AWS controltower documentation change
Summary
Updated resource naming conventions, added AWS Organizations Service Control Policy (SCP), and modified KMS/CloudTrail configurations.
Security assessment
The addition of the 'aws-ct-aft-protect-resources' SCP introduces a security control for resource protection. Renamed resources and configurations improve consistency but do not directly address a security vulnerability. The SCP addition qualifies as security documentation.
Diff
diff --git a/controltower/latest/userguide/aft-resources.md b/controltower/latest/userguide/aft-resources.md index 804206365..f2ad467d8 100644 --- a//controltower/latest/userguide/aft-resources.md +++ b//controltower/latest/userguide/aft-resources.md @@ -28,20 +28,18 @@ AWS Control Tower Account Factory for Terraform management account **AWS service -AWS Identity and Access Management | Roles | AWSAFTAdmin AWSAFTExecution AWSAFTService ct-aft-* aft-* codebuild_trigger_role python-layer-builder-aft-common-* -AWS Identity and Access Management | Policies | aft-* -CodeCommit | Repositories | aft-* -CodeBuild | Build Projects | aft-* ct-aft-* apython-layer-builder-aft-common-* -Code Pipeline | Pipelines | accountId-customizations-pipeline -Amazon S3 | Buckets | aft-* -Lambda | Functions | aft-* -Lambda | Layers | aft-common-* -DynamoDB | Tables | aft-request aaft-request-audit aft-request-metadata aft-controltower-events -Step Functions | State Machines | aft-account-provisioning-customizations aft-account-provisioning-framework aft-feature-options aft-invoke-customizations -VPC | VPC | aft-management-vpc -Amazon SNS | Topics | aft-notifications aft-failure-notifications -Amazon EventBridge | Event buses | aft-events-from-ct-management -Amazon EventBridge | Event rules | aft-account-provisioning-customizations-trigger aft-account-request-codepipeline-trigger aft-lambda-account-request-processor aft-controltower-event-logger -Key Management Service (KMS) | Customer Managed Keys | *aft-backend-*-kms-key aft-* -AWS Systems Manager | Parameter store | /aft/* -Amazon SQS | Queues | aft-account-request.fifo aft-account-request-dlg.fifo -CloudWatch | Log groups | /aws/*/ct-aft-* /aws/*/aft-* /aws/codebuild/python-layer-builder-aft-common-* -AWS Backup | Vaults | aft-controltower-backup-vault -AWS Backup | Plans | aft-controltower-backup-plan +AWS Identity and Access Management | Roles | AWSAFTAdministrator AWSAFTExecution AWSAFTService aws-ct-aft-* +AWS Identity and Access Management | Policies | aws-ct-aft-* +CodeCommit | Repositories | aws-ct-aft-* +CodeBuild | Build Projects | aws-ct-aft-* +Code Pipeline | Pipelines | *-baseline-* +Amazon S3 | Buckets | *-aws-ct-aft-* aws-ct-aft-* +Lambda | Functions | aws-ct-aft-* +Lambda | Layers | aws-ct-aft-common-layer +DynamoDB | Tables | aws-ct-aft-request aws-ct-aft-request-audit aws-ct-aft-request-metadata aws-ct-aft-controltower-events +Step Functions | State Machines | aws-ct-aft-prebaseline aws-ct-aft-prebaseline-customizations aws-ct-aft-trigger-baseline aws-ct-aft-features +VPC | VPC | aws-ct-aft-vpc +Amazon SNS | Topics | aws-ct-aft-notifications aws-ct-aft-failure-notifications +Amazon EventBridge | Event buses | aws-ct-aft-events-from-ct-management +Amazon EventBridge | Event rules | aws-ct-aft-capture-ct-events aws-ct-aft-lambda-account-request-processor +Key Management Service (KMS) | Customer Managed Keys | *-aws-ct-aft-* aws-ct-aft-* +AWS Systems Manager | Parameter store | /aws-ct-aft/account/* /aws/ct-aft/config/* +Amazon SQS | Queues | aws-ct-aft-account-request.fifo aws-ct-aft-account-request-dlg.fifo +CloudWatch | Log groups | /aws/*/aws-ct-aft-* aws-ct-aft-* @@ -57,4 +55,4 @@ AWS Control Tower management account **AWS service** | **Resource type** | **Res -AWS Identity and Access Management | Roles | AWSAFTExecution AWSAFTService aft-controltower-events-rule -AWS Systems Manager | Parameter store | /aft/* -EventBridge | Event rules | aft-capture-ct-events -CloudTrail (Optional) | Trails | aws-aft-CustomizationsCloudTrail +AWS Identity and Access Management | Roles | AWSAFTExecutionRole AWSAFTExecution aws-ct-aft-controltower-events-rule +AWS Systems Manager | Parameter store | /aws-ct-aft/account/aws-ct-aft-management/account-id +AWS Organizations (Optional) | Service Control Policies | aws-ct-aft-protect-resources +CloudTrail (Optional) | Trails | aws-ct-aft-BaselineCloudTrail @@ -65,3 +63,3 @@ AWS Control Tower log archive account **AWS service** | **Resource type** | **Re -AWS Identity and Access Management | Roles | AWSAFTExecution AWSAFTService -Key Management Service (KMS) | Customer Managed Keys | aft -Amazon S3 | Buckets | aws-aft-logs-* aws-aft-s3-access-logs-* +AWS Identity and Access Management | Roles | AWSAFTExecutionRole AWSAFTExecution aws-ct-aft-cloudtrail-data-events-role +Key Management Service (KMS) | Customer Managed Keys | *-aws-ct-aft-kms-gd-findings +Amazon S3 | Buckets | *-aws-ct-aft-logs* aws-ct-aft-s3-access-logs* @@ -72 +70 @@ AWS Control Tower audit account **AWS service** | **Resource type** | **Resource -AWS Identity and Access Management | Roles | AWSAFTExecution AWSAFTService +AWS Identity and Access Management | Roles | AWSAFTExecutionRole AWSAFTExecution