AWS controltower documentation change
Summary
Updated resource naming patterns and configurations for AWS Control Tower Account Factory Terraform (AFT) resources across multiple services. Changed prefix patterns from 'aws-ct-aft-*' to 'aft-*' and 'ct-aft-*', added AWS Backup resources, and reorganized service/resource mappings.
Security assessment
The changes primarily involve resource naming conventions and service configurations rather than addressing specific vulnerabilities. However, the addition of AWS Backup Vaults/Plans documentation introduces security-adjacent disaster recovery capabilities. No concrete evidence of patching vulnerabilities or addressing active security issues is present in the diff.
Diff
diff --git a/controltower/latest/userguide/aft-resources.md b/controltower/latest/userguide/aft-resources.md index f2ad467d8..804206365 100644 --- a//controltower/latest/userguide/aft-resources.md +++ b//controltower/latest/userguide/aft-resources.md @@ -28,18 +28,20 @@ AWS Control Tower Account Factory for Terraform management account **AWS service -AWS Identity and Access Management | Roles | AWSAFTAdministrator AWSAFTExecution AWSAFTService aws-ct-aft-* -AWS Identity and Access Management | Policies | aws-ct-aft-* -CodeCommit | Repositories | aws-ct-aft-* -CodeBuild | Build Projects | aws-ct-aft-* -Code Pipeline | Pipelines | *-baseline-* -Amazon S3 | Buckets | *-aws-ct-aft-* aws-ct-aft-* -Lambda | Functions | aws-ct-aft-* -Lambda | Layers | aws-ct-aft-common-layer -DynamoDB | Tables | aws-ct-aft-request aws-ct-aft-request-audit aws-ct-aft-request-metadata aws-ct-aft-controltower-events -Step Functions | State Machines | aws-ct-aft-prebaseline aws-ct-aft-prebaseline-customizations aws-ct-aft-trigger-baseline aws-ct-aft-features -VPC | VPC | aws-ct-aft-vpc -Amazon SNS | Topics | aws-ct-aft-notifications aws-ct-aft-failure-notifications -Amazon EventBridge | Event buses | aws-ct-aft-events-from-ct-management -Amazon EventBridge | Event rules | aws-ct-aft-capture-ct-events aws-ct-aft-lambda-account-request-processor -Key Management Service (KMS) | Customer Managed Keys | *-aws-ct-aft-* aws-ct-aft-* -AWS Systems Manager | Parameter store | /aws-ct-aft/account/* /aws/ct-aft/config/* -Amazon SQS | Queues | aws-ct-aft-account-request.fifo aws-ct-aft-account-request-dlg.fifo -CloudWatch | Log groups | /aws/*/aws-ct-aft-* aws-ct-aft-* +AWS Identity and Access Management | Roles | AWSAFTAdmin AWSAFTExecution AWSAFTService ct-aft-* aft-* codebuild_trigger_role python-layer-builder-aft-common-* +AWS Identity and Access Management | Policies | aft-* +CodeCommit | Repositories | aft-* +CodeBuild | Build Projects | aft-* ct-aft-* apython-layer-builder-aft-common-* +Code Pipeline | Pipelines | accountId-customizations-pipeline +Amazon S3 | Buckets | aft-* +Lambda | Functions | aft-* +Lambda | Layers | aft-common-* +DynamoDB | Tables | aft-request aaft-request-audit aft-request-metadata aft-controltower-events +Step Functions | State Machines | aft-account-provisioning-customizations aft-account-provisioning-framework aft-feature-options aft-invoke-customizations +VPC | VPC | aft-management-vpc +Amazon SNS | Topics | aft-notifications aft-failure-notifications +Amazon EventBridge | Event buses | aft-events-from-ct-management +Amazon EventBridge | Event rules | aft-account-provisioning-customizations-trigger aft-account-request-codepipeline-trigger aft-lambda-account-request-processor aft-controltower-event-logger +Key Management Service (KMS) | Customer Managed Keys | *aft-backend-*-kms-key aft-* +AWS Systems Manager | Parameter store | /aft/* +Amazon SQS | Queues | aft-account-request.fifo aft-account-request-dlg.fifo +CloudWatch | Log groups | /aws/*/ct-aft-* /aws/*/aft-* /aws/codebuild/python-layer-builder-aft-common-* +AWS Backup | Vaults | aft-controltower-backup-vault +AWS Backup | Plans | aft-controltower-backup-plan @@ -55,4 +57,4 @@ AWS Control Tower management account **AWS service** | **Resource type** | **Res -AWS Identity and Access Management | Roles | AWSAFTExecutionRole AWSAFTExecution aws-ct-aft-controltower-events-rule -AWS Systems Manager | Parameter store | /aws-ct-aft/account/aws-ct-aft-management/account-id -AWS Organizations (Optional) | Service Control Policies | aws-ct-aft-protect-resources -CloudTrail (Optional) | Trails | aws-ct-aft-BaselineCloudTrail +AWS Identity and Access Management | Roles | AWSAFTExecution AWSAFTService aft-controltower-events-rule +AWS Systems Manager | Parameter store | /aft/* +EventBridge | Event rules | aft-capture-ct-events +CloudTrail (Optional) | Trails | aws-aft-CustomizationsCloudTrail @@ -63,3 +65,3 @@ AWS Control Tower log archive account **AWS service** | **Resource type** | **Re -AWS Identity and Access Management | Roles | AWSAFTExecutionRole AWSAFTExecution aws-ct-aft-cloudtrail-data-events-role -Key Management Service (KMS) | Customer Managed Keys | *-aws-ct-aft-kms-gd-findings -Amazon S3 | Buckets | *-aws-ct-aft-logs* aws-ct-aft-s3-access-logs* +AWS Identity and Access Management | Roles | AWSAFTExecution AWSAFTService +Key Management Service (KMS) | Customer Managed Keys | aft +Amazon S3 | Buckets | aws-aft-logs-* aws-aft-s3-access-logs-* @@ -70 +72 @@ AWS Control Tower audit account **AWS service** | **Resource type** | **Resource -AWS Identity and Access Management | Roles | AWSAFTExecutionRole AWSAFTExecution +AWS Identity and Access Management | Roles | AWSAFTExecution AWSAFTService