AWS controltower medium security documentation change
Summary
Added documentation for support of additional industry frameworks (e.g., PCI-DSS) with updated metadata and introduced service-linked AWS Config controls to replace CloudFormation stack sets for improved deployment security.
Security assessment
The service-linked AWS Config controls change addresses configuration drift risks by preventing manual modifications to CloudFormation stack sets, which could lead to security misconfigurations. The explicit warning about removing existing remediations during migration indicates a security-impacting change. The addition of IAM permissions for control visibility and compliance framework mappings also enhances security documentation.
Diff
diff --git a/controltower/latest/userguide/2025-all.md b/controltower/latest/userguide/2025-all.md index 01a0d570a..2249d57e9 100644 --- a//controltower/latest/userguide/2025-all.md +++ b//controltower/latest/userguide/2025-all.md @@ -5 +5 @@ -Enabled controls console view gives centralized visibility Account Factory for Terraform (AFT) supports new configurations at deploymentAWS Control Tower introduces account-level reporting for baseline APIsAWS Control Tower available in AWS Asia Pacific (Thailand) and Mexico (Central) RegionsAdditional AWS Config controls availableDeregister and delete actions for OUsControl Catalog supports IPv6 addresses +Support for additional industry frameworks, updated metadataService-linked AWS Config controls Enabled controls console view gives centralized visibility Account Factory for Terraform (AFT) supports new configurations at deploymentAWS Control Tower introduces account-level reporting for baseline APIsAWS Control Tower available in AWS Asia Pacific (Thailand) and Mexico (Central) RegionsAdditional AWS Config controls availableDeregister and delete actions for OUsControl Catalog supports IPv6 addresses @@ -10,0 +11,4 @@ Since January 2025, AWS Control Tower has released the following updates: + * Support for additional industry frameworks, updated metadata + + * Service-linked AWS Config controls + @@ -27,0 +32,66 @@ Since January 2025, AWS Control Tower has released the following updates: +## Support for additional industry frameworks, updated metadata + +**June 12, 2025** + +(No update required for AWS Control Tower landing zone.) + +With this release, AWS Control Tower expands to include support for 10 industry frameworks. For a list of frameworks, see [Frameworks supported](https://docs.aws.amazon.com/controltower/latest/controls/frameworks.html). + +For example, you can get started by navigating to the Control Catalog page in the AWS Control Tower console and searching for a framework, such as **PCI-DSS-v4.0** , to view all controls related to that framework. Or you can examine controls and frameworks programmatically, by calling the new [`ListControlMappings`](https://docs.aws.amazon.com/controlcatalog/latest/APIReference/API_ListControlMappings.html) API. + +The metadata definitions associated with contols are changing, to better support these additional industry framewoks. The changes to metadata can affect the way you evaluate controls for enablement. For example, the values for NIST, PCI, and CIS metadata may have changed. We recommend that you r _eview the mappings_ for your enabled controls, on the **Control details** page in the console. + +In the console and the API, we introduced 3 new metadata fields. Collectively, these fields describe a hierarchy that helps you understand how to categorize and enable controls. The fields are: **Domain** , **Objective** , and [**Common control**](https://docs.aws.amazon.com/controltower/latest/controlreference/common-controls-list.html). We have redefined our [control objectives](https://docs.aws.amazon.com/controltower/latest/controlreference/control-catalog-objectives.html) to align better with the broader scope of industry frameworks that are available. For more information about this hierarchy, see [Ontology overview](https://docs.aws.amazon.com/controlcatalog/latest/userguide/ontology-overview.html). + + * These metadata changes are reflected in the AWS Control Tower console, and the console experience is consistent across the AWS Control Tower and AWS Config consoles. + + * To view control information in the AWS Control Tower console, you must add additional `controlcatalog` permissions to your IAM policies. For more information, see [Permissions required to use the AWS Control Tower console](https://docs.aws.amazon.com/controltower/latest/userguide/additional-console-required-permissions.html). + + * Each control now has a new field called `GovernedResources`, which shows the resource types that the control governs. In some cases, this field shows the service prefix for the resources, and in other instances, it can be blank. For more information, see [`GetControl`](https://docs.aws.amazon.com/controlcatalog/latest/APIReference/API_GetControl.html) and [`ListControls`](https://docs.aws.amazon.com/controlcatalog/latest/APIReference/API_ListControls.html). + + + + +With this release, we have renamed the _Controls Library_ to _Control Catalog_ , for consistency with other terminology. + +## Service-linked AWS Config controls + +**June 12, 2025** + +(No update required for AWS Control Tower landing zone.) + +AWS Control Tower announces support for the AWS Control Tower detective controls to be deployed as service-linked AWS Config rules. + +With this release, AWS Control Tower now deploys service-linked Config rules directly in your enrolled accounts, replacing the previous method of deployment with AWS CloudFormation stack sets. This change significantly improves deployment speed. Also, these service-linked Config rules help to ensure consistent governance of your resources, because they prevent unintentional configuration drift that could be caused by manual changes to AWS CloudFormation stack sets or Config rules. + +**Going forward, all AWS Control Tower controls implemented by AWS Config rules will be deployed with this mechanism, which directly calls the AWS Config APIs.** + +###### Important + +Before you adopt service-linked Config rules, review the existing customizations, such as remediations, that you have made to Config rules outside of AWS Control Tower, because these customizations will be removed during the transition. The AWS Config APIs do not support adding remediation configurations for service-linked AWS Config rules. See [`PutRemediationConfigurations`](https://docs.aws.amazon.com/config/latest/APIReference/API_PutRemediationConfigurations.html). + +###### Details and action required + + * When you **Update** or **Reset** your landing zone, AWS Control Tower updates the **Mandatory** controls that govern the Security OU. To complete the upgrade, you also must **Reset** each of the detective controls that are implemeneted with AWS Config rules, or **Re-register** the OU. + + * The full scope of this upgrade applies to you if your AWS Control Tower landing zone version is 3.2 or above. When you apply this update, your existing AWS Config rules are changed to become service-managed Config rules, along with the new deployment method. + + * If your landing zone is version 3.1 or below, any new Config rules will be deployed with the new method, no longer with Stack Sets. Your existing Config rules are NOT updated to become service-managed Config rules. They will remain of the standard type. + + * You can identify service-linked config rules by their resource ARN, which has the form: + + arn:aws:config:*:*:config-rule/aws-service-rule/controltower.*/* + + + + +The intended functionality of controls, when implemented by service-linked AWS Config rules, has not changed. The detective, service-linked Config rules in AWS Control Tower can identify non-compliant resources within your accounts, such as policy violations, and provide alerts through the dashboard. To maintain consistency, prevent configuration drift, and simplify your overall user experience, these rules now can be modified only through AWS Control Tower. + +As part of this release, we added four new permissions to the policy for the service-linked role (SLR) [`AWSServiceRoleForAWSControlTower`](https://docs.aws.amazon.com/controltower/latest/userguide/access-control-managing-permissions.html#AWSServiceRoleForAWSControlTower), so that you can enable and disable service-linked AWS Config rules for your enrolled accounts. + + + config:DescribeConfigRules + config:TagResource + config:PutConfigRule + config:DeleteConfigRule +