AWS controltower documentation change
Summary
Clarified that the AWSControlTowerBlueprintAccess role grants access to administer resources in the hub account (previously stated 'administer the hub account')
Security assessment
The change adds specificity about the scope of the role's permissions (resources vs. the entire account), but does not indicate a security vulnerability fix or introduce new security features. It improves documentation clarity rather than addressing a documented security issue.
Diff
diff --git a/controltower/latest/userguide/step-1-create-blueprint-access-role.md b/controltower/latest/userguide/step-1-create-blueprint-access-role.md index 9b298caa0..baa5c46be 100644 --- a//controltower/latest/userguide/step-1-create-blueprint-access-role.md +++ b//controltower/latest/userguide/step-1-create-blueprint-access-role.md @@ -7 +7 @@ -Before you begin to customize accounts, you must set up a role that contains a trust relationship between AWS Control Tower and your hub account. When assumed, the role grants AWS Control Tower access to administer the hub account. The role must be named **AWSControlTowerBlueprintAccess**. +Before you begin to customize accounts, you must set up a role that contains a trust relationship between AWS Control Tower and your hub account. When assumed, the role grants AWS Control Tower access to administer the resources in the hub account. The role must be named **AWSControlTowerBlueprintAccess**.