AWS Security

Building a CPS 234-Compliant Landing Zone with Control Tower

2026-06-14

Most AWS landing-zone templates are generic CIS baselines. None speak APRA out of the box. For a regulated entity, that means weeks of stitching guardrails together by hand after the accounts already exist — exactly backwards. CPS 234 controls should be baked in from account zero, enforced as code.

Here's the approach: a security baseline (the controls) + preventative guardrails (so they can't be switched off), structured as Terraform.

Practitioner guidance: review the terraform plan output in your own environment before applying.

Two layers

1. Security baseline (the controls) — applied per account/region:

  • Encrypted, validated audit trail: a multi-region CloudTrail with log-file validation and its own KMS key + a locked-down log bucket (versioned, public-access-blocked, TLS-only policy).
  • Account-level guardrails: S3 Block Public Access on, EBS default encryption on, a CPS 234 password policy (length ≥14, complexity, reuse prevention, rotation).
  • Detective controls: GuardDuty + Security Hub enabled.

2. Preventative guardrails (so the baseline can't be undone) — a Service Control Policy attached to the OU/root:

  • Deny cloudtrail:StopLogging / DeleteTrail, config:Stop*, guardduty:DeleteDetector, securityhub:DisableSecurityHub — the security services can't be turned off.
  • Deny ec2:DisableEbsEncryptionByDefault and removing account public-access blocks.
  • Deny organizations:LeaveOrganization and root-user actions.

The baseline sets up the controls; the SCP makes them non-bypassable by member accounts. That distinction is what turns "we configured it" into "it can't be misconfigured."
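The preventative SCP from layer 2, written out as Terraform. This is an added example and not the post's own cps234-guardrails module; it assumes the AWS provider runs in the Organizations management account, uses s3:PutAccountPublicAccessBlock as the action behind "removing account public-access blocks", and treats the target OU ID and the exempted baseline deployer role name as placeholders.

```hcl
# Added example (not the post's module). Placeholders: target OU/root ID and
# the baseline deployer role that is still allowed to set the S3 account block.
resource "aws_organizations_policy" "cps234_guardrails" {
  name = "cps234-guardrails"
  type = "SERVICE_CONTROL_POLICY"
  content = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # The security services can't be turned off from inside a member account
        Sid    = "DenyDisableSecurityServices"
        Effect = "Deny"
        Action = [
          "cloudtrail:StopLogging",
          "cloudtrail:DeleteTrail",
          "config:Stop*",
          "guardduty:DeleteDetector",
          "securityhub:DisableSecurityHub",
        ]
        Resource = "*"
      },
      {
        # EBS default encryption and the account public-access block stay as set;
        # only the baseline's own deployer role may change the S3 account block
        Sid       = "DenyWeakenAccountGuardrails"
        Effect    = "Deny"
        Action    = ["ec2:DisableEbsEncryptionByDefault", "s3:PutAccountPublicAccessBlock"]
        Resource  = "*"
        Condition = { ArnNotLike = { "aws:PrincipalArn" = "arn:aws:iam::*:role/cps234-baseline-deployer" } }
      },
      {
        Sid      = "DenyLeaveOrganization"
        Effect   = "Deny"
        Action   = "organizations:LeaveOrganization"
        Resource = "*"
      },
      {
        # SCPs apply to a member account's root user, so root is denied everything
        Sid       = "DenyRootUser"
        Effect    = "Deny"
        Action    = "*"
        Resource  = "*"
        Condition = { StringLike = { "aws:PrincipalArn" = "arn:aws:iam::*:root" } }
      },
    ]
  })
}
resource "aws_organizations_policy_attachment" "cps234_guardrails" {
  policy_id = aws_organizations_policy.cps234_guardrails.id
  target_id = "ou-REPLACE-ME" # placeholder: OU (ou-...) or root (r-...) ID
}
```

The ArnNotLike exemption is what lets the security-baseline module still apply the account public-access block under this SCP; without it the second statement would block the baseline's own terraform apply in member accounts.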

Why Control Tower / Organizations

CPS 234 expects controls commensurate with the criticality of assets across the estate — which means multi-account, with a security/audit OU separate from workloads. Control Tower (or AFT) gives you the account factory; the SCP gives you the enforcement layer that a single-account setup can't. The landing zone is where "least privilege that survives an audit" actually lives, because the SCP survives even when an individual account's IAM drifts.

The shape (Terraform)

modules/
  security-baseline/    # CloudTrail+KMS+bucket, GuardDuty, Security Hub,
                        # account public-access block, EBS default encryption,
                        # CPS 234 password policy
  cps234-guardrails/    # the preventative SCP (deny disabling the above)
examples/
  single-account/       # apply the baseline to one account

Apply the baseline to an account, attach the guardrail SCP at the OU — and new accounts inherit a CPS 234 floor the moment they're created.

How it fits the bigger picture

The landing zone is the preventative half. Pair it with the detective half — a Prowler CPS 234 framework or an AWS Config conformance pack — and you can both prevent drift (SCP) and prove the posture continuously (scan/Config). Prevention + evidence is what a CPS 234 review actually runs on.


Building APRA-aligned AWS foundations and tooling in the open at aiopsone.com.


Primary sources: AWS Control Tower · AWS Config conformance packs · APRA CPS 234
