AWS Security ChangesHomeSearch

AWS controltower documentation change

Service: controltower · 2025-05-16 · Documentation low

File: controltower/latest/userguide/aft-resources.md

Summary

Updated resource naming patterns and configurations for AWS Control Tower Account Factory Terraform (AFT) resources across multiple services. Changed prefix patterns from 'aws-ct-aft-*' to 'aft-*' and 'ct-aft-*', added AWS Backup resources, and reorganized service/resource mappings.

Security assessment

The changes primarily involve resource naming conventions and service configurations rather than addressing specific vulnerabilities. However, the addition of AWS Backup Vaults/Plans documentation introduces security-adjacent disaster recovery capabilities. No concrete evidence of patching vulnerabilities or addressing active security issues is present in the diff.

Diff

diff --git a/controltower/latest/userguide/aft-resources.md b/controltower/latest/userguide/aft-resources.md
index f2ad467d8..804206365 100644
--- a//controltower/latest/userguide/aft-resources.md
+++ b//controltower/latest/userguide/aft-resources.md
@@ -28,18 +28,20 @@ AWS Control Tower Account Factory for Terraform management account **AWS service
-AWS Identity and Access Management | Roles |  AWSAFTAdministrator AWSAFTExecution AWSAFTService aws-ct-aft-*  
-AWS Identity and Access Management | Policies | aws-ct-aft-*  
-CodeCommit | Repositories | aws-ct-aft-*  
-CodeBuild | Build Projects | aws-ct-aft-*  
-Code Pipeline | Pipelines | *-baseline-*  
-Amazon S3 | Buckets | *-aws-ct-aft-* aws-ct-aft-*  
-Lambda | Functions | aws-ct-aft-*  
-Lambda | Layers | aws-ct-aft-common-layer  
-DynamoDB | Tables | aws-ct-aft-request aws-ct-aft-request-audit aws-ct-aft-request-metadata aws-ct-aft-controltower-events  
-Step Functions | State Machines | aws-ct-aft-prebaseline aws-ct-aft-prebaseline-customizations aws-ct-aft-trigger-baseline aws-ct-aft-features  
-VPC | VPC | aws-ct-aft-vpc  
-Amazon SNS | Topics | aws-ct-aft-notifications aws-ct-aft-failure-notifications  
-Amazon EventBridge | Event buses | aws-ct-aft-events-from-ct-management  
-Amazon EventBridge | Event rules | aws-ct-aft-capture-ct-events aws-ct-aft-lambda-account-request-processor  
-Key Management Service (KMS) | Customer Managed Keys | *-aws-ct-aft-* aws-ct-aft-*  
-AWS Systems Manager | Parameter store | /aws-ct-aft/account/* /aws/ct-aft/config/*  
-Amazon SQS | Queues | aws-ct-aft-account-request.fifo aws-ct-aft-account-request-dlg.fifo  
-CloudWatch | Log groups | /aws/*/aws-ct-aft-* aws-ct-aft-*  
+AWS Identity and Access Management | Roles |  AWSAFTAdmin AWSAFTExecution AWSAFTService ct-aft-* aft-* codebuild_trigger_role python-layer-builder-aft-common-*  
+AWS Identity and Access Management | Policies | aft-*  
+CodeCommit | Repositories | aft-*  
+CodeBuild | Build Projects | aft-* ct-aft-* apython-layer-builder-aft-common-*  
+Code Pipeline | Pipelines | accountId-customizations-pipeline  
+Amazon S3 | Buckets | aft-*  
+Lambda | Functions | aft-*  
+Lambda | Layers | aft-common-*  
+DynamoDB | Tables | aft-request aaft-request-audit aft-request-metadata aft-controltower-events  
+Step Functions | State Machines | aft-account-provisioning-customizations aft-account-provisioning-framework aft-feature-options aft-invoke-customizations  
+VPC | VPC | aft-management-vpc  
+Amazon SNS | Topics | aft-notifications aft-failure-notifications  
+Amazon EventBridge | Event buses | aft-events-from-ct-management  
+Amazon EventBridge | Event rules | aft-account-provisioning-customizations-trigger aft-account-request-codepipeline-trigger aft-lambda-account-request-processor aft-controltower-event-logger  
+Key Management Service (KMS) | Customer Managed Keys | *aft-backend-*-kms-key aft-*  
+AWS Systems Manager | Parameter store | /aft/*  
+Amazon SQS | Queues | aft-account-request.fifo aft-account-request-dlg.fifo  
+CloudWatch | Log groups | /aws/*/ct-aft-* /aws/*/aft-* /aws/codebuild/python-layer-builder-aft-common-*  
+AWS Backup | Vaults | aft-controltower-backup-vault  
+AWS Backup | Plans | aft-controltower-backup-plan  
@@ -55,4 +57,4 @@ AWS Control Tower management account **AWS service** | **Resource type** | **Res
-AWS Identity and Access Management | Roles |  AWSAFTExecutionRole AWSAFTExecution aws-ct-aft-controltower-events-rule  
-AWS Systems Manager | Parameter store | /aws-ct-aft/account/aws-ct-aft-management/account-id  
-AWS Organizations (Optional) | Service Control Policies | aws-ct-aft-protect-resources  
-CloudTrail (Optional) | Trails | aws-ct-aft-BaselineCloudTrail  
+AWS Identity and Access Management | Roles |  AWSAFTExecution AWSAFTService aft-controltower-events-rule  
+AWS Systems Manager | Parameter store | /aft/*  
+EventBridge | Event rules | aft-capture-ct-events  
+CloudTrail (Optional) | Trails | aws-aft-CustomizationsCloudTrail  
@@ -63,3 +65,3 @@ AWS Control Tower log archive account **AWS service** | **Resource type** | **Re
-AWS Identity and Access Management | Roles |  AWSAFTExecutionRole AWSAFTExecution aws-ct-aft-cloudtrail-data-events-role  
-Key Management Service (KMS) | Customer Managed Keys | *-aws-ct-aft-kms-gd-findings  
-Amazon S3 | Buckets | *-aws-ct-aft-logs* aws-ct-aft-s3-access-logs*  
+AWS Identity and Access Management | Roles |  AWSAFTExecution AWSAFTService  
+Key Management Service (KMS) | Customer Managed Keys | aft  
+Amazon S3 | Buckets | aws-aft-logs-* aws-aft-s3-access-logs-*  
@@ -70 +72 @@ AWS Control Tower audit account **AWS service** | **Resource type** | **Resource
-AWS Identity and Access Management | Roles |  AWSAFTExecutionRole AWSAFTExecution  
+AWS Identity and Access Management | Roles |  AWSAFTExecution AWSAFTService