AWS Security ChangesHomeSearch

AWS controltower documentation change

Service: controltower · 2025-08-13 · Documentation medium

File: controltower/latest/userguide/2023-all.md

Summary

Updated release notes for landing zone versions 3.2 and 3.1 with details about new service-linked roles, Security Hub integration for control drift detection, updates to Region Deny policies, and logging configuration changes.

Security assessment

The changes document security improvements such as a new least-privilege service-linked role (AWSServiceRoleForAWSControlTower) for secure operations, Security Hub integration for drift detection, and guidance on suppressing Security Hub findings related to S3 logging configurations. While these enhance security practices, there's no explicit evidence of addressing a specific vulnerability or incident.

Diff

diff --git a/controltower/latest/userguide/2023-all.md b/controltower/latest/userguide/2023-all.md
index b05f6443c..1d52e092a 100644
--- a//controltower/latest/userguide/2023-all.md
+++ b//controltower/latest/userguide/2023-all.md
@@ -339 +339 @@ The deprecated controls are no longer available in any AWS Region.
-**July 20, 2023**
+**June 16, 2023**
@@ -343 +343,50 @@ The deprecated controls are no longer available in any AWS Region.
-AWS Control Tower has released landing zone version 3.2. This version includes updates to the AWS Control Tower landing zone that improve the security and reliability of your AWS Control Tower environment. For more information about the landing zone version 3.2, see [Release notes](https://docs.aws.amazon.com/controltower/latest/userguide/release-notes.html).
+AWS Control Tower landing zone version 3.2 brings the controls that are part of the AWS Security Hub **Service-Managed Standard: AWS Control Tower** to general availability. It introduces the ability to view the drift status of controls that are part of this standard in the AWS Control Tower console.
+
+This update includes a new service-linked role (SLR), called the **AWSServiceRoleForAWSControlTower**. This role assists AWS Control Tower by creating an EventBridge Managed Rule, called the **AWSControlTowerManagedRule** in each member account. This managed rule collects AWS Security Hub **Finding** events, from with AWS Control Tower can determine control drift.
+
+This rule is the first managed rule to be created by AWS Control Tower. The rule is not deployed by a stack; it is deployed directly from the EventBridge APIs. You can view the rule in the EventBridge console, or by means of the EventBridge APIs. If the `managed-by` field is populated, it will show the AWS Control Tower service principal.
+
+Previously, AWS Control Tower assumed the **AWSControlTowerExecution** role to perform operations in member accounts. This new role and rule are better aligned with the best practices principle of allowing least privilege when performing operations in a multi-account AWS environment. The new role provides scoped-down permissions that specifically allow: creating the managed rule in member accounts, maintaining the managed rule, publishing security notifications through SNS, and verifying drift. For more information, see [AWSServiceRoleForAWSControlTower](./access-control-managing-permissions.html#AWSServiceRoleForAWSControlTower).
+
+The landing zone 3.2 update also includes a new StackSet resource in the management account, `BP_BASELINE_SERVICE_LINKED_ROLE`, which initially deploys the service-linked role.
+
+When reporting Security Hub control drift (in landing zone 3.2 and later), AWS Control Tower receives a daily status update from Security Hub. Although controls are active in every governed Region, AWS Control Tower sends the AWS Security Hub **Finding** events to the AWS Control Tower home Region only. For more information, see [Security Hub control drift reporting](https://docs.aws.amazon.com/controltower/latest/controlreference/security-hub-controls.html#sh-drift).
+
+**Update to the Region Deny control**
+
+This landing zone version also includes an update to the Region Deny control.
+
+###### Global services and APIs added
+
+  * AWS Billing and Cost Management (`billing:*`)
+
+  * AWS CloudTrail (`cloudtrail:LookupEvents`) to allow visibility of global events in member accounts.
+
+  * AWS Consolidated Billing (`consolidatedbilling:*`)
+
+  * AWS Management Console Mobile Application (`consoleapp:*`)
+
+  * AWS Free Tier (`freetier:*`)
+
+  * AWS Invoicing (`invoicing:*`)
+
+  * AWS IQ (`iq:*`)
+
+  * AWS User Notifications (`notifications:*`)
+
+  * AWS User Notifications Contacts (`notifications-contacts:*`)
+
+  * Amazon Payments (`payments:*`)
+
+  * AWS Tax Settings (`tax:*`)
+
+
+
+
+###### Global services and APIs removed
+
+  * Removed `s3:GetAccountPublic` because it is not a valid action.
+
+  * Removed `s3:PutAccountPublic` because it is not a valid action.
+
+
@@ -345 +393,0 @@ AWS Control Tower has released landing zone version 3.2. This version includes u
-Landing zone version 3.2 is available in all AWS Regions where AWS Control Tower is available. For a list of AWS Regions where AWS Control Tower is available, see the [AWS Region Table](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).
@@ -447 +495,55 @@ AFC and request tracing are available in all AWS Regions where AWS Control Tower
-**April 20, 2023**
+February 9, 2023
+
+(Update required for AWS Control Tower landing zone to version 3.1. For information, see [Update your landing zone](./update-controltower.html))
+
+AWS Control Tower landing zone version 3.1 includes the following updates:
+
+  * With this release, AWS Control Tower deactivates unnecessary access logging for your _access logging bucket_ , which is the Amazon S3 bucket where access logs are stored in the Log Archive account, while continuing to enable server access logging for S3 buckets. This release also includes updates to the Region Deny control that allow additional actions for global services, such as Support Plans and AWS Artifact. 
+
+  * Deactivation of server access logging for the AWS Control Tower access logging bucket causes Security Hub to create a finding for the Log Archive account's _access logging bucket_ , due to an AWS Security Hub rule, [[S3.9] S3 bucket server access logging should be enabled](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-s3-9). In alignment with Security Hub, we recommend that you suppress this particular finding, as stated in the Security Hub description of this rule. For additional information, see [information about suppressed findings](https://docs.aws.amazon.com/securityhub/latest/userguide/finding-workflow-status.html).
+
+  * Access logging for the (regular) logging bucket in the Log Archive account is unchanged in version 3.1. In alignment with best practices, access events for that bucket are recorded as log entries in the _access logging bucket_. For more information about access logging, see [Logging requests using server access logging](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html) in the Amazon S3 documentation.
+
+  * We made an update of the Region Deny control. This update allows actions by more global services. For details of this SCP, see [Deny access to AWS based on the requested AWS Region](https://docs.aws.amazon.com/controltower/latest/controlreference/primary-region-deny-policy.html) and [Controls that enhance data residency protection](https://docs.aws.amazon.com/controltower/latest/controlreference/data-residency-controls.html).
+
+**Global services added:**
+
+    * AWS Account Management (`account:*`)
+
+    * AWS Activate (`activate:*`)
+
+    * AWS Artifact (`artifact:*`)
+
+    * AWS Billing Conductor (`billingconductor:*`)
+
+    * AWS Compute Optimizer (`compute-optimizer:*`)
+
+    * AWS Data Pipeline (`datapipeline:GetAccountLimits`)
+
+    * AWS Device Farm(`devicefarm:*`)
+
+    * AWS Marketplace (`discovery-marketplace:*`)
+
+    * Amazon ECR (`ecr-public:*`)
+
+    * AWS License Manager (`license-manager:ListReceivedLicenses`)
+
+    * AWS Lightsail (`lightsail:Get*`)
+
+    * AWS Resource Explorer (`resource-explorer-2:*`)
+
+    * Amazon S3 (`s3:CreateMultiRegionAccessPoint`, `s3:GetBucketPolicyStatus`, `s3:PutMultiRegionAccessPointPolicy`)
+
+    * AWS Savings Plans (`savingsplans:*`)
+
+    * IAM Identity Center (`sso:*`)
+
+    * AWS Support App (`supportapp:*`)
+
+    * Support Plans (`supportplans:*`)
+
+    * AWS Sustainability (`sustainability:*`)
+
+    * AWS Resource Groups Tagging API (`tag:GetResources`)
+
+    * AWS Marketplace Vendor Insights (`vendor-insights:ListEntitledSecurityProfiles`)
@@ -449 +550,0 @@ AFC and request tracing are available in all AWS Regions where AWS Control Tower
-(Update required for AWS Control Tower landing zone to version 3.1. For information, see [Update your landing zone](./update-controltower.html)).
@@ -451 +551,0 @@ AFC and request tracing are available in all AWS Regions where AWS Control Tower
-AWS Control Tower has released landing zone version 3.1. This version includes updates to the AWS Control Tower landing zone that improve the security and reliability of your AWS Control Tower environment. For more information about the landing zone version 3.1, see [Release notes](https://docs.aws.amazon.com/controltower/latest/userguide/release-notes.html).
@@ -453 +552,0 @@ AWS Control Tower has released landing zone version 3.1. This version includes u
-Landing zone version 3.1 is available in all AWS Regions where AWS Control Tower is available. For a list of AWS Regions where AWS Control Tower is available, see the [AWS Region Table](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).