AWS controltower documentation change
Summary
Updated terminology from 'SCP scans' to 'policys scans' (likely policy scans), added references to RCPs and Declarative policies in drift detection, removed redundant SCP attachment sections, and clarified guidance about OU deletions and shared account management.
Security assessment
The changes expand documentation about policy types (SCPs, RCPs, Declarative) monitored for drift, which relates to security controls. However, there's no evidence of addressing a specific vulnerability. The OU/shared account clarifications improve governance practices but don't directly resolve a security flaw.
Diff
diff --git a/controltower/latest/userguide/drift.md b/controltower/latest/userguide/drift.md index f95c18cda..4607b2290 100644 --- a//controltower/latest/userguide/drift.md +++ b//controltower/latest/userguide/drift.md @@ -5 +5 @@ -Detecting driftConsiderations about drift and SCP scansTypes of drift to resolve right awayRepairable changes to resourcesDrift and new account provisioning +Detecting driftConsiderations about drift and policys scansTypes of drift to resolve right awayRepairable changes to resourcesDrift and new account provisioning @@ -55,2 +54,0 @@ When you move an account from one OU to another, the controls from the previous - * SCP attached to OU - @@ -59,2 +56,0 @@ When you move an account from one OU to another, the controls from the previous - * SCP attached to account - @@ -66 +62 @@ For more information, see [Types of Governance Drift](https://docs.aws.amazon.co -## Considerations about drift and SCP scans +## Considerations about drift and policys scans @@ -68 +64 @@ For more information, see [Types of Governance Drift](https://docs.aws.amazon.co -AWS Control Tower scans your managed SCPs daily to verify that the corresponding controls are applied correctly and that they have not drifted. To retrieve the SCPs and run checks on them, AWS Control Tower calls AWS Organizations on your behalf, using a role in your management account. +AWS Control Tower scans your managed SCPs, RCPs, and Declarative policies daily to verify that the corresponding controls are applied correctly and that they have not drifted. To retrieve these resources and run checks on them, AWS Control Tower calls AWS Organizations on your behalf, using a role in your management account. @@ -72 +68 @@ If an AWS Control Tower scan discovers drift, you'll receive a notification. AWS -AWS Organizations limits how often each of its APIs can be called. This limit is expressed in transactions per second (TPS), and known as the _TPS limit_ , _throttling rate_ , or _API request rate_. When AWS Control Tower audits your SCPs by calling AWS Organizations, the API calls that AWS Control Tower makes are counted towards your TPS limit, because AWS Control Tower uses the management account to make the calls. +AWS Organizations limits how often each of its APIs can be called. This limit is expressed in transactions per second (TPS), and known as the _TPS limit_ , _throttling rate_ , or _API request rate_. When AWS Control Tower audits your SCPs, RCPs, and Dseclarative policies by calling AWS Organizations, the API calls that AWS Control Tower makes are counted towards your TPS limit, because AWS Control Tower uses the management account to make the calls. @@ -108 +104 @@ For more information about these roles, see [Permissions Required to use the AWS - * _Don't delete all Additional OUs:_ If you delete the organizational unit originally named **Sandbox** during landing zone setup by AWS Control Tower, your landing zone will be in a state of drift, but you still can use AWS Control Tower. At least one Additional OU is required for AWS Control Tower to operate, but it doesn’t have to be the **Sandbox** OU. + * _Don't delete all Additional OUs:_ At least one Additional OU is required for AWS Control Tower to operate, but it doesn’t have to be the **Sandbox** OU. @@ -110 +106 @@ For more information about these roles, see [Permissions Required to use the AWS - * _Don't remove shared accounts:_ If you remove shared accounts from Foundational OUs, such as removing the logging account from the Security OU, your landing zone will be in a state of drift. The landing zone must be reset before you can continue using the AWS Control Tower console. + * _Don't remove shared accounts:_ If you remove shared accounts from Foundational OUs with the AWS Organizations console or APIs, such as removing the logging account from the Security OU, your landing zone will be in a state of drift. The landing zone must be reset before you can continue using the AWS Control Tower console. You can move an Audit or Log Archive account out of the Foundational OU, but still inside an AWS Control Tower OU, without causing drift.