC2 User Guide for Linux Instances*. This control supports configuration. It contains elements that are included by AWS Control Tower conditionally, based on the configuration you select. This control supports the following configuration parameters: **ExemptedPrincipalArns**. For more information, see [Configure controls with parameters](https://docs.aws.amazon.com//controltower/latest/controlreference/control-parameter-concepts.html). The artifact for this control is the following service control policy (SCP). ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "CTEC2PV3", "Effect": "Deny", "Action": "ec2:ModifySnapshotAttribute", "Resource": "arn:*:ec2:*::snapshot/*", "Condition": { "StringEquals": { "ec2:Add/group": "all" }{% if ExemptedPrincipalArns %}, "ArnNotLike": { "aws:PrincipalArn": {{ExemptedPrincipalArns}} }{% endif %} } } ] } ``` # [CT.EC2.PV.4] Require that Amazon EBS direct APIs are not called CT.EC2.PV.4 This control disallows usage of all EBS direct APIs. This is a preventive control with elective guidance based on service control policies (SCPs). By default, this control is not enabled. You can enable this control through the AWS Control Tower console, or though the AWS Control Tower APIs. **AWS service: **Amazon EC2 **Control metadata** + **Control objective: **Enforce least privilege + **Implementation: **Service control policy (SCP) + **Control behavior: **Preventive + **Control owner: **AWS Control Tower + **Control groups: **digital-sovereignty + **Resource types: **`AWS::::Account` **Usage considerations** Do not enable this control if you use EBS direct APIs, either directly or through an AWS Backup partner product. This control supports configuration. It contains elements that are included by AWS Control Tower conditionally, based on the configuration you select. This control supports the following configuration parameters: **ExemptedPrincipalArns**. For more information, see [Configure controls with parameters](https://docs.aws.amazon.com//controltower/latest/controlreference/control-parameter-concepts.html). The artifact for this control is the following service control policy (SCP). ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "CTEC2PV4", "Effect": "Deny", "Action": "ebs:*", "Resource": "*"{% if ExemptedPrincipalArns %}, "Condition": { "ArnNotLike": { "aws:PrincipalArn": {{ExemptedPrincipalArns}} } }{% endif %} } ] } ``` # [CT.EC2.PV.5] Disallow the use of Amazon EC2 VM import and export CT.EC2.PV.5 This control disallows use of EC2 VM Import/Export APIs that can be used to import and export EC2 instance, snapshot, image and volume data. This is a preventive control with elective guidance based on service control policies (SCPs). By default, this control is not enabled. You can enable this control through the AWS Control Tower console, or though the AWS Control Tower APIs. **AWS service: **Amazon EC2 **Control metadata** + **Control objective: **Enforce least privilege, Protect configurations + **Implementation: **Service control policy (SCP) + **Control behavior: **Preventive + **Control owner: **AWS Control Tower + **Control groups: **digital-sovereignty + **Resource types: **`AWS::::Account` **Usage considerations** This control disallows the use of VM Import/Export APIs that can be used to import and export EC2 image, snapshot, instance and volume data. If you need to use VM Import/Export functionality, do not enable this control. This control does not prevent cancelling existing VM Import/Export import, export or conversion tasks. The artifact for this control is the following service control policy (SCP). ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "CTEC2PV5", "Effect": "Deny", "Action": [ "ec2:CreateInstanceExportTask", "ec2:ExportImage", "ec2:ImportImage", "ec2:ImportSnapshot", "ec2:ImportInstance", "ec2:ImportVolume" ], "Resource": "*"{% if ExemptedPrincipalArns %}, "Condition": { "ArnNotLike": { "aws:PrincipalArn": {{ExemptedPrincipalArns}} } }{% endif %} } ] } ``` # [CT.EC2.PV.6] Disallow the use of deprecated Amazon EC2 RequestSpotFleet and RequestSpotInstances API actions CT.EC2.PV.6 This control disallows usage of EC2 `RequestSpotFleet` and `RequestSpotInstances` APIs, because they are legacy APIs with no planned investment. This is a preventive control with elective guidance based on service control policies (SCPs). By default, this control is not enabled. You can enable this control through the AWS Control Tower console, or though the AWS Control Tower APIs. **AWS service: **Amazon EC2 **Control metadata** + **Control objective: **Enforce least privilege, Protect configurations + **Implementation: **Service control policy (SCP) + **Control behavior: **Preventive + **Control owner: **AWS Control Tower + **Control groups: **digital-sovereignty + **Resource types: **`AWS::EC2::SpotFleet` **Usage considerations** This control denies `ec2:RequestSpotFleet` and `ec2:RequestSpotInstances` actions for all IAM principals. If you need to use these actions, do not enable this control. This control does not prevent cancelling or modifying an existing spot fleet or spot instance request. The artifact for this control is the following service control policy (SCP). ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "CTEC2PV6", "Effect": "Deny", "Action": [ "ec2:RequestSpotFleet", "ec2:RequestSpotInstances" ], "Resource": "*"{% if ExemptedPrincipalArns %}, "Condition": { "ArnNotLike": { "aws:PrincipalArn": {{ExemptedPrincipalArns}} } }{% endif %} } ] } ``` # [CT.KMS.PV.1] Require an AWS KMS key policy to have a statement that limits creation of AWS KMS grants to AWS services CT.KMS.PV.1 This control requires that KMS grants are issued only to AWS services that are integrated with AWS KMS, or to an AWS service principal. This is a preventive control with elective guidance based on service control policies (SCPs). By default, this control is not enabled. You can enable this control through the AWS Control Tower console, or though the AWS Control Tower APIs. **AWS service: **AWS Key Management Service (AWS KMS) **Control metadata** + **Control objective: **Enforce least privilege + **Implementation: **Service control policy (SCP) + **Control behavior: **Preventive + **Control owner: **AWS Control Tower + **Control groups: **digital-sovereignty + **Resource types: **`AWS::KMS::Key` **Usage considerations** This control disallows the creation of AWS KMS grants for your KMS keys if the request does not originate from an AWS service that's integrated with AWS KMS, or from an AWS service principal. If you need to issue AWS KMS grants directly to your IAM principals for a customer-managed key, do not enable this control. This control supports configuration. It contains elements that are included by AWS Control Tower conditionally, based on the configuration you select. This control supports the following configuration parameters: **ExemptedPrincipalArns**. For more information, see [Configure controls with parameters](https://docs.aws.amazon.com//controltower/latest/controlreference/control-parameter-concepts.html). The artifact for this control is the following service control policy (SCP). ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "CTKMSPV1", "Effect": "Deny", "Action": "kms:CreateGrant", "Resource": "*", "Condition": { "BoolIfExists": { "kms:GrantIsForAWSResource": "false", "aws:PrincipalIsAWSService": "false" }{% if ExemptedPrincipalArns %}, "ArnNotLike": { "aws:PrincipalArn": {{ExemptedPrincipalArns}} }{% endif %} } } ] } ``` # [CT.KMS.PV.2] Require that an AWS KMS asymmetric key with RSA key material used for encryption does not have a key length of 2048 bits CT.KMS.PV.2 This control disallows the creation of KMS keys used for encryption and decryption that also have a key spec of `RSA_2048`. This is a preventive control with elective guidance based on service control policies (SCPs). By default, this control is not enabled. You can enable this control through the AWS Control Tower console, or though the AWS Control Tower APIs. **AWS service: **AWS Key Management Service (AWS KMS) **Control metadata** + **Control objective: **Encrypt data at rest, Encrypt data in transit + **Implementation: **Service control policy (SCP) + **Control behavior: **Preventive + **Control owner: **AWS Control Tower + **Control groups: **digital-sovereignty + **Resource types: **`AWS::KMS::Key` **Usage considerations** This control requires that you use a `KeySpec` other than `RSA_2048` when creating asymmetric KMS keys used for encryption and decryption. This control supports configuration. It contains elements that are included by AWS Control Tower conditionally, based on the configuration you select. This control supports the following configuration parameters: **ExemptedPrincipalArns**. For more information, see [Configure controls with parameters](https://docs.aws.amazon.com//controltower/latest/controlreference/control-parameter-concepts.html). The artifact for this control is the following service control policy (SCP). ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "CTKMSPV2", "Effect": "Deny", "Action": "kms:CreateKey", "Resource": "*", "Condition": { "StringEquals": { "kms:KeyUsage": "ENCRYPT_DECRYPT", "kms:KeySpec": "RSA_2048" }{% if ExemptedPrincipalArns %}, "ArnNotLike": { "aws:PrincipalArn": {{ExemptedPrincipalArns}} }{% endif %} } } ] } ``` # [CT.KMS.PV.3] Require that an AWS KMS key is configured with the bypass policy lockout safety check enabled CT.KMS.PV.3 This control disallows bypassing the KMS key policy lockout safety check when creating a KMS key or updating its key policy. This is a preventive control with elective guidance based on service control policies (SCPs). By default, this control is not enabled. You can enable this control through the AWS Control Tower console, or though the AWS Control Tower APIs. **AWS service: **AWS Key Management Service (AWS KMS) **Control metadata** + **Control objective: **Enforce least privilege, Protect configurations + **Implementation: **Service control policy (SCP) + **Control behavior: **Preventive + **Control owner: **AWS Control Tower + **Control groups: **digital-sovereignty + **Resource types: **`AWS::KMS::Key` **Usage considerations** This control disallows bypassing the policy lockout safety check, because bypassing this check increases the risk that a KMS key becomes unmanageable. This control supports configuration. It contains elements that are included by AWS Control Tower conditionally, based on the configuration you select. This control supports the following configuration parameters: **ExemptedPrincipalArns**. For more information, see [Configure controls with parameters](https://docs.aws.amazon.com//controltower/latest/controlreference/control-parameter-concepts.html). The artifact for this control is the following service control policy (SCP). ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "CTKMSPV3", "Effect": "Deny", "Action": [ "kms:CreateKey", "kms:PutKeyPolicy" ], "Resource": "*", "Condition": { "Bool": { "kms:BypassPolicyLockoutSafetyCheck": "true" }{% if ExemptedPrincipalArns %}, "ArnNotLike": { "aws:PrincipalArn": {{ExemptedPrincipalArns}} }{% endif %} } } ] } ``` # [CT.KMS.PV.4] Require that an AWS KMS customer-managed key (CMK) is configured with key material originating from AWS CloudHSM CT.KMS.PV.4 This control disallows creation of KMS keys that do not have a key origin of `AWS_CLOUDHSM`. This is a preventive control with elective guidance based on service control policies (SCPs). By default, this control is not enabled. You can enable this control through the AWS Control Tower console, or though the AWS Control Tower APIs. **AWS service: **AWS Key Management Service (AWS KMS) **Control metadata** + **Control objective: **Encrypt data at rest, Encrypt data in transit + **Implementation: **Service control policy (SCP) + **Control behavior: **Preventive + **Control owner: **AWS Control Tower + **Control groups: **digital-sovereignty + **Resource types: **`AWS::KMS::Key` **Usage considerations** This control restricts creation of AWS KMS keys to those that use a specific key material origin. It is suitable when enforcing a KMS key management strategy that requires all KMS keys to an AWS CloudHSM based custom key store. Before enforcing the exclusive use of keys whose key material resides in an AWS CloudHSM cluster, carefully evaluate the trade-offs documented in the [AWS CloudHSM key stores](https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html) section of the *AWS KMS Developer Guide*. This control supports configuration. It contains elements that are included by AWS Control Tower conditionally, based on the configuration you select. This control supports the following configuration parameters: **ExemptedPrincipalArns**. For more information, see [Configure controls with parameters](https://docs.aws.amazon.com//controltower/latest/controlreference/control-parameter-concepts.html). The artifact for this control is the following service control policy (SCP). ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "CTKMSPV4", "Effect": "Deny", "Action": "kms:CreateKey", "Resource": "*", "Condition": { "StringNotEquals": { "kms:KeyOrigin": "AWS_CLOUDHSM" }{% if ExemptedPrincipalArns %}, "ArnNotLike": { "aws:PrincipalArn": {{ExemptedPrincipalArns}} }{% endif %} } } ] } ``` # [CT.KMS.PV.5] Require that an AWS KMS customer-managed key (CMK) is configured with imported key material CT.KMS.PV.5 This control disallows creation of KMS keys that do not have a key origin of `EXTERNAL`. This is a preventive control with elective guidance based on service control policies (SCPs). By default, this control is not enabled. You can enable this control through the AWS Control Tower console, or though the AWS Control Tower APIs. **AWS service: **AWS Key Management Service (AWS KMS) **Control metadata** + **Control objective: **Encrypt data at rest, Encrypt data in transit + **Implementation: **Service control policy (SCP) + **Control behavior: **Preventive + **Control owner: **AWS Control Tower + **Control groups: **digital-sovereignty + **Resource types: **`AWS::KMS::Key` **Usage considerations** This control restricts creation of KMS keys to those that use a specific key material origin. It is suitable when enforcing a KMS key management strategy that requires all KMS keys to use imported key material. Before enforcing the exclusive use of keys with imported key material, carefully evaluate the trade-offs documented in the [Importing key material for AWS KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) section of the *AWS KMS Developer Guide*. This control supports configuration. It contains elements that are included by AWS Control Tower conditionally, based on the configuration you select. This control supports the following configuration parameters: **ExemptedPrincipalArns**. For more information, see [Configure controls with parameters](https://docs.aws.amazon.com//controltower/latest/controlreference/control-parameter-concepts.html). The artifact for this control is the following service control policy (SCP). ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "CTKMSPV5", "Effect": "Deny", "Action": "kms:CreateKey", "Resource": "*", "Condition": { "StringNotEquals": { "kms:KeyOrigin": "EXTERNAL" }{% if ExemptedPrincipalArns %}, "ArnNotLike": { "aws:PrincipalArn": {{ExemptedPrincipalArns}} }{% endif %} } } ] } ``` # [CT.KMS.PV.6] Require that an AWS KMS customer-managed key (CMK) is configured with key material originating from an external key store (XKS) CT.KMS.PV.6 This control disallows creation of KMS keys that do not have a key origin of `EXTERNAL_KEY_STORE`. This is a preventive control with elective guidance based on service control policies (SCPs). By default, this control is not enabled. You can enable this control through the AWS Control Tower console, or though the AWS Control Tower APIs. **AWS service: **AWS Key Management Service (AWS KMS) **Control metadata** + **Control objective: **Encrypt data at rest, Encrypt data in transit + **Implementation: **Service control policy (SCP) + **Control behavior: **Preventive + **Control owner: **AWS Control Tower + **Control groups: **digital-sovereignty + **Resource types: **`AWS::KMS::Key` **Usage considerations** This control restricts creation of AWS KMS keys to those that use a specific key material origin. It is suitable when enforcing a KMS key management strategy that requires all KMS keys to an external key store custom key store. Before enforcing the exclusive use of keys whose key material resides in an external key store, carefully evaluate the trade-offs documented in the [External key stores](https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html) section of the *AWS KMS Developer Guide*. This control supports configuration. It contains elements that are included by AWS Control Tower conditionally, based on the configuration you select. This control supports the following configuration parameters: **ExemptedPrincipalArns**. For more information, see [Configure controls with parameters](https://docs.aws.amazon.com//controltower/latest/controlreference/control-parameter-concepts.html). The artifact for this control is the following service control policy (SCP). ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "CTKMSPV6", "Effect": "Deny", "Action": "kms:CreateKey", "Resource": "*", "Condition": { "StringNotEquals": { "kms:KeyOrigin": "EXTERNAL_KEY_STORE" }{% if ExemptedPrincipalArns %}, "ArnNotLike": { "aws:PrincipalArn": {{ExemptedPrincipalArns}} }{% endif %} } } ] } ``` # [CT.LAMBDA.PV.1] Require an AWS Lambda function URL to use AWS IAM-based authentication CT.LAMBDA.PV.1 Require an AWS Lambda function URL to restrict access to authenticated users by using `AWS_IAM` based authentication. This is a preventive control with elective guidance based on service control policies (SCPs). By default, this control is not enabled. You can enable this control through the AWS Control Tower console, or though the AWS Control Tower APIs. **AWS service: **AWS Lambda **Control metadata** + **Control objective: **Enforce least privilege + **Implementation: **Service control policy (SCP) + **Control behavior: **Preventive + **Control owner: **AWS Control Tower + **Control groups: **digital-sovereignty + **Resource types: **`AWS::Lambda::Url` **Usage considerations** This control disallows creation and update of AWS Lambda function URL configurations. It does not prevent deletion of Lambda function URL configurations. This control supports configuration. It contains elements that are included by AWS Control Tower conditionally, based on the configuration you select. This control supports the following configuration parameters: **ExemptedPrincipalArns**. For more information, see [Configure controls with parameters](https://docs.aws.amazon.com//controltower/latest/controlreference/control-parameter-concepts.html). The artifact for this control is the following service control policy (SCP). ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "CTLAMBDAPV1", "Effect": "Deny", "Action": [ "lambda:CreateFunctionUrlConfig", "lambda:UpdateFunctionUrlConfig" ], "Resource": "arn:*:lambda:*:*:function:*", "Condition": { "StringNotEquals": { "lambda:FunctionUrlAuthType": "AWS_IAM" }{% if ExemptedPrincipalArns %}, "ArnNotLike": { "aws:PrincipalArn": {{ExemptedPrincipalArns}} }{% endif %} } } ] } ``` # [CT.LAMBDA.PV.2] Require an AWS Lambda function or AWS Lambda function URL to be configured for access only to principals within your AWS account CT.LAMBDA.PV.2 This control requires an AWS Lambda function resource-based policy to grant access only to IAM principals that reside in your AWS account. This is a preventive control with elective guidance based on service control policies (SCPs). By default, this control is not enabled. You can enable this control through the AWS Control Tower console, or though the AWS Control Tower APIs. **AWS service: **AWS Lambda **Control metadata** + **Control objective: **Enforce least privilege + **Implementation: **Service control policy (SCP) + **Control behavior: **Preventive + **Control owner: **AWS Control Tower + **Control groups: **digital-sovereignty + **Resource types: **`AWS::Lambda::Url`, `AWS::Lambda::Function` **Usage considerations** This control limits cross-account access to AWS Lambda functions by restricting the allowed IAM principals in a Lambda function resource policy to those in the same account as the Lambda function. Allow listing AWS service principals is not supported by this control. Permissions to AWS Lambda functions and related URL(s) are governed by this control. This control supports configuration. It contains elements that are included by AWS Control Tower conditionally, based on the configuration you select. This control supports the following configuration parameters: **ExemptedPrincipalArns**. For more information, see [Configure controls with parameters](https://docs.aws.amazon.com//controltower/latest/controlreference/control-parameter-concepts.html). The artifact for this control is the following service control policy (SCP). ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "CTLAMBDAPV2", "Effect": "Deny", "Action": "lambda:AddPermission", "Resource": "arn:*:lambda:*:*:function:*", "Condition": { "StringNotLike": { "lambda:Principal": [ "arn:*:iam::${aws:PrincipalAccount}:*", "${aws:PrincipalAccount}" ] }, "ArnNotLike": { "aws:PrincipalArn": [ {{ExemptedPrincipalArns}} "arn:*:iam::*:role/AWSControlTowerExecution" ] } } } ] } ``` # Controls that enhance data residency protection Data residency controls These elective controls complement your enterprise's data residency posture. By applying these controls together, you can set up your multi-account environment to help detect and inhibit the purposeful or accidental creation, sharing, or copying of data, outside of your selected AWS Region or Regions. These controls take effect at the OU level, and they apply to all member accounts within the OU. **Important** Certain global AWS services, such as AWS Identity and Access Management (IAM) and AWS Organizations, are exempt from these controls. You can identify the services that are exempt by reviewing the **Region deny SCP**, shown in the example code. Services with "\$1" after their identifier are exempt, because all actions are permitted when the "\$1" notation is given. This SCP essentially contains a list of explicitly permitted actions, and all other actions are denied. You cannot deny access to your home Region. ## Video: Enable data residency controls This video (5:58) describes how to enable data residency controls with AWS Control Tower controls. For better viewing, select the icon at the lower right corner of the video to enlarge it to full screen. Captioning is available. **Note** AWS Control Tower no longer supports searching the controls list by *Category*, as shown in this video. To easily identify the Data Residency controls, we recommend you sort the controls list by *Release Date*. Controls with a release date of November 30, 2021 are the same controls in the Data Residency category shown in the video. This video includes the term *guardrail*, an older term AWS Control Tower used for *control*. We updated the term to better align with industry usage and other AWS services. These terms are synonymous for our purposes. [![AWS Videos](http://img.youtube.com/vi/k31cQVuRyJk/0.jpg)](http://www.youtube.com/watch?v=k31cQVuRyJk) **Topics** + [ ## Video: Enable data residency controls ](#video-walkthrough-data-residency) + [ # Data residency controls with preventive behavior ](data-residency-preventive-controls.md) + [ # Data residency controls with detective behavior ](data-residency-detective-controls.md) # Data residency controls with preventive behavior Data residency preventive The following data residency controls have preventive behavior. **Topics** + [ ## Disallow internet access for an Amazon VPC instance managed by a customer ](#disallow-vpc-internet-access) + [ ## Disallow Amazon Virtual Private Network (VPN) connections ](#prevent-vpn-connection) + [ ## Disallow cross-region networking for Amazon EC2, Amazon CloudFront, and AWS Global Accelerator ](#prevent-cross-region-networking) ## Disallow internet access for an Amazon VPC instance managed by a customer This control disallows internet access for an Amazon Virtual Private Cloud (VPC) instance managed by a customer, rather than by an AWS service. **Important** If you provision Account Factory accounts with VPC internet access settings enabled, that Account Factory setting overrides this control. To avoid enabling internet access for newly provisioned accounts, you must change the setting in Account Factory. For more information, see [Configure AWS Control Tower Without a VPC](https://docs.aws.amazon.com/controltower/latest/userguide/configure-without-vpc.html). + This control does not apply to VPCs managed by AWS services. + Existing VPCs that have internet access retain their internet access. It applies to new instances only. After this control is applied, access cannot be changed. This is a preventive control with elective guidance. By default, this control isn't enabled on any OUs. The artifact for this control is the following service control policy (SCP). ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "GRDISALLOWVPCINTERNETACCESS", "Effect": "Deny", "Action": [ "ec2:CreateInternetGateway", "ec2:AttachInternetGateway", "ec2:CreateEgressOnlyInternetGateway", "ec2:CreateDefaultVpc", "ec2:CreateDefaultSubnet", "ec2:CreateCarrierGateway" ], "Resource": [ "*" ], "Condition": { "ArnNotLike": { "aws:PrincipalArn": [ "arn:aws:iam::*:role/AWSControlTowerExecution" ] } } } ] } ``` ------ ## Disallow Amazon Virtual Private Network (VPN) connections This control prevents Virtual Private Network (VPN) connections (Site-to-Site VPN and Client VPN) to an Amazon Virtual Private Cloud (VPC). **Note** Existing VPCs that have internet access retain their internet access. This is a preventive control with elective guidance. By default, this control isn't enabled on any OUs. The artifact for this control is the following service control policy (SCP). ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "GRDISALLOWVPNCONNECTIONS", "Effect": "Deny", "Action": [ "ec2:CreateVPNGateway", "ec2:AttachVPNGateway", "ec2:CreateCustomerGateway", "ec2:CreateVpnConnection", "ec2:ModifyVpnConnection", "ec2:CreateClientVpnEndpoint", "ec2:ModifyClientVpnEndpoint", "ec2:AssociateClientVpnTargetNetwork", "ec2:AuthorizeClientVpnIngress" ], "Resource": [ "*" ] } ] } ``` ------ ## Disallow cross-region networking for Amazon EC2, Amazon CloudFront, and AWS Global Accelerator This control prevents configuring cross-region networking connections from Amazon EC2, Amazon CloudFront, and AWS Global Accelerator services. It prevents VPC peering and transit gateway peering. **Note** This control prevents Amazon EC2 VPC peering and Amazon EC2 transit gateway peering within a single Region, as well as across Regions. For this reason, this control may affect certain workloads in addition to your data residency posture. This is a preventive control with elective guidance. By default, this control isn't enabled on any OUs. The artifact for this control is the following service control policy (SCP). ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "GRDISALLOWCROSSREGIONNETWORKING", "Effect": "Deny", "Action": [ "ec2:CreateVpcPeeringConnection", "ec2:AcceptVpcPeeringConnection", "ec2:CreateTransitGatewayPeeringAttachment", "ec2:AcceptTransitGatewayPeeringAttachment", "cloudfront:CreateDistribution", "cloudfront:UpdateDistribution", "globalaccelerator:Create*", "globalaccelerator:Update*" ], "Resource": [ "*" ] } ] } ``` ------ # Data residency controls with detective behavior Data residency detective The following data residency controls have detective behavior. **Topics** + [ ## Detect whether public IP addresses for Amazon EC2 autoscaling are enabled through launch configurations ](#autoscaling-launch-config-public-ip-disabled) + [ ## Detect whether replication instances for AWS Database Migration Service are public ](#dms-replication-not-public) + [ ## Detect whether Amazon EBS snapshots are restorable by all AWS accounts ](#ebs-snapshot-public-restorable-check) + [ ## Detect whether any Amazon EC2 instance has an associated public IPv4 address ](#ec2-instance-no-public-ip) + [ ## Detect whether Amazon S3 settings to block public access are set as true for the account ](#s3-account-level-public-access-blocks-periodic) + [ ## Detects whether an Amazon EKS endpoint is blocked from public access ](#eks-endpoint-no-public-access) + [ ## Detect whether an Amazon OpenSearch Service domain is in Amazon VPC ](#elasticsearch-in-vpc-only) + [ ## Detect whether any Amazon EMR cluster master nodes have public IP addresses ](#emr-master-no-public-ip) + [ ## Detect whether the AWS Lambda function policy attached to the Lambda resource blocks public access ](#lambda-function-public-access-prohibited) + [ ## Detect whether public routes exist in the route table for an Internet Gateway (IGW) ](#no-unrestricted-route-to-igw) + [ ## Detect whether Amazon Redshift clusters are blocked from public access ](#redshift-cluster-public-access-check) + [ ## Detect whether an Amazon SageMaker notebook instance allows direct internet access ](#sagemaker-notebook-no-direct-internet-access) + [ ## Detect whether any Amazon VPC subnets are assigned a public IP address ](#subnet-auto-assign-public-ip-disabled) + [ ## Detect whether AWS Systems Manager documents owned by the account are public ](#ssm-document-not-public) ## Detect whether public IP addresses for Amazon EC2 autoscaling are enabled through launch configurations This control detects whether Amazon EC2 Auto Scaling groups have public IP addresses enabled through launch configurations. This is a detective control with elective guidance. By default, this control isn't enabled on any OUs. **In the console:** + The rule shows **Non-compliant** status if the launch configuration for an autoscaling group sets the value of the field `AssociatePublicIpAddress` set as **True**. The artifact for this control is the following AWS Config rule. ``` AWSTemplateFormatVersion: 2010-09-09 Description: Configure AWS Config rule to detect whether public IP addresses for Amazon EC2 Auto Scaling are enabled through launch configurations Parameters: ConfigRuleName: Type: 'String' Description: 'Name for the Config rule' Resources: AutoscalingLaunchConfigPublicIpDisabled: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: !Sub ${ConfigRuleName} Description: Detects whether Amazon EC2 Auto Scaling groups have public IP addresses enabled through launch configurations. This rule is NON_COMPLIANT if the launch configuration for an Auto Scaling group has the value of the field AssociatePublicIpAddress set as True. Scope: ComplianceResourceTypes: - AWS::AutoScaling::LaunchConfiguration Source: Owner: AWS SourceIdentifier: AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED ``` ## Detect whether replication instances for AWS Database Migration Service are public This control detects whether AWS Database Migration Service replication instances are public. This is a detective control with elective guidance. By default, this control isn't enabled on any OUs. **In the console:** + The rule shows **Non-compliant** status if the value of the `PubliclyAccessible` field is set as **True**. The artifact for this control is the following AWS Config rule. ``` AWSTemplateFormatVersion: 2010-09-09 Description: Configure AWS Config rule to detect whether replication instances for AWS Database Migration Service are public Parameters: ConfigRuleName: Type: 'String' Description: 'Name for the Config rule' MaximumExecutionFrequency: Type: String Default: 24hours Description: The frequency at which AWS Config will run evaluations for the rule. AllowedValues: - 1hour - 3hours - 6hours - 12hours - 24hours Mappings: Settings: FrequencyMap: 1hour : One_Hour 3hours : Three_Hours 6hours : Six_Hours 12hours : Twelve_Hours 24hours : TwentyFour_Hours Resources: DmsReplicationNotPublic: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: !Sub ${ConfigRuleName} Description: Detects whether AWS Database Migration Service replication instances are public. The rule is NON_COMPLIANT if the value of the PubliclyAccessible field is set as True. Source: Owner: AWS SourceIdentifier: DMS_REPLICATION_NOT_PUBLIC MaximumExecutionFrequency: !FindInMap - Settings - FrequencyMap - !Ref MaximumExecutionFrequency ``` ## Detect whether Amazon EBS snapshots are restorable by all AWS accounts This control detects whether all AWS accounts have access to restore Amazon EBS snapshots. This is a detective control with elective guidance. By default, this control isn't enabled on any OUs. **In the console:** + The rule shows **Non-compliant** status if any snapshots have the `RestorableByUserIds` field set to the value **All**. In that case, the Amazon EBS snapshots are public. The artifact for this control is the following AWS Config rule. ``` AWSTemplateFormatVersion: 2010-09-09 Description: Configure AWS Config rule to detect whether Amazon EBS snapshots are restorable by all AWS accounts Parameters: ConfigRuleName: Type: 'String' Description: 'Name for the Config rule' MaximumExecutionFrequency: Type: String Default: 24hours Description: The frequency at which AWS Config will run evaluations for the rule. AllowedValues: - 1hour - 3hours - 6hours - 12hours - 24hours Mappings: Settings: FrequencyMap: 1hour : One_Hour 3hours : Three_Hours 6hours : Six_Hours 12hours : Twelve_Hours 24hours : TwentyFour_Hours Resources: EbsSnapshotPublicRestorableCheck: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: !Sub ${ConfigRuleName} Description: Detects whether all AWS accounts have access to restore Amazon EBS snapshots. The rule is NON_COMPLIANT if any snapshots have the RestorableByUserIds field set to the value All. In that case, the Amazon EBS snapshots are public. Source: Owner: AWS SourceIdentifier: EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK MaximumExecutionFrequency: !FindInMap - Settings - FrequencyMap - !Ref MaximumExecutionFrequency ``` ## Detect whether any Amazon EC2 instance has an associated public IPv4 address This control detects whether an Amazon Elastic Compute Cloud (Amazon EC2) instance has an associated public IPv4 address. This control applies only to IPv4 addresses. This is a detective control with elective guidance. By default, this control isn't enabled on any OUs. **In the console:** + The rule shows **Non-compliant** status if the public IP field is present in the Amazon EC2 instance configuration item. The artifact for this control is the following AWS Config rule. ``` AWSTemplateFormatVersion: 2010-09-09 Description: Configure AWS Config rule to detect whether any Amazon EC2 instance has an associated public IPv4 address Parameters: ConfigRuleName: Type: 'String' Description: 'Name for the Config rule' Resources: Ec2InstanceNoPublicIp: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: !Sub ${ConfigRuleName} Description: Detects whether an Amazon Elastic Compute Cloud (Amazon EC2) instance has an associated public IPv4 address. The rule is NON_COMPLIANT if the public IP field is present in the Amazon EC2 instance configuration item. Scope: ComplianceResourceTypes: - AWS::EC2::Instance Source: Owner: AWS SourceIdentifier: EC2_INSTANCE_NO_PUBLIC_IP ``` ## Detect whether Amazon S3 settings to block public access are set as true for the account This control periodically detects whether the required Amazon S3 settings to block public access are configured as true for the account, rather than for a bucket or an access point. **In the console:** + The rule shows **Non-compliant** status if at least one of the settings is false. This is a detective control with elective guidance. By default, this control isn't enabled on any OUs. The artifact for this control is the following AWS Config rule. ``` AWSTemplateFormatVersion: 2010-09-09 Description: Configure AWS Config rule to check whether Amazon S3 settings to block public access are set as true for the account. Parameters: ConfigRuleName: Type: 'String' Description: 'Name for the Config rule' PublicAccessBlockSetting: Type: 'String' Default: 'True' MaximumExecutionFrequency: Type: String Default: 24hours Description: The frequency at which AWS Config will run evaluations for the rule. AllowedValues: - 1hour - 3hours - 6hours - 12hours - 24hours Mappings: Settings: FrequencyMap: 1hour : One_Hour 3hours : Three_Hours 6hours : Six_Hours 12hours : Twelve_Hours 24hours : TwentyFour_Hours Resources: CheckForS3PublicAccessBlock: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: !Sub ${ConfigRuleName} Description: Checks the Amazon S3 settings to block public access are set as true for the account. The rule is non-compliant if at-least one of the settings is false. Source: Owner: AWS SourceIdentifier: S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS_PERIODIC Scope: ComplianceResourceTypes: - AWS::S3::AccountPublicAccessBlock InputParameters: IgnorePublicAcls: !Ref PublicAccessBlockSetting BlockPublicPolicy: !Ref PublicAccessBlockSetting BlockPublicAcls: !Ref PublicAccessBlockSetting RestrictPublicBuckets: !Ref PublicAccessBlockSetting MaximumExecutionFrequency: !FindInMap - Settings - FrequencyMap - !Ref MaximumExecutionFrequency ``` ## Detects whether an Amazon EKS endpoint is blocked from public access This control detects whether an Amazon Elastic Kubernetes Service (Amazon EKS) endpoint is blocked from public access. This is a detective control with elective guidance. By default, this control isn't enabled on any OUs. **In the console:** + The rule shows **Non-compliant** status if the endpoint is publicly accessible. The artifact for this control is the following AWS Config rule. ``` AWSTemplateFormatVersion: 2010-09-09 Description: Configure AWS Config rule to detect whether an Amazon EKS endpoint is blocked from public access Parameters: ConfigRuleName: Type: 'String' Description: 'Name for the Config rule' MaximumExecutionFrequency: Type: String Default: 24hours Description: The frequency at which AWS Config will run evaluations for the rule. AllowedValues: - 1hour - 3hours - 6hours - 12hours - 24hours Mappings: Settings: FrequencyMap: 1hour : One_Hour 3hours : Three_Hours 6hours : Six_Hours 12hours : Twelve_Hours 24hours : TwentyFour_Hours Resources: EKSEndpointNoPublicAccess: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: !Sub ${ConfigRuleName} Description: Detects whether an Amazon Elastic Kubernetes Service (Amazon EKS) endpoint is publicly accessible. The rule is NON_COMPLIANT if the endpoint is publicly accessible. Source: Owner: AWS SourceIdentifier: EKS_ENDPOINT_NO_PUBLIC_ACCESS MaximumExecutionFrequency: !FindInMap - Settings - FrequencyMap - !Ref MaximumExecutionFrequency ``` ## Detect whether an Amazon OpenSearch Service domain is in Amazon VPC This control detects whether an Amazon OpenSearch Service domain is in Amazon VPC. This is a detective control with elective guidance. By default, this control isn't enabled on any OUs. **In the console:** + The rule shows **Non-compliant** status if the OpenSearch Service domain endpoint is public. The artifact for this control is the following AWS Config rule. ``` AWSTemplateFormatVersion: 2010-09-09 Description: Configure AWS Config rule to detect whether an Amazon OpenSearch Service domain is in Amazon VPC Parameters: ConfigRuleName: Type: 'String' Description: 'Name for the Config rule' MaximumExecutionFrequency: Type: String Default: 24hours Description: The frequency at which AWS Config will run evaluations for the rule. AllowedValues: - 1hour - 3hours - 6hours - 12hours - 24hours Mappings: Settings: FrequencyMap: 1hour : One_Hour 3hours : Three_Hours 6hours : Six_Hours 12hours : Twelve_Hours 24hours : TwentyFour_Hours Resources: ElasticsearchInVpcOnly: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: !Sub ${ConfigRuleName} Description: Detects whether Amazon OpenSearch Service domains are in Amazon Virtual Private Cloud (Amazon VPC). The rule is NON_COMPLIANT if the OpenSearch Service domain endpoint is public. Source: Owner: AWS SourceIdentifier: ELASTICSEARCH_IN_VPC_ONLY MaximumExecutionFrequency: !FindInMap - Settings - FrequencyMap - !Ref MaximumExecutionFrequency ``` ## Detect whether any Amazon EMR cluster master nodes have public IP addresses This control detects whether any Amazon EMR cluster master nodes have public IP addresses. This is a detective control with elective guidance. By default, this control isn't enabled on any OUs **In the console:** + The rule shows **Non-compliant** status if a master node has a public IP address. + This control checks clusters that are in RUNNING or WAITING state. The artifact for this control is the following AWS Config rule. ``` AWSTemplateFormatVersion: 2010-09-09 Description: Configure AWS Config rule to detect whether any Amazon EMR cluster master nodes have public IP addresses Parameters: ConfigRuleName: Type: 'String' Description: 'Name for the Config rule' MaximumExecutionFrequency: Type: String Default: 24hours Description: The frequency at which AWS Config will run evaluations for the rule. AllowedValues: - 1hour - 3hours - 6hours - 12hours - 24hours Mappings: Settings: FrequencyMap: 1hour : One_Hour 3hours : Three_Hours 6hours : Six_Hours 12hours : Twelve_Hours 24hours : TwentyFour_Hours Resources: EmrMasterNoPublicIp: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: !Sub ${ConfigRuleName} Description: Detects whether any Amazon Elastic MapReduce (EMR) cluster master nodes have public IP addresses. The rule is NON_COMPLIANT if a master node has a public IP. This control checks clusters that are in RUNNING or WAITING state. Source: Owner: AWS SourceIdentifier: EMR_MASTER_NO_PUBLIC_IP MaximumExecutionFrequency: !FindInMap - Settings - FrequencyMap - !Ref MaximumExecutionFrequency ``` ## Detect whether the AWS Lambda function policy attached to the Lambda resource blocks public access This control detects whether the AWS Lambda function policy attached to the Lambda resource blocks public access. This is a detective control with elective guidance. By default, this control isn't enabled on any OUs. **In the console:** + The rule shows **Non-compliant** status if the Lambda function policy allows public access. The artifact for this control is the following AWS Config rule. ``` AWSTemplateFormatVersion: 2010-09-09 Description: Configure AWS Config rule to detect whether the AWS Lambda function policy attached to the Lambda resource blocks public access Parameters: ConfigRuleName: Type: 'String' Description: 'Name for the Config rule' Resources: LambdaFunctionPublicAccessProhibited: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: !Sub ${ConfigRuleName} Description: Detects whether the AWS Lambda function policy attached to the Lambda resource prohibits public access. The rule is NON_COMPLIANT if the Lambda function policy allows public access. Scope: ComplianceResourceTypes: - AWS::Lambda::Function Source: Owner: AWS SourceIdentifier: LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED ``` ## Detect whether public routes exist in the route table for an Internet Gateway (IGW) This control detects whether public routes exist in the route table associated with an Internet Gateway (IGW). This is a detective control with elective guidance. By default, this control isn't enabled on any OUs. **In the console:** + The rule shows **Non-compliant** status if a route has a destination CIDR block of `0.0.0.0/0` or `::/0` or if a destination CIDR block does not match the rule parameter. **Note** This control fails if any of the routes to an IGW has a destination CIDR block of `0.0.0.0/0` or `::/0`. The artifact for this control is the following AWS Config rule. ``` AWSTemplateFormatVersion: 2010-09-09 Description: Configure AWS Config rule to detect whether public routes exist in the route table for an Internet Gateway (IGW) Parameters: ConfigRuleName: Type: 'String' Description: 'Name for the Config rule' Resources: NoUnrestrictedRouteToIgw: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: !Sub ${ConfigRuleName} Description: Detects whether public routes exist in the route table associated with an Internet Gateway (IGW). The rule is NON_COMPLIANT if a route has a destination CIDR block of '0.0.0.0/0' or '::/0' or if a destination CIDR block does not match the rule parameter. Scope: ComplianceResourceTypes: - AWS::EC2::RouteTable Source: Owner: AWS SourceIdentifier: NO_UNRESTRICTED_ROUTE_TO_IGW ``` ## Detect whether Amazon Redshift clusters are blocked from public access This control detects whether Amazon Redshift clusters are blocked from public access. This is a detective control with elective guidance. By default, this control isn't enabled on any OUs. **In the console:** + The rule shows **Non-compliant** status if the `publiclyAccessible` field is set to **True** in the cluster configuration item. The artifact for this control is the following AWS Config rule. ``` AWSTemplateFormatVersion: 2010-09-09 Description: Configure AWS Config rule to detect whether Amazon Redshift clusters are blocked from public access Parameters: ConfigRuleName: Type: 'String' Description: 'Name for the Config rule' Resources: RedshiftClusterPublicAccessCheck: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: !Sub ${ConfigRuleName} Description: Detects whether Amazon Redshift clusters are blocked from public access. The rule is NON_COMPLIANT if the publiclyAccessible field is true in the cluster configuration item. Scope: ComplianceResourceTypes: - AWS::Redshift::Cluster Source: Owner: AWS SourceIdentifier: REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK ``` ## Detect whether an Amazon SageMaker notebook instance allows direct internet access This control detects whether an Amazon SageMaker notebook instance allows direct internet access. This is a detective control with elective guidance. By default, this control isn't enabled on any OUs. **In the console:** + The rule shows **Non-compliant** status if Amazon SageMaker notebook instances allow direct internet access. The artifact for this control is the following AWS Config rule. ``` AWSTemplateFormatVersion: 2010-09-09 Description: Configure AWS Config rule to detect whether an Amazon SageMaker notebook instance allows direct internet access Parameters: ConfigRuleName: Type: 'String' Description: 'Name for the Config rule' MaximumExecutionFrequency: Type: String Default: 24hours Description: The frequency at which AWS Config will run evaluations for the rule. AllowedValues: - 1hour - 3hours - 6hours - 12hours - 24hours Mappings: Settings: FrequencyMap: 1hour : One_Hour 3hours : Three_Hours 6hours : Six_Hours 12hours : Twelve_Hours 24hours : TwentyFour_Hours Resources: SagemakerNotebookNoDirectInternetAccess: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: !Sub ${ConfigRuleName} Description: Detects whether direct internet access is allowed for an Amazon SageMaker notebook instance. The rule is NON_COMPLIANT if Amazon SageMaker notebook instances allow direct internet access. Source: Owner: AWS SourceIdentifier: SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS MaximumExecutionFrequency: !FindInMap - Settings - FrequencyMap - !Ref MaximumExecutionFrequency ``` ## Detect whether any Amazon VPC subnets are assigned a public IP address This control detects whether Amazon Virtual Private Cloud (Amazon VPC) subnets are assigned a public IP address. This is a detective control with elective guidance. By default, this control isn't enabled on any OUs. **In the console:** + The rule shows **Non-compliant** status if the Amazon VPC has subnets that are assigned a public IP address. The artifact for this control is the following AWS Config rule. ``` AWSTemplateFormatVersion: 2010-09-09 Description: Detect whether any Amazon VPC subnets are assigned a public IP address Parameters: ConfigRuleName: Type: 'String' Description: 'Name for the Config rule' Resources: SubnetAutoAssignPublicIpDisabled: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: !Sub ${ConfigRuleName} Description: Detects whether Amazon Virtual Private Cloud (Amazon VPC) subnets are assigned a public IP address. The rule is NON_COMPLIANT if Amazon VPC has subnets that are assigned a public IP address. Scope: ComplianceResourceTypes: - AWS::EC2::Subnet Source: Owner: AWS SourceIdentifier: SUBNET_AUTO_ASSIGN_PUBLIC_IP_DISABLED ``` ## Detect whether AWS Systems Manager documents owned by the account are public This control detects whether AWS Systems Manager documents owned by the account are public. This is a detective control with elective guidance. By default, this control isn't enabled on any OUs. **In the console:** The rule shows **Non-compliant** status if any documents with owner 'Self' are public. The artifact for this control is the following AWS Config rule. ``` AWSTemplateFormatVersion: 2010-09-09 Description: Configure AWS Config rule to detect whether AWS Systems Manager documents owned by the account are public Parameters: ConfigRuleName: Type: 'String' Description: 'Name for the Config rule' MaximumExecutionFrequency: Type: String Default: 24hours Description: The frequency at which AWS Config will run evaluations for the rule. AllowedValues: - 1hour - 3hours - 6hours - 12hours - 24hours Mappings: Settings: FrequencyMap: 1hour : One_Hour 3hours : Three_Hours 6hours : Six_Hours 12hours : Twelve_Hours 24hours : TwentyFour_Hours Resources: SsmDocumentNotPublic: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: !Sub ${ConfigRuleName} Description: Detects whether AWS Systems Manager (SSM) documents owned by the account are public. This rule is NON_COMPLIANT if any documents with owner 'Self' are public. Source: Owner: AWS SourceIdentifier: SSM_DOCUMENT_NOT_PUBLIC MaximumExecutionFrequency: !FindInMap - Settings - FrequencyMap - !Ref MaximumExecutionFrequency ```