AWS controltower documentation change
Summary
Updated documentation about AWS Control Tower's proactive controls and CloudFormation hooks management. Removed restrictions on hook modification and provided updated reset procedures.
Security assessment
Changes focus on lifting restrictions for CloudFormation hooks management and procedural updates. While the CT.CLOUDFORMATION.PR.1 control removal is mentioned, there's no evidence this addresses a security vulnerability - rather, it appears to be a feature enhancement allowing more user control.
Diff
diff --git a/controltower/latest/userguide/2024-all.md index e366fbab7..2216eaef0 100644 --- a/controltower/latest/userguide/2024-all.md +++ b/controltower/latest/userguide/2024-all.md @@ -106 +106 @@ For more information, see [Integrated AWS Config controls available in AWS Contr -With this release, hooks deployed for proactive controls are managed by AWS Control Tower. Also, proactive controls are available in the Canada West (Calgary) Region and Asia Pacific (Malaysia) Region. +With this release, you can utilize the full capacity of AWS CloudFormation hooks, without restriction by AWS Control Tower. Also, proactive controls are available in the Canada West (Calgary) Region and Asia Pacific (Malaysia) Region. @@ -108 +108 @@ With this release, hooks deployed for proactive controls are managed by AWS Cont -Previously, AWS Control Tower relied upon AWS CloudFormation hooks for proactive control capabilities. As a result, deployed hooks were protected, so that only AWS Control Tower could modify them. With this release, the hooks deployed by proactive controls are managed by the AWS Control Tower service. You can author your own hooks, while you still benefit from the AWS Control Tower proactive controls. +Previously, all AWS CloudFormation hooks in your environment needed to be protected by the **CT.CLOUDFORMATION.PR.1** control, so that only AWS Control Tower could modify them. With this release, you can deploy AWS CloudFormation hooks, and modify these hooks, without the restrictions that previously were required by the AWS Control Tower service. @@ -110 +110 @@ Previously, AWS Control Tower relied upon AWS CloudFormation hooks for proactive -If you currently deploy proactive controls, you can move to this improved hook functionality. To do so, reset the proactive controls that are active on each OU, by calling the `ResetEnabledControl` API, or by updating the control from the console with the **Reset** functionality. When you do this task, AWS Control Tower moves the proactive control hooks to the new capability, in which hooks are managed by AWS Control Tower directly. +If you currently deploy proactive controls, you can move to this improved hook functionality. To reset all proactive controls on an OU, reset any single proactive control that is active on that OU. You can perform the reset by calling the `ResetEnabledControl` API, or by updating the control from the console, with the **Reset** functionality. When you complete this reset task for any proactive control, AWS Control Tower moves all of the proactive control hooks on the OU to the new capability. Repeat this process for each OU that deploys proactive controls. @@ -112 +112,3 @@ If you currently deploy proactive controls, you can move to this improved hook f -Also, you can remove the **CT.CLOUDFORMATION.PR.1** control after you reset the proactive controls, if you do not use it for any other purpose. That control was needed to protect the AWS CloudFormation hooks. +After you reset any proactive control, remove the **CT.CLOUDFORMATION.PR.1** control on your AWS Control Tower OUs, unless you enabled that control for another purpose. If you don't turn off the **CT.CLOUDFORMATION.PR.1** control, you won't be able to create and modify your other AWS CloudFormation hooks. + +For more information, see [Update proactive control hooks](https://docs.aws.amazon.com/controltower/latest/controlreference/update-hooks.html).