AWS Security ChangesHomeSearch

AWS controltower documentation change

Service: controltower · 2025-05-22 · Documentation medium

File: controltower/latest/userguide/aft-resources.md

Summary

Updated resource naming conventions, added AWS Organizations Service Control Policy (SCP), and modified KMS/CloudTrail configurations.

Security assessment

The addition of the 'aws-ct-aft-protect-resources' SCP introduces a security control for resource protection. Renamed resources and configurations improve consistency but do not directly address a security vulnerability. The SCP addition qualifies as security documentation.

Diff

diff --git a/controltower/latest/userguide/aft-resources.md b/controltower/latest/userguide/aft-resources.md
index 804206365..f2ad467d8 100644
--- a//controltower/latest/userguide/aft-resources.md
+++ b//controltower/latest/userguide/aft-resources.md
@@ -28,20 +28,18 @@ AWS Control Tower Account Factory for Terraform management account **AWS service
-AWS Identity and Access Management | Roles |  AWSAFTAdmin AWSAFTExecution AWSAFTService ct-aft-* aft-* codebuild_trigger_role python-layer-builder-aft-common-*  
-AWS Identity and Access Management | Policies | aft-*  
-CodeCommit | Repositories | aft-*  
-CodeBuild | Build Projects | aft-* ct-aft-* apython-layer-builder-aft-common-*  
-Code Pipeline | Pipelines | accountId-customizations-pipeline  
-Amazon S3 | Buckets | aft-*  
-Lambda | Functions | aft-*  
-Lambda | Layers | aft-common-*  
-DynamoDB | Tables | aft-request aaft-request-audit aft-request-metadata aft-controltower-events  
-Step Functions | State Machines | aft-account-provisioning-customizations aft-account-provisioning-framework aft-feature-options aft-invoke-customizations  
-VPC | VPC | aft-management-vpc  
-Amazon SNS | Topics | aft-notifications aft-failure-notifications  
-Amazon EventBridge | Event buses | aft-events-from-ct-management  
-Amazon EventBridge | Event rules | aft-account-provisioning-customizations-trigger aft-account-request-codepipeline-trigger aft-lambda-account-request-processor aft-controltower-event-logger  
-Key Management Service (KMS) | Customer Managed Keys | *aft-backend-*-kms-key aft-*  
-AWS Systems Manager | Parameter store | /aft/*  
-Amazon SQS | Queues | aft-account-request.fifo aft-account-request-dlg.fifo  
-CloudWatch | Log groups | /aws/*/ct-aft-* /aws/*/aft-* /aws/codebuild/python-layer-builder-aft-common-*  
-AWS Backup | Vaults | aft-controltower-backup-vault  
-AWS Backup | Plans | aft-controltower-backup-plan  
+AWS Identity and Access Management | Roles |  AWSAFTAdministrator AWSAFTExecution AWSAFTService aws-ct-aft-*  
+AWS Identity and Access Management | Policies | aws-ct-aft-*  
+CodeCommit | Repositories | aws-ct-aft-*  
+CodeBuild | Build Projects | aws-ct-aft-*  
+Code Pipeline | Pipelines | *-baseline-*  
+Amazon S3 | Buckets | *-aws-ct-aft-* aws-ct-aft-*  
+Lambda | Functions | aws-ct-aft-*  
+Lambda | Layers | aws-ct-aft-common-layer  
+DynamoDB | Tables | aws-ct-aft-request aws-ct-aft-request-audit aws-ct-aft-request-metadata aws-ct-aft-controltower-events  
+Step Functions | State Machines | aws-ct-aft-prebaseline aws-ct-aft-prebaseline-customizations aws-ct-aft-trigger-baseline aws-ct-aft-features  
+VPC | VPC | aws-ct-aft-vpc  
+Amazon SNS | Topics | aws-ct-aft-notifications aws-ct-aft-failure-notifications  
+Amazon EventBridge | Event buses | aws-ct-aft-events-from-ct-management  
+Amazon EventBridge | Event rules | aws-ct-aft-capture-ct-events aws-ct-aft-lambda-account-request-processor  
+Key Management Service (KMS) | Customer Managed Keys | *-aws-ct-aft-* aws-ct-aft-*  
+AWS Systems Manager | Parameter store | /aws-ct-aft/account/* /aws/ct-aft/config/*  
+Amazon SQS | Queues | aws-ct-aft-account-request.fifo aws-ct-aft-account-request-dlg.fifo  
+CloudWatch | Log groups | /aws/*/aws-ct-aft-* aws-ct-aft-*  
@@ -57,4 +55,4 @@ AWS Control Tower management account **AWS service** | **Resource type** | **Res
-AWS Identity and Access Management | Roles |  AWSAFTExecution AWSAFTService aft-controltower-events-rule  
-AWS Systems Manager | Parameter store | /aft/*  
-EventBridge | Event rules | aft-capture-ct-events  
-CloudTrail (Optional) | Trails | aws-aft-CustomizationsCloudTrail  
+AWS Identity and Access Management | Roles |  AWSAFTExecutionRole AWSAFTExecution aws-ct-aft-controltower-events-rule  
+AWS Systems Manager | Parameter store | /aws-ct-aft/account/aws-ct-aft-management/account-id  
+AWS Organizations (Optional) | Service Control Policies | aws-ct-aft-protect-resources  
+CloudTrail (Optional) | Trails | aws-ct-aft-BaselineCloudTrail  
@@ -65,3 +63,3 @@ AWS Control Tower log archive account **AWS service** | **Resource type** | **Re
-AWS Identity and Access Management | Roles |  AWSAFTExecution AWSAFTService  
-Key Management Service (KMS) | Customer Managed Keys | aft  
-Amazon S3 | Buckets | aws-aft-logs-* aws-aft-s3-access-logs-*  
+AWS Identity and Access Management | Roles |  AWSAFTExecutionRole AWSAFTExecution aws-ct-aft-cloudtrail-data-events-role  
+Key Management Service (KMS) | Customer Managed Keys | *-aws-ct-aft-kms-gd-findings  
+Amazon S3 | Buckets | *-aws-ct-aft-logs* aws-ct-aft-s3-access-logs*  
@@ -72 +70 @@ AWS Control Tower audit account **AWS service** | **Resource type** | **Resource
-AWS Identity and Access Management | Roles |  AWSAFTExecution AWSAFTService  
+AWS Identity and Access Management | Roles |  AWSAFTExecutionRole AWSAFTExecution