AWS Security ChangesHomeSearch

AWS controltower documentation change

Service: controltower · 2025-05-01 · Documentation low

File: controltower/latest/userguide/step-1-create-blueprint-access-role.md

Summary

Clarified that the AWSControlTowerBlueprintAccess role grants access to administer resources in the hub account (previously stated 'administer the hub account')

Security assessment

The change adds specificity about the scope of the role's permissions (resources vs. the entire account), but does not indicate a security vulnerability fix or introduce new security features. It improves documentation clarity rather than addressing a documented security issue.

Diff

diff --git a/controltower/latest/userguide/step-1-create-blueprint-access-role.md b/controltower/latest/userguide/step-1-create-blueprint-access-role.md
index 9b298caa0..baa5c46be 100644
--- a//controltower/latest/userguide/step-1-create-blueprint-access-role.md
+++ b//controltower/latest/userguide/step-1-create-blueprint-access-role.md
@@ -7 +7 @@
-Before you begin to customize accounts, you must set up a role that contains a trust relationship between AWS Control Tower and your hub account. When assumed, the role grants AWS Control Tower access to administer the hub account. The role must be named **AWSControlTowerBlueprintAccess**. 
+Before you begin to customize accounts, you must set up a role that contains a trust relationship between AWS Control Tower and your hub account. When assumed, the role grants AWS Control Tower access to administer the resources in the hub account. The role must be named **AWSControlTowerBlueprintAccess**.