AWS Security ChangesHomeSearch

AWS prescriptive-guidance high security documentation change

Service: prescriptive-guidance · 2025-06-13 · Security-related high

File: prescriptive-guidance/latest/patterns/deploy-and-manage-aws-control-tower-controls-by-using-terraform.md

Summary

Added examples for S3 and Secrets Manager controls with parameters and exemption configurations

Security assessment

Documented security controls like CT.S3.PV.5 (S3 security) and CT.SECRETSMANAGER.PV.1 (Secrets Manager protection) with exemption parameters. These controls directly address data protection and access management security concerns, though exemption configurations require careful review.

Diff

diff --git a/prescriptive-guidance/latest/patterns/deploy-and-manage-aws-control-tower-controls-by-using-terraform.md b/prescriptive-guidance/latest/patterns/deploy-and-manage-aws-control-tower-controls-by-using-terraform.md
index 8a38fee21..35cd2b268 100644
--- a//prescriptive-guidance/latest/patterns/deploy-and-manage-aws-control-tower-controls-by-using-terraform.md
+++ b//prescriptive-guidance/latest/patterns/deploy-and-manage-aws-control-tower-controls-by-using-terraform.md
@@ -39,2 +38,0 @@ This pattern is recommended for users who have experience with AWS Control Tower
-  * Apply the service control policy (SCP)-based control with the identifier **CT.CLOUDFORMATION.PR.1**. This SCP must be activated to deploy proactive controls. For instructions, see [Disallow management of resource types, modules, and hooks within the AWS CloudFormation registry](https://docs.aws.amazon.com/controltower/latest/userguide/elective-controls.html#disallow-cfn-extensions).
-
@@ -240,0 +239,2 @@ The following is an example of an updated **variables.tfvars** file. This sample
+The following example also enables controls that have parameters such as **CT.S3.PV.5** (global ID: `7mo7a2h2ebsq71l8k6uzr96ou`) and **CT.SECRETSMANAGER.PV.1** (global ID: `dvhe47fxg5o6lryqrq9g6sxg4`). For a list of controls with parameters, see [Controls with parameters](https://docs.aws.amazon.com/controltower/latest/controlreference/control-parameter-concepts.html) in the AWS Control Tower documentation.
+    
@@ -245 +245 @@ The following is an example of an updated **variables.tfvars** file. This sample
-                "503uicglhjkokaajywfpt6ros",
+                "503uicglhjkokaajywfpt6ros", # AWS-GR_ENCRYPTED_VOLUMES
@@ -252 +252 @@ The following is an example of an updated **variables.tfvars** file. This sample
-                "50z1ot237wl8u1lv5ufau6qqo",
+                "50z1ot237wl8u1lv5ufau6qqo", # AWS-GR_SUBNET_AUTO_ASSIGN_PUBLIC_IP_DISABLED
@@ -258,0 +259,36 @@ The following is an example of an updated **variables.tfvars** file. This sample
+    controls_with_params = [
+      {
+        control_names = [
+          { "7mo7a2h2ebsq71l8k6uzr96ou" = { # CT.S3.PV.5
+            parameters = {
+              "ExemptedPrincipalArns" : ["arn:aws:iam::*:role/RoleName"],
+              "ExemptedResourceArns" : [],
+            }
+          } },
+          { "dvhe47fxg5o6lryqrq9g6sxg4" = { # CT.SECRETSMANAGER.PV.1
+            parameters = {
+              "ExemptedPrincipalArns" : ["arn:aws:iam::*:role/RoleName"],
+            }
+          } },
+          ...
+        ],
+        organizational_unit_ids = ["ou-1111-11111111"...]
+      },
+      {
+        control_names = [
+          { "dvuaav61i5cnfazfelmvn9m6k" = { # AWS-GR_DISALLOW_CROSS_REGION_NETWORKING
+            parameters = {
+              "ExemptedPrincipalArns" : ["arn:aws:iam::*:role/RoleName"],
+            }
+          } },
+          { "41ngl8m5c4eb1myoz0t707n7h" = { # AWS-GR_DISALLOW_VPC_INTERNET_ACCESS
+            parameters = {
+              "ExemptedPrincipalArns" : ["arn:aws:iam::*:role/RoleName"],
+            }
+          } },
+          ...
+        ],
+        organizational_unit_ids = ["ou-2222-22222222"...]
+      }
+    ] 
+