This section addresses options and resources to enable your foundation team to define and efficiently roll out new and updated cloud resources or “baselines” across your AWS accounts to further secure the overall environment and deliver useful common capabilities to your internal teams.
The actual security and compliance controls and typical common foundation resources that would be handled by the baseline mechanism are covered in other sections. For example:
As the degree of customization and extent of your foundation resources expands over time, you’ll benefit from having an automated means to roll out and manage such resources. Additionally, you’ll benefit from using Infrastructure as Code (IaC) and other common practices to treat such resources as code that progresses through a modern development and testing workflow.
…
…
…position AWS Control Tower’s guardrails feature in this context…
See AWS Solutions Customizations for AWS Control Tower
AWS CloudFormation StackSets with AWS Organizations introduced the ability to automatically apply stack sets as member accounts join and leave OUs.
AWS Control Tower Lifecycle Event Notifications can help trigger automation to manage the lifecycle of baselines.
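One way such automation can gate a baseline rollout on a lifecycle event, shown as an added example that is not part of the original page or any AWS solution. It assumes the event arrives through Amazon EventBridge in the documented Control Tower lifecycle event shape; the function names, the returned dictionary and the sample account and OU IDs are constructed for illustration.

```python
# Added example: decide whether a Control Tower lifecycle event should
# trigger a baseline rollout. Function names and return shape are hypothetical.

# Lifecycle event name -> status key under detail.serviceEventDetails
STATUS_KEYS = {
    "CreateManagedAccount": "createManagedAccountStatus",
    "UpdateManagedAccount": "updateManagedAccountStatus",
}


def baseline_target(event):
    """Return the account and OU to baseline, or None if the event
    must not trigger a rollout (wrong source, event type or state)."""
    if event.get("source") != "aws.controltower":
        return None
    detail = event.get("detail") or {}
    name = detail.get("eventName")
    status_key = STATUS_KEYS.get(name)
    if status_key is None:
        return None
    status = (detail.get("serviceEventDetails") or {}).get(status_key) or {}
    # A failed enrollment still emits an event; never baseline on it.
    if status.get("state") != "SUCCEEDED":
        return None
    account_id = (status.get("account") or {}).get("accountId")
    ou_id = (status.get("organizationalUnit") or {}).get("organizationalUnitId")
    if not (account_id and ou_id):
        return None
    return {"account_id": account_id, "ou_id": ou_id, "trigger": name}


def handler(event, context=None):
    """Lambda-style entry point: returns the decision instead of acting,
    so the rollout mechanism (pipeline, stack set update) stays pluggable."""
    target = baseline_target(event)
    if target is None:
        return {"action": "skip"}
    return {"action": "apply_baseline", **target}


def sample_event(state, name="CreateManagedAccount"):
    """Constructed sample event; IDs are placeholders, not real accounts."""
    status = {
        "organizationalUnit": {"organizationalUnitId": "ou-abcd-11111111"},
        "account": {"accountId": "111122223333"},
        "state": state,
    }
    return {"source": "aws.controltower",
            "detail": {"eventName": name,
                       "serviceEventDetails": {STATUS_KEYS[name]: status}}}
```

Checking the `state` field matters because the notification reports the outcome of the action, and a baseline applied to a half-enrolled account is harder to reason about than one that was never applied.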