Control Tower Isn't Enough: Uncovering AWS Threat Detection Gaps with A13E
Why AWS Control Tower Isn’t Enough: The Case for Threat Detection Coverage
Following a recent conversation with a colleague about cloud security tooling, I wanted to share some thoughts on the complementary relationship between AWS Control Tower and the A13E detection coverage validator.
The Core Distinction
| Aspect | AWS Control Tower | A13E DCV |
|---|---|---|
| Primary Focus | Governance and Compliance | Threat Detection Coverage |
| Question Answered | “Are my controls configured correctly?” | “What attacks can’t I detect?” |
| Framework | AWS Best Practices, CIS, PCI | MITRE ATT&CK |
| Perspective | Preventive/Compliance | Detective/Threat-Centric |
What Control Tower Actually Provides
AWS Control Tower offers over 350 controls (sometimes called guardrails) to help govern your AWS environment:
Control Types:
- Preventive (SCPs): Block actions before they happen
- Detective (Config Rules): Check configuration compliance
- Proactive (CloudFormation hooks): Validate before deployment
Coverage Areas:
- IAM configuration
- S3 bucket policies
- Encryption settings
- Logging enablement
- Network configuration
- Account governance
The Gap Control Tower Doesn’t Address
1. Compliance Does Not Equal Detection
Control Tower ensures your configuration is compliant. It doesn’t tell you whether you can detect an attacker who holds valid credentials and operates entirely within the permissions those controls allow.
Example:
| Control Tower Status | A13E Question |
|---|---|
| “MFA is enabled on root account” | “Can you detect T1078 (Valid Accounts) abuse when an attacker uses stolen session tokens?” |
| “CloudTrail is enabled” | “Are you alerting on suspicious API patterns?” |
2. No MITRE ATT&CK Mapping
Control Tower guardrails don’t map to attack techniques. The MITRE ATT&CK Cloud Matrix contains 83 techniques across 11 tactics, but Control Tower doesn’t tell you which of them you can detect.
| Control Tower Says | A13E Shows |
|---|---|
| “Config rule passed” | “This covers T1530 (Data from Cloud Storage)” |
| “Guardrail enabled” | “You’re missing T1537 (Transfer Data to Cloud Account)” |
| — | “52 techniques have no detection coverage” |
3. Detective Controls Are Fragmented
With Control Tower, your detections are scattered across multiple consoles: GuardDuty findings, Security Hub controls, Config rules, custom EventBridge rules and CloudWatch alarms.
A13E aggregates all of these and shows unified coverage against the MITRE ATT&CK framework.
Concrete Value Scenarios
Scenario 1: Insider Threat / Credential Compromise
Control Tower status: All green
- IAM policies follow least privilege
- MFA enabled
- CloudTrail logging active
A13E reveals:
- No detection for T1078.004 (Cloud Accounts) — valid credential abuse
- No detection for T1538 (Cloud Service Dashboard) — console reconnaissance
- No detection for T1087.004 (Cloud Account Discovery) — enumeration
- “You cannot detect an attacker using legitimate credentials”
Scenario 2: Data Exfiltration
Control Tower status: All green
- S3 buckets not public
- Encryption enabled
- Access logging on
A13E reveals:
- No detection for T1537 (Transfer Data to Cloud Account) — cross-account copy
- No detection for T1567 (Exfiltration Over Web Service) — data to external cloud
- “An attacker with read access can exfiltrate data undetected”
Scenario 3: Persistence Mechanisms
Control Tower status: All green
- SCPs block certain actions
- Config rules check IAM
A13E reveals:
- No detection for T1098.001 (Additional Cloud Credentials)
- No detection for T1136.003 (Cloud Account Creation)
- “An attacker can establish persistence without triggering alerts”
Quantitative Gap Analysis
MITRE ATT&CK Cloud Matrix:
- 83 techniques and sub-techniques
- 11 tactics (Initial Access through Impact)
Typical Control Tower Coverage (estimated):
- 15–25 techniques indirectly covered
- Mostly Initial Access, some Persistence, some Defense Evasion
- Heavy focus on configuration, not behaviour
The Delta:
- 50–60+ techniques with no detection
- Entire tactics potentially uncovered:
  - Discovery (T1087, T1069, T1580)
  - Lateral Movement (T1550)
  - Collection (T1530)
  - Exfiltration (T1537, T1567)
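To make the gap analysis behind the three scenarios and the numbers above concrete, here is a small added example (not A13E code and not an AWS API): detections are written as EventBridge-style event patterns over CloudTrail management events, each tagged with the ATT&CK technique it covers, and the script reports both which constructed events would alert and which techniques named on this page have no detection mapped to them at all. The detection names and sample records are constructed for illustration.

```python
"""Toy detection-coverage check in the spirit of the A13E gap analysis.
Added example; the rule names and sample events are constructed."""

# Techniques called out on this page, keyed by ATT&CK ID.
TECHNIQUES = {
    "T1078.004": "Cloud Accounts",
    "T1087.004": "Cloud Account Discovery",
    "T1098.001": "Additional Cloud Credentials",
    "T1136.003": "Cloud Account Creation",
    "T1530": "Data from Cloud Storage",
    "T1537": "Transfer Data to Cloud Account",
    "T1538": "Cloud Service Dashboard",
}

# Detections as EventBridge-style patterns over CloudTrail records,
# each mapped to the single technique it is meant to catch.
DETECTIONS = [
    {"name": "iam-new-credential", "technique": "T1098.001",
     "pattern": {"eventSource": ["iam.amazonaws.com"],
                 "eventName": ["CreateAccessKey", "CreateLoginProfile"]}},
    {"name": "iam-new-user", "technique": "T1136.003",
     "pattern": {"eventSource": ["iam.amazonaws.com"],
                 "eventName": ["CreateUser"]}},
]

def matches(pattern, event):
    """Flat EventBridge semantics: every key in the pattern must exist in
    the event and its value must be one of the listed alternatives."""
    return all(event.get(k) in allowed for k, allowed in pattern.items())

def alerts_for(event):
    """Technique IDs whose detections fire on one CloudTrail record."""
    return sorted({d["technique"] for d in DETECTIONS if matches(d["pattern"], event)})

def coverage_gap():
    """Techniques from this page with no detection mapped to them."""
    covered = {d["technique"] for d in DETECTIONS}
    return sorted(t for t in TECHNIQUES if t not in covered)

# Constructed CloudTrail records, trimmed to the fields the patterns read.
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey"},
    {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers"},      # T1087.004 activity
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy"},  # T1537 precursor
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["eventName"], "->", alerts_for(e) or "no detection")
    print("uncovered:", [f"{t} ({TECHNIQUES[t]})" for t in coverage_gap()])
```

Only the access-key creation alerts; the enumeration and bucket-policy events pass silently, which is exactly the "compliant but blind" state the scenarios describe.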
A13E’s Unique Value Add
| Capability | Control Tower | A13E |
|---|---|---|
| Multi-account visibility | Governance only | Detection coverage per account |
| MITRE ATT&CK mapping | No | Every detection mapped to technique |
| Gap prioritisation | No | Critical/High/Medium/Low |
| Remediation templates | No | Terraform/CloudFormation ready |
| Effort estimation | No | Quick Win / Typical / Comprehensive |
| Coverage trending | No | Track improvement over time |
| Multi-cloud (GCP) | No | Unified view |
| Custom detection mapping | No | EventBridge, Lambda, CloudWatch |
The Complementary Relationship
| AWS Control Tower | A13E DCV |
|---|---|
| “Is my environment configured securely?” | “Can I detect attacks when they happen?” |
| Preventive Controls | Detective Coverage |
| Configuration Compliance | Threat Detection Gaps |
| Governance Policies | MITRE ATT&CK Mapping |
| Account Provisioning | Prioritised Remediation |
Both are needed for defence in depth.
Summary
Control Tower gives you:
“Your AWS environment follows best practices and governance policies”
A13E adds:
“Here are the attack techniques you still cannot detect, prioritised by severity, with ready-to-deploy detection templates”
Bottom Line: Control Tower is necessary but not sufficient. A13E answers the question Control Tower cannot: “What happens when prevention fails?”
References:
- AWS Control Tower Guardrails
- MITRE ATT&CK Cloud Matrix
- T1078.004 - Valid Accounts: Cloud Accounts
- T1537 - Transfer Data to Cloud Account
- T1530 - Data from Cloud Storage