The Campus Cloud uses the AWS Control Tower Service as the primary tool for creating, maintaining, and implementing policies and controls in AWS. Guardrails are the high-level rules that help define AWS policy.
Guardrails are categorized according to their behavior and their guidance. The behavior of each guardrail is either preventive or detective. Guardrail guidance refers to the recommended practice for how to apply each guardrail to your OUs. The guidance of a guardrail is independent of whether its behavior is preventive or detective.
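To make the preventive/detective distinction concrete, the following added example (not part of this page or of AWS's own guardrail implementation) evaluates a simplified region-deny service control policy of the kind behind the "Deny access to AWS based on the requested AWS Region" guardrail, and runs two detective-style checks that mirror the EBS-encryption and S3 Block Public Access guardrails listed on this page. The policy document, the evaluator's limited SCP grammar, and all sample data are assumptions constructed for this example; a real deployment would feed the checks from `describe_volumes` and `get_public_access_block` output instead.

```python
import fnmatch

# Illustrative SCP in the style of a region-deny guardrail. This is an
# assumption for the example, not the actual policy Control Tower deploys.
REGION_DENY_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyOutsideApprovedRegions",
            "Effect": "Deny",
            # Global services are exempted so IAM/STS/Organizations keep working.
            "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*"],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "us-east-2"]}
            },
        }
    ],
}


def _matches(pattern, action):
    # IAM action names are case-insensitive; '*' is the only wildcard used here.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def region_denied(scp, action, region):
    """Preventive check: True if the SCP would deny `action` issued in `region`.

    Only the subset of SCP grammar used above is evaluated (Effect=Deny,
    NotAction, StringNotEquals on aws:RequestedRegion)."""
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if any(_matches(p, action) for p in stmt.get("NotAction", [])):
            continue  # action is exempt from this Deny statement
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        allowed = cond.get("aws:RequestedRegion", [])
        if allowed and region not in allowed:
            return True
    return False


def unencrypted_ebs_volumes(volumes):
    """Detective check: IDs of *attached* volumes whose Encrypted flag is False.

    `volumes` follows the shape of EC2 DescribeVolumes output; unattached
    volumes are out of scope, matching the guardrail's wording."""
    return [
        v["VolumeId"]
        for v in volumes
        if not v.get("Encrypted") and v.get("Attachments")
    ]


def s3_public_access_block_gaps(config):
    """Detective check: account-level Block Public Access flags not set to True."""
    required = (
        "BlockPublicAcls",
        "IgnorePublicAcls",
        "BlockPublicPolicy",
        "RestrictPublicBuckets",
    )
    return [k for k in required if not config.get(k, False)]


# Constructed sample data (not taken from any real account).
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0a", "Encrypted": True, "Attachments": [{"InstanceId": "i-1"}]},
    {"VolumeId": "vol-0b", "Encrypted": False, "Attachments": [{"InstanceId": "i-2"}]},
    {"VolumeId": "vol-0c", "Encrypted": False, "Attachments": []},  # unattached
]
SAMPLE_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": False, "BlockPublicPolicy": True}

if __name__ == "__main__":
    print("ec2:RunInstances in eu-west-1 denied:",
          region_denied(REGION_DENY_SCP, "ec2:RunInstances", "eu-west-1"))
    print("iam:CreateRole in eu-west-1 denied:",
          region_denied(REGION_DENY_SCP, "iam:CreateRole", "eu-west-1"))
    print("Unencrypted attached volumes:", unencrypted_ebs_volumes(SAMPLE_VOLUMES))
    print("Block Public Access gaps:", s3_public_access_block_gaps(SAMPLE_PAB))
```

The preventive check answers "would this call be refused?" before anything exists, while the detective checks report non-compliant resources that already exist; that is why a preventive guardrail can be attached to an OU as a hard boundary, whereas a detective guardrail produces findings that still need remediation.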
See the AWS documentation for the complete guardrail reference.
AWS active guardrails as of Feb 9, 2023 (release of Control Tower v3.1)
Mandatory guardrails are enabled by default when you set up the Control Tower landing zone and can't be disabled. AWS maintains the list of mandatory guardrails.
Strongly Recommended Guardrails that have been enabled:
- Disallow Creation of Access Keys for the Root User (September 5, 2019)
- Detect whether encryption is enabled for Amazon EBS volumes attached to Amazon EC2 instances (previously "Enable Encryption for Amazon EBS Volumes Attached to Amazon EC2 Instances") (August 25, 2019, name updated) √
- Detect whether unrestricted internet connection through SSH is allowed (previously "Disallow Internet Connection Through SSH") (June 24, 2019)
- Detect whether MFA for the root user is enabled (previously "Enable MFA for the Root User") (June 24, 2019)
- Detect whether public access to Amazon RDS database snapshots is enabled (previously "Disallow Public Access to Amazon RDS Database Snapshots") (August 25, 2019)
- Detect whether unrestricted incoming TCP traffic is allowed (November 15, 2018)
- Detect whether public write access to Amazon S3 buckets is allowed (November 15, 2018)
Elective Guardrails that have been enabled:
- Detect whether replication instances for AWS Database Migration Service are public (November 30, 2021)
- Detect whether Amazon EBS snapshots are restorable by all AWS accounts (November 30December 1, 2021)
- Detect whether any Amazon EMR cluster master nodes have public IP addresses (November 30, 2021)
- Detect whether the AWS Lambda function policy attached to the Lambda resource blocks public access (November 30, 2021)
- Detect whether public routes exist in the route table for an Internet Gateway (IGW) (November 30, 2021; currently being re-evaluated in DEV)
- Detect whether Amazon Redshift clusters are blocked from public access (November 30, 2021)
- Deny access to AWS based on the requested AWS Region (November 30, 2021July 26, 2022; currently being re-evaluated in DEV)
- Detect whether Amazon S3 settings to block public access are set as true for the account (November 30, 2021)
- Detect whether AWS Systems Manager documents owned by the account are public (November 30, 2021)
- Detect whether MFA is enabled for AWS IAM users of the Console (previously "Disallow Console Access to IAM Users Without MFA") (August 25July 30, 2019)