<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>AWS Control Tower Security | AWS Security Cards</title>
<meta name="description" content="AWS Control Tower orchestrates multi-account governance by deploying a landing zone with guardrails, Account Factory, and centralized logging.">
<style>
*, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
body {
font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', sans-serif;
background: #0a0e1a;
color: #e2e8f0;
line-height: 1.6;
padding: 2rem;
max-width: 1200px;
margin: 0 auto;
}
a { color: #22d3ee; text-decoration: none; }
a:hover { text-decoration: underline; }
/* Card Image */
.card-image {
border-radius: 1rem;
overflow: hidden;
margin-bottom: 2rem;
border: 1px solid rgba(255,255,255,0.1);
}
.card-image img {
width: 100%;
height: auto;
display: block;
}
/* Header */
.header {
position: relative;
overflow: hidden;
border-radius: 1rem;
background: linear-gradient(135deg, #06b6d415, #0a0e1a, #0ea5e915);
border: 1px solid #06b6d44d;
padding: 2.5rem;
margin-bottom: 2rem;
}
.header::before {
content: '';
position: absolute;
top: 0; right: 0;
width: 24rem; height: 24rem;
background: #06b6d40d;
border-radius: 50%;
filter: blur(3rem);
}
.header-content { position: relative; display: flex; align-items: flex-start; gap: 1.5rem; }
.header-icon { width: 64px; height: 64px; flex-shrink: 0; }
.header-icon img { width: 100%; height: 100%; }
.header-title { font-size: 1.875rem; font-weight: 700; color: #fff; }
.header-badge {
display: inline-block;
padding: 0.25rem 0.75rem;
background: #06b6d433;
color: #06b6d4;
font-size: 0.8rem;
font-weight: 600;
border-radius: 999px;
border: 1px solid #06b6d44d;
margin-left: 0.75rem;
vertical-align: middle;
}
.header-desc { color: #94a3b8; max-width: 42rem; margin-top: 0.5rem; }
/* Stats */
.stats-row { display: grid; grid-template-columns: repeat(4, 1fr); gap: 1rem; margin-bottom: 2rem; }
.stat-card {
background: rgba(255,255,255,0.03);
border-radius: 0.5rem;
border: 1px solid rgba(255,255,255,0.06);
padding: 1rem;
text-align: center;
}
.stat-value { font-size: 1.5rem; font-weight: 700; }
.stat-label { font-size: 0.8rem; color: #94a3b8; }
/* Sections */
.section {
background: rgba(255,255,255,0.03);
border-radius: 0.75rem;
border: 1px solid rgba(255,255,255,0.06);
padding: 1.5rem;
margin-bottom: 1.5rem;
}
.section h2 {
font-size: 1.25rem;
font-weight: 700;
color: #fff;
margin-bottom: 1rem;
display: flex;
align-items: center;
gap: 0.5rem;
}
/* Overview */
.overview-grid { display: grid; grid-template-columns: 1fr 1fr; gap: 1.5rem; }
.overview-grid h4 { font-size: 0.9rem; font-weight: 600; margin-bottom: 0.5rem; }
.overview-grid p { font-size: 0.875rem; color: #94a3b8; margin-bottom: 0.75rem; }
.attack-note {
background: rgba(0,0,0,0.3);
border-radius: 0.5rem;
border: 1px solid rgba(255,255,255,0.06);
padding: 0.75rem;
font-size: 0.875rem;
color: #cbd5e1;
}
/* Risk Gauge */
.risk-gauge { display: flex; align-items: center; gap: 2rem; }
.risk-bar-container { flex: 1; }
.risk-bar {
height: 1rem;
background: #0f172a;
border-radius: 999px;
overflow: hidden;
}
.risk-bar-fill {
height: 100%;
border-radius: 999px;
background: linear-gradient(90deg, #eab308, #f97316, #ef4444);
}
.risk-labels { display: flex; justify-content: space-between; font-size: 0.8rem; color: #94a3b8; margin-top: 0.5rem; }
.risk-score { text-align: center; }
.risk-score-value { font-size: 2.5rem; font-weight: 700; color: #f87171; }
.risk-score-label { font-size: 0.8rem; color: #94a3b8; }
.risk-desc { margin-top: 1rem; font-size: 0.875rem; color: #94a3b8; }
/* Panels Grid */
.panels-grid { display: grid; grid-template-columns: repeat(3, 1fr); gap: 1.5rem; margin-bottom: 1.5rem; }
@media (max-width: 1024px) { .panels-grid { grid-template-columns: repeat(2, 1fr); } }
@media (max-width: 640px) { .panels-grid, .stats-row, .overview-grid { grid-template-columns: 1fr; } }
.panel {
background: rgba(255,255,255,0.03);
border-radius: 0.75rem;
border: 1px solid;
padding: 1.5rem;
}
.panel h3 { font-size: 1.1rem; font-weight: 700; margin-bottom: 1rem; display: flex; align-items: center; gap: 0.5rem; }
.panel h4 { font-size: 0.85rem; font-weight: 600; margin-bottom: 0.5rem; margin-top: 1rem; }
.panel ul { list-style: none; padding: 0; }
.panel li {
font-size: 0.85rem;
color: #cbd5e1;
padding: 0.15rem 0;
display: flex;
align-items: flex-start;
gap: 0.5rem;
}
.bullet { margin-top: 0.15rem; }
.note {
margin-top: 1rem;
padding: 0.75rem;
border-radius: 0.5rem;
font-size: 0.85rem;
}
/* Commands */
.cmd-grid { display: grid; grid-template-columns: 1fr 1fr; gap: 1rem; }
.cmd-block { margin-top: 0.75rem; }
.cmd-title { font-size: 0.8rem; color: #94a3b8; margin-bottom: 0.25rem; }
pre {
background: rgba(0,0,0,0.5);
border-radius: 0.5rem;
padding: 0.75rem;
font-size: 0.8rem;
color: #4ade80;
overflow-x: auto;
border: 1px solid rgba(255,255,255,0.06);
white-space: pre-wrap;
word-break: break-all;
font-family: 'SF Mono', 'Fira Code', 'Cascadia Code', monospace;
}
/* Policies */
.policy-grid { display: grid; grid-template-columns: 1fr 1fr; gap: 1.5rem; }
.policy-card {
border-radius: 0.5rem;
border: 1px solid;
padding: 1rem;
}
.policy-header { display: flex; align-items: center; gap: 0.5rem; margin-bottom: 0.75rem; font-size: 0.9rem; }
.policy-card pre { margin-bottom: 0.75rem; color: #cbd5e1; }
.policy-desc { font-size: 0.8rem; color: #94a3b8; }
/* Defenses */
.defense-grid { display: grid; grid-template-columns: 1fr 1fr; gap: 1rem; }
.defense-card {
background: rgba(255,255,255,0.03);
border-radius: 0.5rem;
border: 1px solid rgba(255,255,255,0.06);
padding: 1rem;
}
.defense-card:hover { border-color: #22d3ee4d; }
.defense-header { display: flex; align-items: flex-start; gap: 0.75rem; }
.defense-icon { font-size: 1.5rem; }
.defense-card h4 { font-size: 0.9rem; font-weight: 600; color: #fff; margin-bottom: 0.25rem; }
.defense-card p { font-size: 0.85rem; color: #94a3b8; margin-bottom: 0.5rem; }
.defense-card pre { color: #22d3ee; }
/* Footer */
.footer { text-align: center; padding: 1.5rem 0; font-size: 0.8rem; color: #64748b; }
.footer a { color: #22d3ee; }
/* Prevent ugly page-break splits */
.card-image,
.header,
.stat-card,
.stats-row,
.section,
.panel,
.cmd-block,
.policy-card,
.defense-card,
.attack-note,
.overview-grid > div,
.risk-gauge,
.note {
break-inside: avoid;
page-break-inside: avoid;
}
.section,
.panels-grid,
.card-image,
.header {
break-before: auto;
page-break-before: auto;
}
/* Keep headings with their content */
h2, h3, h4 {
break-after: avoid;
page-break-after: avoid;
}
@media print {
body { background: #0a0e1a; -webkit-print-color-adjust: exact; print-color-adjust: exact; }
.panels-grid { grid-template-columns: repeat(2, 1fr); }
.cmd-grid { grid-template-columns: 1fr; }
.policy-grid { grid-template-columns: 1fr; }
.defense-grid { grid-template-columns: 1fr; }
}
</style>
</head>
<body>
<!-- Card Image -->
<div class="card-image">
<img src="../images/controltower-card.webp" alt="AWS Control Tower Security" />
</div>
<!-- Header -->
<div class="header">
<div class="header-content">
<div class="header-icon"><img src="../icons/controltower.svg" alt="AWS Control Tower Security" /></div>
<div>
<div>
<span class="header-title">AWS Control Tower Security</span>
<span class="header-badge">MANAGEMENT</span>
</div>
<p class="header-desc">AWS Control Tower orchestrates multi-account governance by deploying a landing zone with guardrails (preventive, detective, proactive), Account Factory, and centralized logging. Compromising the management account or disabling controls grants unrestricted access across the entire organization.</p>
</div>
</div>
</div>
<!-- Stats -->
<div class="stats-row">
<div class="stat-card">
<div class="stat-value" style="color: #f87171;">CRITICAL</div>
<div class="stat-label">Risk Level</div>
</div>
<div class="stat-card">
<div class="stat-value" style="color: #4ade80;">Prev/Det/Pro</div>
<div class="stat-label">Control Types</div>
</div>
<div class="stat-card">
<div class="stat-value" style="color: #60a5fa;">Landing Zone</div>
<div class="stat-label">Governance</div>
</div>
<div class="stat-card">
<div class="stat-value" style="color: #c084fc;">Mgmt Account</div>
<div class="stat-label">Top Target</div>
</div></div>
<!-- Overview -->
<div class="section"><h2><span style="color:#06b6d4;">📋</span> Service Overview</h2><div class="overview-grid">
<div>
<h4 style="color: #06b6d4;">Landing Zone & Controls</h4>
<p>A pre-configured, secure multi-account environment. Preventive controls (SCPs), detective controls (Config rules), and proactive controls (CloudFormation Hooks) enforce the baseline; mandatory controls cannot be disabled.</p>
<div class="attack-note"><span style="color:#06b6d4;">Attack note:</span> The management account is exempt from all preventive controls (SCPs). Any identity in this account can bypass every guardrail.</div>
</div>
<div>
<h4 style="color: #06b6d4;">Account Factory & Key Roles</h4>
<p>Standardized account provisioning via Service Catalog. Creates the AWSControlTowerExecution role in every member account with AdministratorAccess, trusting the management account root.</p>
<div class="attack-note"><span style="color:#06b6d4;">Attack note:</span> AWSControlTowerExecution in every member account has AdministratorAccess and trusts the management account root with no conditions by default.</div>
</div></div></div>
<!-- Risk Assessment -->
<div class="section">
<h2>Security Risk Assessment</h2>
<div class="risk-gauge">
<div class="risk-bar-container">
<div class="risk-bar">
<div class="risk-bar-fill" style="width: 95%;"></div>
</div>
<div class="risk-labels"><span>Low</span><span>Medium</span><span>High</span><span>Critical</span></div>
</div>
<div class="risk-score">
<div class="risk-score-value">9.5</div>
<div class="risk-score-label">Risk Score</div>
</div>
</div>
<p class="risk-desc">Compromise of the management account means full admin access to every enrolled member account via AWSControlTowerExecution. Disabling controls removes guardrails organization-wide. Drift introduced by an attacker can disable security detection without obvious alerts.</p>
</div>
<!-- Main Panels -->
<div class="panels-grid">
<div class="panel" style="border-color: #f8717133;">
<h3 style="color: #f87171;">⚔️ Attack Vectors</h3><h4 style="color: #f87171;">Management Account Compromise</h4><ul><li><span class="bullet" style="color: #f87171;">•</span> Assume AWSControlTowerExecution in any member account</li><li><span class="bullet" style="color: #f87171;">•</span> Exploit weakly-scoped IAM policies for role assumption</li><li><span class="bullet" style="color: #f87171;">•</span> Compromise AWSControlTowerAdmin role</li><li><span class="bullet" style="color: #f87171;">•</span> Target Account Factory / AFT pipeline credentials</li><li><span class="bullet" style="color: #f87171;">•</span> Social-engineer org administrators</li></ul><h4 style="color: #f87171;">Control & Landing Zone Manipulation</h4><ul><li><span class="bullet" style="color: #f87171;">•</span> Disable preventive controls (SCPs) on OUs</li><li><span class="bullet" style="color: #f87171;">•</span> Disable detective controls to stop compliance monitoring</li><li><span class="bullet" style="color: #f87171;">•</span> Introduce landing zone drift by modifying SCPs</li><li><span class="bullet" style="color: #f87171;">•</span> Delete/modify AWSControlTowerCloudTrailRole</li><li><span class="bullet" style="color: #f87171;">•</span> Abuse delegated administrator privileges</li></ul></div>
<div class="panel" style="border-color: #fb923c33;">
<h3 style="color: #fb923c;">⚠️ Misconfigurations</h3><h4 style="color: #fb923c;">Dangerous Defaults</h4><ul><li><span class="bullet" style="color: #fb923c;">•</span> AWSControlTowerExecution trusts mgmt account root with no conditions</li><li><span class="bullet" style="color: #fb923c;">•</span> No Permissions Boundaries on management account identities</li><li><span class="bullet" style="color: #fb923c;">•</span> Only mandatory controls enabled</li><li><span class="bullet" style="color: #fb923c;">•</span> Account Factory provisions without additional SCPs</li><li><span class="bullet" style="color: #fb923c;">•</span> Audit account Lambda roles have cross-account admin</li></ul><h4 style="color: #fb923c;">Governance Gaps</h4><ul><li><span class="bullet" style="color: #fb923c;">•</span> No alerting for control disable/enable operations</li><li><span class="bullet" style="color: #fb923c;">•</span> Landing zone drift not monitored</li><li><span class="bullet" style="color: #fb923c;">•</span> AFT pipeline credentials stored without rotation</li><li><span class="bullet" style="color: #fb923c;">•</span> No SCP protecting Control Tower roles in member accounts</li><li><span class="bullet" style="color: #fb923c;">•</span> Management account used for daily workloads</li></ul></div>
<div class="panel" style="border-color: #22d3ee33;">
<h3 style="color: #22d3ee;">🔍 Enumeration</h3><div class="cmd-block">
<div class="cmd-title">List Landing Zones</div>
<pre><code>aws controltower list-landing-zones</code></pre>
</div><div class="cmd-block">
<div class="cmd-title">List Enabled Controls on an OU</div>
<pre><code>aws controltower list-enabled-controls \
--target-identifier arn:aws:organizations::123456789012:ou/o-abc/ou-abc-xyz</code></pre>
</div><div class="cmd-block">
<div class="cmd-title">List Drifted Controls</div>
<pre><code>aws controltower list-enabled-controls \
--target-identifier OU_ARN \
--filter '{"driftStatuses":["DRIFTED"]}'</code></pre>
</div><div class="cmd-block">
<div class="cmd-title">List All Baselines</div>
<pre><code>aws controltower list-baselines</code></pre>
</div><div class="cmd-block">
<div class="cmd-title">List Organization Accounts</div>
<pre><code>aws organizations list-accounts \
--query 'Accounts[*].[Id,Name,Status]' --output table</code></pre>
</div></div>
<div class="panel" style="border-color: #c084fc33;">
<h3 style="color: #c084fc;">📈 Privilege Escalation</h3><h4 style="color: #c084fc;">From Member to Full Org Access</h4><ul><li><span class="bullet" style="color: #c084fc;">•</span> Assume AWSControlTowerExecution in any member account</li><li><span class="bullet" style="color: #c084fc;">•</span> Audit account role chain to AdministratorExecutionRole</li><li><span class="bullet" style="color: #c084fc;">•</span> Register compromised account as delegated admin</li><li><span class="bullet" style="color: #c084fc;">•</span> Exploit management account identity with sts:AssumeRole *</li></ul><h4 style="color: #c084fc;">From Management Account</h4><ul><li><span class="bullet" style="color: #c084fc;">•</span> Disable preventive controls to remove SCP restrictions</li><li><span class="bullet" style="color: #c084fc;">•</span> Disable detective controls to blind compliance</li><li><span class="bullet" style="color: #c084fc;">•</span> Modify landing zone manifest to weaken security</li><li><span class="bullet" style="color: #c084fc;">•</span> Create new accounts with attacker-controlled settings</li></ul><div class="note"><strong>Key insight:</strong> AWSControlTowerExecution has AdministratorAccess in every member account. A single sts:AssumeRole with Resource: * in the management account is enough to pivot to all accounts.</div></div>
<div class="panel" style="border-color: #facc1533;">
<h3 style="color: #facc15;">🔗 Persistence</h3><h4 style="color: #facc15;">Maintaining Access</h4><ul><li><span class="bullet" style="color: #facc15;">•</span> AWSControlTowerExecution role persists across account lifecycle</li><li><span class="bullet" style="color: #facc15;">•</span> Add conditions bypass in member account trust policies</li><li><span class="bullet" style="color: #facc15;">•</span> Create accounts via Account Factory with backdoor settings</li><li><span class="bullet" style="color: #facc15;">•</span> Register as delegated administrator for sensitive services</li><li><span class="bullet" style="color: #facc15;">•</span> Store AFT pipeline credentials for future access</li></ul><h4 style="color: #facc15;">Evading Detection</h4><ul><li><span class="bullet" style="color: #facc15;">•</span> Introduce drift that disables detective controls</li><li><span class="bullet" style="color: #facc15;">•</span> Modify CloudTrail role to disrupt centralized logging</li><li><span class="bullet" style="color: #facc15;">•</span> Move accounts between OUs to bypass controls</li><li><span class="bullet" style="color: #facc15;">•</span> Disable auto-enrollment for new accounts</li><li><span class="bullet" style="color: #facc15;">•</span> Use management account (exempt from SCPs)</li></ul></div>
<div class="panel" style="border-color: #4ade8033;">
<h3 style="color: #4ade80;">🛡️ Detection</h3><h4 style="color: #4ade80;">Critical CloudTrail Events</h4><ul><li><span class="bullet" style="color: #4ade80;">•</span> DisableControl / EnableControl - control changes</li><li><span class="bullet" style="color: #4ade80;">•</span> UpdateLandingZone / ResetLandingZone - LZ modifications</li><li><span class="bullet" style="color: #4ade80;">•</span> AssumeRole on AWSControlTowerExecution</li><li><span class="bullet" style="color: #4ade80;">•</span> CreateManagedAccount - new account creation</li><li><span class="bullet" style="color: #4ade80;">•</span> DisableBaseline - baseline removal</li></ul><h4 style="color: #4ade80;">Drift Indicators</h4><ul><li><span class="bullet" style="color: #4ade80;">•</span> SCP modifications outside Control Tower</li><li><span class="bullet" style="color: #4ade80;">•</span> Accounts moved between OUs manually</li><li><span class="bullet" style="color: #4ade80;">•</span> Control Tower roles modified in member accounts</li><li><span class="bullet" style="color: #4ade80;">•</span> Landing zone status showing DRIFTED</li><li><span class="bullet" style="color: #4ade80;">•</span> CloudTrail configuration changes</li></ul></div></div>
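<!-- Added worked example -->
<div class="section"><h2><span style="color:#4ade80;">🧪</span> Worked Example: Flagging Control Tower Changes in CloudTrail</h2>
<p>The Detection panel lists the CloudTrail events and drift indicators worth alerting on. The script below, an added example rather than code from the original card, turns that list into rules run over constructed sample records: it flags the Control Tower API calls named above, any AssumeRole against AWSControlTowerExecution, and Organizations SCP/OU changes made by a principal that is not a Control Tower role (the role-name markers used for that heuristic are an assumption).</p>

```python
"""Flag Control Tower governance changes in CloudTrail records.
Rules follow the Detection panel of this card; the records at the bottom
are constructed samples with placeholder account, OU and policy IDs."""
import json

# Control Tower API names listed under "Critical CloudTrail Events".
CONTROL_TOWER_EVENTS = {"DisableControl", "EnableControl", "UpdateLandingZone",
                        "ResetLandingZone", "DisableBaseline", "CreateManagedAccount"}
# Organizations calls that introduce drift when made outside Control Tower.
DRIFT_EVENTS = {"UpdatePolicy", "DetachPolicy", "DeletePolicy", "MoveAccount"}
# Assumption: Control Tower acts through roles whose names carry these markers.
CT_ROLE_MARKERS = ("role/AWSControlTower", "role/aws-controltower-")


def is_control_tower_principal(record):
    """Heuristic: the caller is the service itself or one of its own roles."""
    ident = record.get("userIdentity") or {}
    if ident.get("type") == "AWSService":
        return True
    issuer = (ident.get("sessionContext") or {}).get("sessionIssuer") or {}
    arn = ident.get("arn") or issuer.get("arn") or ""
    return any(marker in arn for marker in CT_ROLE_MARKERS)


def classify(record):
    """Return (severity, reason) for a record worth alerting on, else None."""
    source = record.get("eventSource", "")
    name = record.get("eventName", "")
    params = record.get("requestParameters") or {}
    caller = (record.get("userIdentity") or {}).get("arn", "unknown")
    if source == "controltower.amazonaws.com" and name in CONTROL_TOWER_EVENTS:
        target = params.get("targetIdentifier", "landing zone")
        return ("critical", f"{name} on {target} by {caller}")
    if source == "sts.amazonaws.com" and name == "AssumeRole":
        role_arn = params.get("roleArn", "")
        if role_arn.endswith(":role/AWSControlTowerExecution"):
            member = role_arn.split(":")[4]  # account ID field of the role ARN
            return ("critical", f"AWSControlTowerExecution assumed in {member} by {caller}")
    if source == "organizations.amazonaws.com" and name in DRIFT_EVENTS:
        if not is_control_tower_principal(record):
            return ("high", f"Drift: {name} outside Control Tower by {caller}")
    return None


def scan(records):
    """Return (eventTime, severity, reason) for every record that matches a rule."""
    alerts = []
    for record in records:
        hit = classify(record)
        if hit:
            alerts.append((record.get("eventTime"), hit[0], hit[1]))
    return alerts


# Constructed sample records (not real CloudTrail output).
SAMPLE_RECORDS = json.loads("""[
 {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "controltower.amazonaws.com", "eventName": "DisableControl",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
  "requestParameters": {"controlIdentifier": "arn:aws:controltower:us-east-1::control/EXAMPLE_CONTROL",
                        "targetIdentifier": "arn:aws:organizations::111111111111:ou/o-example/ou-example-1"}},
 {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/bob"},
  "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/AWSControlTowerExecution",
                        "roleSessionName": "ops-session"}},
 {"eventTime": "2024-05-01T10:10:00Z", "eventSource": "organizations.amazonaws.com", "eventName": "DetachPolicy",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111111111111:assumed-role/AWSControlTowerAdmin/ct"},
  "requestParameters": {"policyId": "p-example", "targetId": "ou-example-1"}},
 {"eventTime": "2024-05-01T10:15:00Z", "eventSource": "organizations.amazonaws.com", "eventName": "MoveAccount",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/bob"},
  "requestParameters": {"accountId": "333333333333", "sourceParentId": "ou-example-1",
                        "destinationParentId": "r-example"}},
 {"eventTime": "2024-05-01T10:20:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/bob"}, "requestParameters": {}}
]""")
```

Running <code>scan(SAMPLE_RECORDS)</code> yields three alerts (the DisableControl, the AWSControlTowerExecution assumption, and the manual MoveAccount); the DetachPolicy made by a Control Tower role and the unrelated EC2 call are ignored.
</div>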
<!-- Exploitation -->
<div class="section"><h2><span style="color:#f87171;">💻</span> Exploitation Commands</h2><div class="cmd-grid"><div class="cmd-block">
<div class="cmd-title">Assume AWSControlTowerExecution</div>
<pre><code>aws sts assume-role \
--role-arn arn:aws:iam::MEMBER_ACCOUNT_ID:role/AWSControlTowerExecution \
--role-session-name ct-pivot</code></pre>
</div><div class="cmd-block">
<div class="cmd-title">Disable a Control on an OU</div>
<pre><code>aws controltower disable-control \
--control-identifier arn:aws:controltower:us-east-1::control/CONTROL_ID \
--target-identifier OU_ARN</code></pre>
</div><div class="cmd-block">
<div class="cmd-title">List SCPs on an OU</div>
<pre><code>aws organizations list-policies-for-target \
--target-id ou-xxxx-xxxxxxxx \
--filter SERVICE_CONTROL_POLICY</code></pre>
</div><div class="cmd-block">
<div class="cmd-title">Get Landing Zone Drift Status</div>
<pre><code>aws controltower get-landing-zone \
--landing-zone-identifier LZ_ARN</code></pre>
</div></div></div>
<!-- Policies -->
<div class="section"><h2><span style="color:#4ade80;">📜</span> Policy Examples</h2><div class="policy-grid"><div class="policy-card" style="border-color: #ef444433; background: rgba(239,68,68,0.05);">
<div class="policy-header">
<span style="color: #f87171; font-size: 1.2em;">✗</span>
<span style="color: #f87171; font-weight: 600;">Dangerous - Wildcard AssumeRole in Mgmt Account</span>
</div>
<pre><code>{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "*"
}</code></pre>
<p class="policy-desc">Allows assumption of AWSControlTowerExecution in every member account -- full org compromise</p>
</div><div class="policy-card" style="border-color: #22c55e33; background: rgba(34,197,94,0.05);">
<div class="policy-header">
<span style="color: #4ade80; font-size: 1.2em;">✓</span>
<span style="color: #4ade80; font-weight: 600;">Secure - Permissions Boundary Blocking CT Role</span>
</div>
<pre><code>{
"Effect": "Deny",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::*:role/AWSControlTowerExecution"
}</code></pre>
<p class="policy-desc">Applied as Permissions Boundary to block unauthorized pivoting to member accounts</p>
</div><div class="policy-card" style="border-color: #22c55e33; background: rgba(34,197,94,0.05);">
<div class="policy-header">
<span style="color: #4ade80; font-size: 1.2em;">✓</span>
<span style="color: #4ade80; font-weight: 600;">Secure - SCP Protecting CT Roles</span>
</div>
<pre><code>{
"Effect": "Deny",
"Action": ["iam:DeleteRole", "iam:PutRolePolicy", "iam:UpdateAssumeRolePolicy"],
"Resource": ["arn:aws:iam::*:role/AWSControlTowerExecution", "arn:aws:iam::*:role/aws-controltower-*"]
}</code></pre>
<p class="policy-desc">Prevents member account identities from modifying or deleting Control Tower roles</p>
</div></div></div>
<!-- Defenses -->
<div class="section"><h2><span style="color:#4ade80;">🛡️</span> Defense Recommendations</h2><div class="defense-grid"><div class="defense-card">
<div class="defense-header">
<span class="defense-icon">🏢</span>
<div>
<h4>Isolate the Management Account</h4>
<p>Run zero production workloads. Restrict to Control Tower administration, Organizations management, and billing only.</p>
</div>
</div>
</div><div class="defense-card">
<div class="defense-header">
<span class="defense-icon">🛡️</span>
<div>
<h4>Apply Permissions Boundaries</h4>
<p>Deny sts:AssumeRole against AWSControlTowerExecution on all management account identities.</p>
</div>
</div>
</div><div class="defense-card">
<div class="defense-header">
<span class="defense-icon">🔒</span>
<div>
<h4>Add Conditions to CT Execution Trust</h4>
<p>Modify trust policy on AWSControlTowerExecution in member accounts to require principal tags or IP ranges.</p>
</div>
</div>
</div><div class="defense-card">
<div class="defense-header">
<span class="defense-icon">✅</span>
<div>
<h4>Enable All Strongly Recommended Controls</h4>
<p>Do not rely only on mandatory controls. Enable all strongly recommended preventive and detective controls.</p>
</div>
</div>
</div><div class="defense-card">
<div class="defense-header">
<span class="defense-icon">🔔</span>
<div>
<h4>Monitor Control Tower API Calls</h4>
<p>Alert on DisableControl, EnableControl, UpdateLandingZone, and AWSControlTowerExecution role assumptions.</p>
</div>
</div>
</div><div class="defense-card">
<div class="defense-header">
<span class="defense-icon">🚫</span>
<div>
<h4>Protect CT Roles via SCP</h4>
<p>Deploy SCP denying modification/deletion of AWSControlTowerExecution and aws-controltower-* roles by member accounts.</p>
</div>
</div>
</div></div></div>
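<!-- Added worked example -->
<div class="section"><h2><span style="color:#4ade80;">🧪</span> Worked Example: Auditing the AssumeRole and Trust Policy Defaults</h2>
<p>The Policy Examples above and the "Apply Permissions Boundaries" and "Add Conditions to CT Execution Trust" recommendations describe two policy-level checks. The code below is an added example, not part of the original card: it detects an identity policy that allows sts:AssumeRole on Resource "*", detects an AWSControlTowerExecution trust policy that trusts an account root with no Condition, and produces a hardened copy that requires a principal tag (the tag key and value are assumptions; the sample policy documents are constructed).</p>

```python
"""Audit two defaults this card flags: an identity policy in the management
account granting sts:AssumeRole on Resource "*", and an AWSControlTowerExecution
trust policy that trusts the management account root with no Condition.
The policy documents at the bottom are constructed samples."""
import json


def _statements(doc):
    stmts = doc.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allows_wildcard_assume_role(identity_policy):
    """True if an Allow statement grants sts:AssumeRole (or sts:* / *) on Resource '*'."""
    for st in _statements(identity_policy):
        if st.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if actions & {"sts:assumerole", "sts:*", "*"} and "*" in _as_list(st.get("Resource", [])):
            return True
    return False


def unconditional_root_trusts(trust_policy):
    """Account IDs (or '*') whose root is trusted by an Allow with no Condition."""
    found = []
    for st in _statements(trust_policy):
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        principal = st.get("Principal") or {}
        if principal == "*":            # anyone at all, the worst case
            found.append("*")
            continue
        if not isinstance(principal, dict):
            continue
        for p in _as_list(principal.get("AWS", [])):
            if p.endswith(":root"):
                found.append(p.split(":")[4])   # account ID field of the ARN
            elif p.isdigit() and len(p) == 12:  # bare account ID also means root
                found.append(p)
    return found


def harden_trust_policy(trust_policy, tag_key, tag_value):
    """Copy of the trust policy where each unconditional Allow now requires a
    principal tag via aws:PrincipalTag; the tag key and value are assumptions."""
    hardened = json.loads(json.dumps(trust_policy))  # deep copy, original untouched
    for st in _statements(hardened):
        if st.get("Effect") == "Allow" and not st.get("Condition"):
            st["Condition"] = {"StringEquals": {f"aws:PrincipalTag/{tag_key}": tag_value}}
    return hardened


# Constructed samples; DEFAULT_TRUST mirrors the default trust described in the card.
DEFAULT_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "sts:AssumeRole"}]}
WILDCARD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Resource": "arn:aws:iam::222222222222:role/ReadOnlyAuditor"}]}
```

Pair the hardened trust policy with an SCP like the "Protecting CT Roles" example above so that member-account identities cannot revert the added Condition.
</div>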
<!-- Footer -->
<div class="footer">
<p>AWS Control Tower Security Card</p>
<p style="margin-top:0.25rem;">Always obtain proper authorization before testing</p>
</div>
</body>
</html>