AWS controltower documentation change
Summary
Restructured documentation to focus on account creation workflow, removed detailed sections about shared accounts (audit/log archive), added step-by-step account provisioning process, and linked to AWS Organizations security best practices.
Security assessment
Added references to AWS Organizations' security best practices for management/member accounts. However, the removal of specific S3 bucket policy details (aws:SourceOrgID condition) reduces visibility into a security control but doesn't directly indicate a vulnerability. The changes emphasize general security guidance rather than addressing a specific vulnerability.
Diff
diff --git a/controltower/latest/userguide/accounts.md b/controltower/latest/userguide/accounts.md index 8a04fd0e9..a318b6ac1 100644 --- a//controltower/latest/userguide/accounts.md +++ b//controltower/latest/userguide/accounts.md @@ -5 +5 @@ -Considerations for bringing existing security or logging accountsAbout the shared accounts +What happens when AWS Control Tower creates an accountConsiderations for bringing existing security or logging accounts @@ -13 +13 @@ An AWS account is the container for all your owned resources. These resources in -When AWS Control Tower creates or enrolls an account, it deploys the minimum necessary resource configuration for the account, including resources in the form of [Account Factory templates](https://docs.aws.amazon.com/controltower/latest/userguide/account-factory-considerations.html) and other resources in your landing zone. These resources may include IAM roles, AWS CloudTrail trails, [Service Catalog provisioned products](https://docs.aws.amazon.com/servicecatalog/latest/userguide/enduser-dashboard.html), and IAM Identity Center users. AWS Control Tower also deploys resources, as required by the control configuration, for the organizational unit (OU) in which the new account is destined to become a member account. +When AWS Control Tower creates or enrolls an account, it deploys the minimum necessary resource configuration for the account. For example, it may include resources in the form of [Account Factory templates](https://docs.aws.amazon.com/controltower/latest/userguide/account-factory-considerations.html) and other resources in your landing zone, such as IAM roles, AWS CloudTrail trails, [Service Catalog provisioned products](https://docs.aws.amazon.com/servicecatalog/latest/userguide/enduser-dashboard.html), and IAM Identity Center users. AWS Control Tower also deploys resources, as required by the control configuration, for the organizational unit (OU) in which the new account is destined to become a member account. @@ -17,20 +17 @@ AWS Control Tower orchestrates the deployment of these resources on your behalf. -## Considerations for bringing existing security or logging accounts - -Before accepting an AWS account as a security or logging account, AWS Control Tower checks the account for resources that conflict with AWS Control Tower requirements. For example, you may have a logging bucket with the same name that AWS Control Tower requires. Also, AWS Control Tower validates that the account can provision resources; for example, by ensuring that AWS Security Token Service (AWS STS) is enabled, that the account is not suspended, and that AWS Control Tower has permission to provision resources within the account. - -AWS Control Tower does not remove any existing resources in the logging and security accounts that you provide. However, if you choose to enable the AWS Region deny capability, the Region deny control prevents access to resources in denied Regions. - -## About the shared accounts - -Three special AWS accounts are associated with AWS Control Tower; the management account, the **audit** account, and the **log archive** account. These accounts usually are referred to as _shared accounts_ , or sometimes as _core accounts_. - - * You can select customized names for the audit and log archive accounts when you're setting up your landing zone. For information about changing an account name, see [Externally changing AWS Control Tower resource names](https://docs.aws.amazon.com/controltower/latest/userguide/external-resources.html#changing-names). - - * You also can specify an existing AWS account as an AWS Control Tower security or logging account, during the initial landing zone setup process. This option eliminates the need for AWS Control Tower to create new, shared accounts. (This is a one-time selection.) - - - - -For more information about the shared accounts and their associated resources, see [Resources created in the shared accounts](./shared-account-resources.html). - -### Management account +## What happens when AWS Control Tower creates an account @@ -38 +19 @@ For more information about the shared accounts and their associated resources, s -This AWS account launches AWS Control Tower. By default, the root user for this account and the IAM user or IAM administrator user for this account have full access to all resources within your landing zone. +New accounts in AWS Control Tower are created and then provisioned by an interaction among AWS Control Tower, AWS Organizations, and AWS Service Catalog. You can create accounts and enroll existing accounts from the AWS Control Tower console. For detailed steps to enroll an existing AWS account using the AWS Control Tower console, see [Enroll an existing account from the AWS Control Tower console](./quick-account-provisioning.html). @@ -40 +21 @@ This AWS account launches AWS Control Tower. By default, the root user for this -###### Note +###### Behind the scenes of account creation @@ -42 +23 @@ This AWS account launches AWS Control Tower. By default, the root user for this -As a best practice, we recommend signing in as an IAM Identity Center user with **Administrator** privileges when performing administrative functions within the AWS Control Tower console, instead of the signing in as the root user or IAM administrator user for this account. + 1. You initiate the request, for example, from the AWS Control Tower Account Factory page, or directly from the AWS Service Catalog console, or by calling the Service Catalog `ProvisionProduct` API. @@ -44 +25 @@ As a best practice, we recommend signing in as an IAM Identity Center user with -For more information about the roles and resources available in the management account, see [Resources created in the shared accounts](./shared-account-resources.html). + 2. AWS Service Catalog calls AWS Control Tower. @@ -46 +27 @@ For more information about the roles and resources available in the management a -### Log archive account + 3. AWS Control Tower begins a workflow, which as a first step calls the AWS Organizations `CreateAccount` API. @@ -48 +29 @@ For more information about the roles and resources available in the management a -The log archive shared account is set up automatically when you create your landing zone. + 4. After AWS Organizations creates the account, AWS Control Tower completes the provisioning process by applying blueprints and controls. @@ -50 +31 @@ The log archive shared account is set up automatically when you create your land -This account contains a central Amazon S3 bucket for storing a copy of all AWS CloudTrail and AWS Config log files for all other accounts in your landing zone. As a best practice, we recommend restricting log archive account access to teams responsible for compliance and investigations, and their related security or audit tools. This account can be used for automated security audits, or to host custom AWS Config Rules, such as Lambda functions, to perform remediation actions. + 5. Service Catalog continues to poll AWS Control Tower to check for completion of the provisioning process. @@ -52 +33 @@ This account contains a central Amazon S3 bucket for storing a copy of all AWS C -###### Amazon S3 bucket policy + 6. When the workflow in AWS Control Tower is complete, Service Catalog finalizes the account's state and informs you (the requester) of the result. @@ -54 +34,0 @@ This account contains a central Amazon S3 bucket for storing a copy of all AWS C -For AWS Control Tower landing zone version 3.3 and later, accounts must meet an `aws:SourceOrgID` condition for any write permissions to your Audit bucket. This condition ensures that CloudTrail only can write logs on behalf of accounts within your organization to your S3 bucket; it prevents CloudTrail logs outside your organization from writing to your AWS Control Tower S3 bucket. For more information, see [AWS Control Tower landing zone version 3.3](./2023-all.html#lz-3-3). @@ -56 +35,0 @@ For AWS Control Tower landing zone version 3.3 and later, accounts must meet an -For more information about the roles and resources available in the log archive account, see [Log archive account resources](./shared-account-resources.html#log-archive-resources) @@ -58 +36,0 @@ For more information about the roles and resources available in the log archive -###### Note @@ -60,20 +38 @@ For more information about the roles and resources available in the log archive -These logs cannot be changed. All logs are stored for the purposes of audit and compliance investigations related to account activity. - -### Audit account - -This shared account is set up automatically when you create your landing zone. - -The audit account should be restricted to security and compliance teams with auditor (read-only) and administrator (full-access) cross-account roles to all accounts in the landing zone. These roles are intended to be used by security and compliance teams to: - - * Perform audits through AWS mechanisms, such as hosting custom AWS Config rule Lambda functions. - - * Perform automated security operations, such as remediation actions. - - - - -The audit account also receives notifications through the Amazon Simple Notification Service (Amazon SNS) service. Three categories of notification can be received: - - * **All Configuration Events** – This topic aggregates all CloudTrail and AWS Config notifications from all accounts in your landing zone. - - * **Aggregate Security Notifications** – This topic aggregates all security notifications from specific CloudWatch events, AWS Config Rules compliance status change events, and GuardDuty findings. +## Considerations for bringing existing security or logging accounts @@ -81 +40 @@ The audit account also receives notifications through the Amazon Simple Notifica - * **Drift Notifications** – This topic aggregates all the drift warnings discovered across all accounts, users, OUs, and SCPs in your landing zone. For more information on drift, see [Detect and resolve drift in AWS Control Tower](./drift.html). +Before accepting an AWS account as a security (default name: **Audit**) or logging (default name: **Log archive**) account, AWS Control Tower checks the account for resources that conflict with AWS Control Tower requirements. For example, you may have a logging bucket with the same name that AWS Control Tower requires. Also, AWS Control Tower validates that the account can provision resources; for example, by ensuring that AWS Security Token Service (AWS STS) is enabled, that the account is not suspended, and that AWS Control Tower has permission to provision resources within the account. @@ -82,0 +42 @@ The audit account also receives notifications through the Amazon Simple Notifica +AWS Control Tower does not remove any existing resources in the logging and security accounts that you provide. However, if you choose to enable it, the AWS Control Tower Region deny control prevents access to resources in denied Regions. @@ -83,0 +44 @@ The audit account also receives notifications through the Amazon Simple Notifica +###### Security for your accounts @@ -84,0 +46 @@ The audit account also receives notifications through the Amazon Simple Notifica +You can find guidance about best practices to protect the security of your AWS Control Tower management account and member accounts in the AWS Organizations documentation. @@ -86 +48 @@ The audit account also receives notifications through the Amazon Simple Notifica -Audit notifications that are triggered within a member account also can send alerts to a local Amazon SNS topic. This functionality allows account administrators to subscribe to audit notifications that are specific to an individual member account. As a result, administrators can resolve issues that affect an individual account, while still aggregating all account notifications to your centralized audit account. For more information, see [Amazon Simple Notification Service Developer Guide](https://docs.aws.amazon.com/sns/latest/dg/). + * [Best practices for the management account](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_best-practices_mgmt-acct.html) @@ -88 +50 @@ Audit notifications that are triggered within a member account also can send ale -For more information about the roles and resources available in the audit account, see [Audit account resources](./shared-account-resources.html#audit-account-resources). + * [Best practices for member accounts](https://docs.aws.amazon.com/organizations/latest/userguide/best-practices_member-acct.html) @@ -90 +51,0 @@ For more information about the roles and resources available in the audit accoun -For more information about programmatic auditing, see [Programmatic roles and trust relationships for the AWS Control Tower audit account](https://docs.aws.amazon.com/controltower/latest/userguide/roles-how.html#stacksets-and-roles). @@ -92 +52,0 @@ For more information about programmatic auditing, see [Programmatic roles and tr -###### Important @@ -94 +53,0 @@ For more information about programmatic auditing, see [Programmatic roles and tr -The email address you provide for the audit account receives **AWS Notification - Subscription Confirmation** emails from every AWS Region supported by AWS Control Tower. To receive compliance emails in your audit account, you must choose the **Confirm subscription** link within each email from each AWS Region supported by AWS Control Tower. @@ -102 +61 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please -Permissions required +Configure the Region deny control @@ -104 +63 @@ Permissions required -View your accounts +About the shared accounts