Exception to controls for the Security OU - AWS Control Tower

For customers on landing zone (LZ) version 4.0:

AWS Control Tower no longer creates or manages a Security OU in LZ v4.0, so the restrictions described below do not apply.

For existing customers on LZ v3.3 and below:

AWS Control Tower deploys and manages resources in the Security OU that it requires in order to function properly. You can deploy certain preventive controls (SCP-based) and detective controls (based on AWS Config rules) to this OU; most other controls cannot be enabled for it. The lists below state which controls are excluded and which are permitted.

Controls that cannot be deployed to the Security OU
  • You cannot deploy proactive controls to the Security OU.

  • You cannot deploy Security Hub controls to the Security OU.

  • You cannot deploy RCP-based controls to the Security OU.

  • You cannot deploy declarative policies to the Security OU.

  • Certain SCP-based controls cannot be deployed to the Security OU.

Controls that are deployable to the Security OU
  • All controls implemented by AWS Config rules

  • AWS-GR_AUDIT_BUCKET_DELETION_PROHIBITED (Mandatory)

  • AWS-GR_AUDIT_BUCKET_ENCRYPTION_ENABLED

  • AWS-GR_AUDIT_BUCKET_LOGGING_ENABLED

  • AWS-GR_AUDIT_BUCKET_POLICY_CHANGES_PROHIBITED (Mandatory)

  • AWS-GR_AUDIT_BUCKET_RETENTION_POLICY

  • AWS-GR_CLOUDTRAIL_CHANGE_PROHIBITED

  • AWS-GR_CLOUDTRAIL_CLOUDWATCH_LOGS_ENABLED

  • AWS-GR_CLOUDTRAIL_ENABLED

  • AWS-GR_CLOUDTRAIL_VALIDATION_ENABLED

  • AWS-GR_CLOUDWATCH_EVENTS_CHANGE_PROHIBITED

  • AWS-GR_CONFIG_AGGREGATION_AUTHORIZATION_POLICY

  • AWS-GR_CONFIG_AGGREGATION_CHANGE_PROHIBITED

  • AWS-GR_CONFIG_CHANGE_PROHIBITED

  • AWS-GR_CONFIG_ENABLED

  • AWS-GR_CONFIG_RULE_CHANGE_PROHIBITED

  • AWS-GR_CT_AUDIT_BUCKET_ENCRYPTION_CHANGES_PROHIBITED (Mandatory)

  • AWS-GR_CT_AUDIT_BUCKET_LIFECYCLE_CONFIGURATION_CHANGES_PROHIBITED (Mandatory)

  • AWS-GR_CT_AUDIT_BUCKET_LOGGING_CONFIGURATION_CHANGES_PROHIBITED (Mandatory)

  • AWS-GR_CT_AUDIT_BUCKET_POLICY_CHANGES_PROHIBITED

  • AWS-GR_DISALLOW_CROSS_REGION_NETWORKING

  • AWS-GR_DISALLOW_VPC_INTERNET_ACCESS

  • AWS-GR_DISALLOW_VPN_CONNECTIONS

  • AWS-GR_IAM_ROLE_CHANGE_PROHIBITED

  • AWS-GR_LAMBDA_CHANGE_PROHIBITED

  • AWS-GR_LOG_GROUP_POLICY

  • AWS-GR_REGION_DENY

  • AWS-GR_RESTRICT_ROOT_USER

  • AWS-GR_RESTRICT_ROOT_USER_ACCESS_KEYS

  • AWS-GR_RESTRICT_S3_CROSS_REGION_REPLICATION

  • AWS-GR_RESTRICT_S3_DELETE_WITHOUT_MFA

  • AWS-GR_SNS_CHANGE_PROHIBITED

  • AWS-GR_SNS_SUBSCRIPTION_CHANGE_PROHIBITED

  • CT.BACKUP.PV.1

  • CT.BACKUP.PV.2

  • CT.BACKUP.PV.3

  • CT.CLOUDFORMATION.PR.1

  • CT.IAM.PV.1

  • CT.S3.PV.1

  • CT.S3.PV.7

  • CT.S3.PV.8

  • CT.SNS.PV.1