Feature comparison with and without AWS Config integration

With Landing Zone 4.0, you can disable the AWS Config integration. The following table summarizes the AWS Control Tower features that are available with and without the AWS Config integration enabled on the landing zone.

Features	AWS Config Integration Enabled	AWS Config Integration Disabled
Preventive controls	✓	✓
Proactive controls	✓	✓
Region Deny control applied to OUs	✓	✓
Region Deny control applied to landing zone	✓
Detective controls	✓
Account Factory	✓	See alternative
Account Factory for Terraform (AFT)	✓
Account Factory Customizations (AFC)	✓
AWS Service Catalog integration with Account Factory	✓
Customizations for AWS Control Tower (CfCT)	✓
Baselines applied to OUs	✓
AWS CloudTrail integration and baselines	✓	✓
AWS Backup integration and baselines	✓
AWS IAM Identity Center integration and baselines	✓
AWS SNS integration for drift notifications	✓
Amazon EventBridge integration for drift notifications	✓	✓
Register OU	✓	See alternative

Alternatives

Account Factory

If you have the AWS Config integration disabled, you can enable auto-enrollment and use AWS Organizations to create and move accounts. The accounts will inherit the controls applied to the parent OU.

Register OU

If you have the AWS Config integration disabled, you can use AWS Organizations to create OUs. Then, enable controls through the Control Catalog page in the AWS Control Tower console, reset controls on the Organization page, or use AWS Control Tower APIs.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

AWS Config Updates

Recommendations for setting up groups, roles, and policies