Drift prevention and notification
You can enable certain controls and subscribe to certain SNS notifications that help you maintain compliance in AWS Control Tower.
Note
AWS Control Tower no longer sends drift notifications to the SNS topic for customers on landing zone version 4.0 or later (LZ4.0+). If you are on LZ4.0+, follow the EventBridge notification setup instead.
Drift monitoring protection
AWS Control Tower provides passive and active methods of drift monitoring protection for preventive controls.
- Passive protection: AWS Organizations monitors and logs preventive control (SCP) drift.
- Active protection: The AWS Control Tower drift monitoring service actively scans the preventive control SCPs on a regular basis.
AWS Control Tower notifies you by means of SNS messaging if drift is detected.
Drift prevention
Some controls prevent modification of compliance reporting mechanisms.
- Disallow Changes to AWS Config Rules Set Up by AWS Control Tower (Mandatory, preventive control)
- Disallow Deletion of AWS Config Aggregation Authorizations Created by AWS Control Tower (Mandatory, preventive control)
- Disallow Changes to Tags Created by AWS Control Tower for AWS Config Resources (Mandatory, preventive control)
- Disallow Configuration Changes to AWS Config (Mandatory, preventive control)
In contrast to preventive controls, detective controls notify you of resources that violate the associated AWS Config rule.
To receive SNS notifications about drift and control compliance
For information about how to receive appropriate drift and control compliance notifications by Amazon SNS, see Compliance notifications by SNS in the audit account.
Publishers and subscribers for SNS topics
The aws-controltower-AllConfigNotifications topic:
- The AWS::Config::DeliveryChannel resource is configured to send notifications about configuration changes to this topic.
- The possible types of notifications that AWS Config can send are defined in the Amazon SNS Topic section of the AWS Config documentation.
- The AWS::CloudTrail::Trail resource is configured to send notifications of log file delivery to this topic.
- You may subscribe to this topic.
The aws-controltower-SecurityNotifications topic:
- The AWS::Events::Rule resource is configured to send notifications about AWS Config Rule compliance changes (one of the SNS notification types) to this topic.
- The aws-controltower-NotificationForwarderLambda function is subscribed to this topic, and it forwards the SNS notifications to the aws-controltower-AggregateSecurityNotifications topic.
The aws-controltower-AggregateSecurityNotifications topic:
- This topic receives notifications from aws-controltower-SecurityNotifications, forwarded by the Lambda function.
- It also receives drift notifications in the home Region.
- When AWS Control Tower creates the topic, a subscription is added for the audit account email address, and you must confirm the subscription.
Note
The endpoint, such as an email address, must confirm each subscription; SNS does not send messages to an endpoint until the subscription is confirmed.
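The fan-out described above (EventBridge rule publishes AWS Config compliance changes to aws-controltower-SecurityNotifications, a Lambda function forwards them to the aggregate topic) is easy to misread as "every message is re-published as-is". The following is an added example, not the source of aws-controltower-NotificationForwarderLambda or any other AWS Control Tower code: a forwarder that parses the SNS records a subscribed Lambda function receives, keeps only rule evaluations that transition to NON_COMPLIANT, and publishes a short summary to an aggregate topic. The account IDs, ARNs, rule name and resource ID in the sample event are constructed for illustration, and the `publish` callable is injected so the logic runs offline; the boto3-backed `lambda_handler` is the only part that needs AWS credentials.

```python
"""Added example: filter-and-forward AWS Config compliance-change notifications.

Not the aws-controltower-NotificationForwarderLambda source. Sample data and
ARNs below are constructed for illustration only.
"""
import json
from typing import Any, Callable, Dict, List, Optional

# publish(topic_arn, subject, message) -> None; injected so the code runs offline.
Publisher = Callable[[str, str, str], None]

# Hypothetical aggregate topic ARN (constructed, not a real account).
AGGREGATE_TOPIC_ARN = (
    "arn:aws:sns:us-east-1:111122223333:aws-controltower-AggregateSecurityNotifications"
)


def _config_event(account: str, region: str, rule: str, resource_type: str,
                  resource_id: str, old: str, new: str) -> str:
    """Build one constructed EventBridge 'Config Rules Compliance Change' event body."""
    return json.dumps({
        "version": "0",
        "detail-type": "Config Rules Compliance Change",
        "source": "aws.config",
        "account": account,
        "region": region,
        "detail": {
            "awsAccountId": account,
            "awsRegion": region,
            "configRuleName": rule,
            "resourceType": resource_type,
            "resourceId": resource_id,
            "messageType": "ComplianceChangeNotification",
            "oldEvaluationResult": {"complianceType": old},
            "newEvaluationResult": {"complianceType": new},
        },
    })


# Constructed SNS event as a subscribed Lambda function would receive it.
SAMPLE_SNS_EVENT: Dict[str, Any] = {
    "Records": [
        # 1) a resource became NON_COMPLIANT: this one should be forwarded
        {"EventSource": "aws:sns", "Sns": {"Message": _config_event(
            "444455556666", "us-east-1", "AWSControlTower_AWS-GR_RESTRICTED_SSH",
            "AWS::EC2::SecurityGroup", "sg-0123456789abcdef0", "COMPLIANT", "NON_COMPLIANT")}},
        # 2) the same resource recovered: noise for an on-call reader, dropped
        {"EventSource": "aws:sns", "Sns": {"Message": _config_event(
            "444455556666", "us-east-1", "AWSControlTower_AWS-GR_RESTRICTED_SSH",
            "AWS::EC2::SecurityGroup", "sg-0123456789abcdef0", "NON_COMPLIANT", "COMPLIANT")}},
        # 3) a message that is not a compliance-change event at all: dropped, not crashed on
        {"EventSource": "aws:sns", "Sns": {"Message": "Not a JSON event at all"}},
    ]
}


def parse_compliance_change(message: str) -> Optional[Dict[str, str]]:
    """Return the useful fields of a Config Rules Compliance Change event, else None."""
    try:
        body = json.loads(message)
    except (TypeError, ValueError):
        return None
    if not isinstance(body, dict) or body.get("source") != "aws.config":
        return None
    if body.get("detail-type") != "Config Rules Compliance Change":
        return None
    detail = body.get("detail") or {}
    if detail.get("messageType") != "ComplianceChangeNotification":
        return None
    old = (detail.get("oldEvaluationResult") or {}).get("complianceType", "UNKNOWN")
    new = (detail.get("newEvaluationResult") or {}).get("complianceType", "UNKNOWN")
    return {
        "account": detail.get("awsAccountId", body.get("account", "")),
        "region": detail.get("awsRegion", body.get("region", "")),
        "configRuleName": detail.get("configRuleName", ""),
        "resourceType": detail.get("resourceType", ""),
        "resourceId": detail.get("resourceId", ""),
        "oldCompliance": old,
        "newCompliance": new,
    }


def should_forward(change: Dict[str, str]) -> bool:
    """Forward only transitions into NON_COMPLIANT; re-evaluations that stay
    non-compliant, or recoveries, are filtered out."""
    return change["newCompliance"] == "NON_COMPLIANT" and change["oldCompliance"] != "NON_COMPLIANT"


def forward_security_notifications(event: Dict[str, Any], publish: Publisher,
                                   aggregate_topic_arn: str = AGGREGATE_TOPIC_ARN) -> List[Dict[str, str]]:
    """Walk the SNS records, publish a summary for each qualifying change, return them."""
    forwarded: List[Dict[str, str]] = []
    for record in event.get("Records", []):
        change = parse_compliance_change((record.get("Sns") or {}).get("Message", ""))
        if change is None or not should_forward(change):
            continue
        subject = f"NON_COMPLIANT: {change['configRuleName']} in {change['account']}/{change['region']}"
        publish(aggregate_topic_arn, subject[:100], json.dumps(change))  # SNS subjects are capped at 100 chars
        forwarded.append(change)
    return forwarded


def lambda_handler(event: Dict[str, Any], context: Any) -> Dict[str, int]:
    """Lambda entry point using boto3 (needs AWS credentials; not exercised offline)."""
    import boto3  # imported lazily so the rest of the module runs without the SDK

    sns = boto3.client("sns")

    def publish(topic_arn: str, subject: str, message: str) -> None:
        sns.publish(TopicArn=topic_arn, Subject=subject, Message=message)

    return {"forwarded": len(forward_security_notifications(event, publish))}


if __name__ == "__main__":
    sent: List[tuple] = []
    result = forward_security_notifications(SAMPLE_SNS_EVENT, lambda a, s, m: sent.append((a, s, m)))
    print(f"forwarded {len(result)} of {len(SAMPLE_SNS_EVENT['Records'])} records")
    for topic_arn, subject, _ in sent:
        print(subject, "->", topic_arn)
```

Running the module with the constructed event forwards one of the three records: the NON_COMPLIANT transition. If you want recoveries as well (for example to auto-close tickets), relax `should_forward`; whatever you forward, remember that the aggregate topic's email subscriber must have confirmed the subscription before any of these messages are delivered.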