AWS controltower documentation change
Summary
Added documentation for new AWSControlTowerIdentityCenterManagementPolicy and updated AWSControlTowerServiceRolePolicy with CloudFormation permissions for auto-enrollment
Security assessment
The changes document IAM policies related to account enrollment and drift remediation. While these policies govern security-related permissions, there is no evidence of addressing a specific vulnerability or incident. The updates focus on enabling new functionality (Identity Center configuration and auto-enrollment workflows).
Diff
diff --git a/controltower/latest/userguide/managed-policies-table.md b/controltower/latest/userguide/managed-policies-table.md index dc14092b9..d179a2989 100644 --- a//controltower/latest/userguide/managed-policies-table.md +++ b//controltower/latest/userguide/managed-policies-table.md @@ -10,0 +11,2 @@ Change | Description | Date +[AWSControlTowerIdentityCenterManagementPolicy](./access-control-managing-permissions.html#AWSControlTowerIdentityCenterManagementPolicy) – A new policy | AWS Control Tower added a new policy that allows customers to configure IAM Identity Center resources in accounts that are enrolled in AWS Control Tower, and it allows AWS Control Tower to remediate some types of drift when auto-enrolling accounts. This change is needed so that customers can configure IAM Identity Center in AWS Control Tower, and so that AWS Control Tower can remediate auto-enrollment drift. | October 10, 2025 +[AWSControlTowerServiceRolePolicy](./access-control-managing-permissions.html#AWSControlTowerServiceRolePolicy) – Update to an existing policy | AWS Control Tower added new AWS CloudFormation permissions that allow AWS Control Tower to query and deploy stack set resources into member accounts when auto-enrolling the accounts into AWS Control Tower. | October 10, 2025