AWS controltower documentation change
Summary
Clarified that AWS Control Tower uses StackSets by default
Security assessment
Minor clarification about deployment mechanism with no security implications
Diff
diff --git a/controltower/latest/userguide/how-control-tower-works.md b/controltower/latest/userguide/how-control-tower-works.md index 5fcfb8f65..5dc8f0564 100644 --- a/controltower/latest/userguide/how-control-tower-works.md +++ b/controltower/latest/userguide/how-control-tower-works.md @@ -5 +5 @@ -Structure of an AWS Control Tower Landing ZoneWhat happens when you set up a landing zoneWhat are the shared accounts?How controls workHow AWS Control Tower works with StackSets +Structure of an AWS Control Tower Landing ZoneWhat happens when you set up a landing zoneHow AWS Control Tower works with StackSets @@ -21 +21 @@ The structure of a landing zone in AWS Control Tower is as follows: - * **IAM Identity Center directory** – This directory houses your IAM Identity Center users. It defines the scope of permissions for each IAM Identity Center user. + * **IAM Identity Center directory** – By default, this directory houses your IAM Identity Center users. It defines the scope of permissions for each IAM Identity Center user. Optionally, you can choose to self-manage your identity and access control. For more information, see [Working with AWS IAM Identity Center and AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/sso.html). @@ -58,45 +57,0 @@ When you set up a landing zone, AWS Control Tower performs the following actions -## What are the shared accounts? - -In AWS Control Tower, the shared accounts in your landing zone are provisioned during setup: the management account, the log archive account, and the audit account. - -### What is the management account? - -This is the account that you created specifically for your landing zone. This account is used for billing for everything in your landing zone. It's also used for Account Factory provisioning of accounts, as well as to manage OUs and controls. - -###### Note - -It is not recommended to run any type of production workloads from an AWS Control Tower management account. Create a separate AWS Control Tower account to run your workloads. - -For more information, see [Management account](./accounts.html#mgmt-account). - -### What is the log archive account? - -This account works as a repository for logs of API activities and resource configurations from all accounts in the landing zone. - -For more information, see [Log archive account](./accounts.html#log-archive-account). - -### What is the audit account? - -The audit account is a restricted account that's designed to give your security and compliance teams read and write access to all accounts in your landing zone. From the audit account, you have programmatic access to review accounts, by means of a role that is granted to Lambda functions only. The audit account does not allow you to log in to other accounts manually. For more information about Lambda functions and roles, see [Configure a Lambda function to assume a role from another AWS account](https://aws.amazon.com/premiumsupport/knowledge-center/lambda-function-assume-iam-role). - -For more information, see [Audit account](./accounts.html#audit-account). - -## How controls work - -A control is a high-level rule that provides ongoing governance for your overall AWS environment. Each control enforces a single rule, and it's expressed in plain language. You can change the elective or strongly recommended controls that are in force, at any time, from the AWS Control Tower console or the AWS Control Tower APIs. Mandatory controls are always applied, and they can't be changed. - -Preventive controls prevent actions from occurring. For example, the elective control called **Disallow Changes to Bucket Policy for Amazon S3 Buckets** (Previously called **Disallow Policy Changes to Log Archive**) prevents any IAM policy changes within the log archive shared account. Any attempt to perform a prevented action is denied and logged in CloudTrail. The resource is also logged in AWS Config. - -Detective controls detect specific events when they occur and log the action in CloudTrail. For example, the strongly recommended control called **Detect Whether Encryption is Enabled for Amazon EBS Volumes Attached to Amazon EC2 Instances** detects whether an unencrypted Amazon EBS volume is attached to an EC2 instance in your landing zone. - -Proactive controls check whether resources are compliant with your company policies and objectives, before the resources are provisioned in your accounts. If the resources are out of compliance, they are not provisioned. Proactive controls monitor resources that would be deployed in your accounts by means of AWS CloudFormation templates. - -_For those who are familiar with AWS:_ In AWS Control Tower preventive controls are implemented with Service Control Policies (SCPs). Detective controls are implemented with AWS Config rules. Proactive controls are implemented with AWS CloudFormation hooks. - -### Related Topics - - * [Detect and resolve drift in AWS Control Tower](./drift.html) - - - - @@ -105 +60 @@ _For those who are familiar with AWS:_ In AWS Control Tower preventive controls -AWS Control Tower uses AWS CloudFormation StackSets to set up resources in your accounts. Each stack set has StackInstances that correspond to accounts, and to AWS Regions per account. AWS Control Tower deploys one stack set instance per account and Region. +AWS Control Tower uses AWS CloudFormation StackSets to set up resources in your accounts, by default. Each stack set has StackInstances that correspond to accounts, and to AWS Regions per account. AWS Control Tower deploys one stack set instance per account and Region. @@ -125 +80 @@ What Is AWS Control Tower? -Terminology +What are the shared accounts?