AWS controltower documentation change
Summary
Updated resource naming conventions and added AWS Backup resources for AFT components
Security assessment
Changes primarily involve resource name standardization and adding backup configuration documentation. No specific security vulnerabilities or security features are mentioned. The AWS Backup addition is a reliability feature rather than explicit security documentation.
Diff
diff --git a/controltower/latest/userguide/aft-resources.md b/controltower/latest/userguide/aft-resources.md index f2ad467d8..804206365 100644 --- a//controltower/latest/userguide/aft-resources.md +++ b//controltower/latest/userguide/aft-resources.md @@ -28,18 +28,20 @@ AWS Control Tower Account Factory for Terraform management account **AWS service -AWS Identity and Access Management | Roles | AWSAFTAdministrator AWSAFTExecution AWSAFTService aws-ct-aft-* -AWS Identity and Access Management | Policies | aws-ct-aft-* -CodeCommit | Repositories | aws-ct-aft-* -CodeBuild | Build Projects | aws-ct-aft-* -Code Pipeline | Pipelines | *-baseline-* -Amazon S3 | Buckets | *-aws-ct-aft-* aws-ct-aft-* -Lambda | Functions | aws-ct-aft-* -Lambda | Layers | aws-ct-aft-common-layer -DynamoDB | Tables | aws-ct-aft-request aws-ct-aft-request-audit aws-ct-aft-request-metadata aws-ct-aft-controltower-events -Step Functions | State Machines | aws-ct-aft-prebaseline aws-ct-aft-prebaseline-customizations aws-ct-aft-trigger-baseline aws-ct-aft-features -VPC | VPC | aws-ct-aft-vpc -Amazon SNS | Topics | aws-ct-aft-notifications aws-ct-aft-failure-notifications -Amazon EventBridge | Event buses | aws-ct-aft-events-from-ct-management -Amazon EventBridge | Event rules | aws-ct-aft-capture-ct-events aws-ct-aft-lambda-account-request-processor -Key Management Service (KMS) | Customer Managed Keys | *-aws-ct-aft-* aws-ct-aft-* -AWS Systems Manager | Parameter store | /aws-ct-aft/account/* /aws/ct-aft/config/* -Amazon SQS | Queues | aws-ct-aft-account-request.fifo aws-ct-aft-account-request-dlg.fifo -CloudWatch | Log groups | /aws/*/aws-ct-aft-* aws-ct-aft-* +AWS Identity and Access Management | Roles | AWSAFTAdmin AWSAFTExecution AWSAFTService ct-aft-* aft-* codebuild_trigger_role python-layer-builder-aft-common-* +AWS Identity and Access Management | Policies | aft-* +CodeCommit | Repositories | aft-* +CodeBuild | Build Projects | aft-* ct-aft-* apython-layer-builder-aft-common-* +Code Pipeline | Pipelines | accountId-customizations-pipeline +Amazon S3 | Buckets | aft-* +Lambda | Functions | aft-* +Lambda | Layers | aft-common-* +DynamoDB | Tables | aft-request aaft-request-audit aft-request-metadata aft-controltower-events +Step Functions | State Machines | aft-account-provisioning-customizations aft-account-provisioning-framework aft-feature-options aft-invoke-customizations +VPC | VPC | aft-management-vpc +Amazon SNS | Topics | aft-notifications aft-failure-notifications +Amazon EventBridge | Event buses | aft-events-from-ct-management +Amazon EventBridge | Event rules | aft-account-provisioning-customizations-trigger aft-account-request-codepipeline-trigger aft-lambda-account-request-processor aft-controltower-event-logger +Key Management Service (KMS) | Customer Managed Keys | *aft-backend-*-kms-key aft-* +AWS Systems Manager | Parameter store | /aft/* +Amazon SQS | Queues | aft-account-request.fifo aft-account-request-dlg.fifo +CloudWatch | Log groups | /aws/*/ct-aft-* /aws/*/aft-* /aws/codebuild/python-layer-builder-aft-common-* +AWS Backup | Vaults | aft-controltower-backup-vault +AWS Backup | Plans | aft-controltower-backup-plan @@ -55,4 +57,4 @@ AWS Control Tower management account **AWS service** | **Resource type** | **Res -AWS Identity and Access Management | Roles | AWSAFTExecutionRole AWSAFTExecution aws-ct-aft-controltower-events-rule -AWS Systems Manager | Parameter store | /aws-ct-aft/account/aws-ct-aft-management/account-id -AWS Organizations (Optional) | Service Control Policies | aws-ct-aft-protect-resources -CloudTrail (Optional) | Trails | aws-ct-aft-BaselineCloudTrail +AWS Identity and Access Management | Roles | AWSAFTExecution AWSAFTService aft-controltower-events-rule +AWS Systems Manager | Parameter store | /aft/* +EventBridge | Event rules | aft-capture-ct-events +CloudTrail (Optional) | Trails | aws-aft-CustomizationsCloudTrail @@ -63,3 +65,3 @@ AWS Control Tower log archive account **AWS service** | **Resource type** | **Re -AWS Identity and Access Management | Roles | AWSAFTExecutionRole AWSAFTExecution aws-ct-aft-cloudtrail-data-events-role -Key Management Service (KMS) | Customer Managed Keys | *-aws-ct-aft-kms-gd-findings -Amazon S3 | Buckets | *-aws-ct-aft-logs* aws-ct-aft-s3-access-logs* +AWS Identity and Access Management | Roles | AWSAFTExecution AWSAFTService +Key Management Service (KMS) | Customer Managed Keys | aft +Amazon S3 | Buckets | aws-aft-logs-* aws-aft-s3-access-logs-* @@ -70 +72 @@ AWS Control Tower audit account **AWS service** | **Resource type** | **Resource -AWS Identity and Access Management | Roles | AWSAFTExecutionRole AWSAFTExecution +AWS Identity and Access Management | Roles | AWSAFTExecution AWSAFTService