AWS Security ChangesHomeSearch

AWS controltower documentation change

Service: controltower · 2025-10-19 · Documentation low

File: controltower/latest/userguide/terminology.md

Summary

Clarified preventive controls by adding RCPS and declarative policies, introduced proactive controls via AWS CloudFormation hooks, and updated account enrollment wording.

Security assessment

The changes expand documentation about preventive controls (SCPs, RCPS, declarative policies) and introduce proactive controls (CloudFormation hooks), which are security features. However, there is no evidence these changes address a specific security vulnerability; they primarily enhance clarity about existing security mechanisms.

Diff

diff --git a/controltower/latest/userguide/terminology.md b/controltower/latest/userguide/terminology.md
index 654444682..ea0aa0079 100644
--- a//controltower/latest/userguide/terminology.md
+++ b//controltower/latest/userguide/terminology.md
@@ -43 +43 @@ First, it's good to know that AWS Control Tower shares a lot of terminology with
-    * Preventive controls enabled on the OU apply to all accounts within it, including unenrolled ones. This is true because preventive controls are enforced with SCPs at the OU level, not the account level. For more information, see [Inheritance for service control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_inheritance_auth.html) in the AWS Organizations documentation.
+    * Preventive controls enabled on (or inherited by) the OU apply to all accounts within it, including unenrolled ones. This is true because preventive controls are enforced with SCPs, RCPS, or declarative policies at the OU level, not the account level. For more information, see [Inheritance for service control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_inheritance_auth.html) in the AWS Organizations documentation.
@@ -46,0 +47,2 @@ First, it's good to know that AWS Control Tower shares a lot of terminology with
+    * Proactive controls are implmented by AWS CloudFormation hooks. These controls do not apply to unenrolled accounts in an OU.
+
@@ -49 +51 @@ An account can be a member of only one organization at a time, and its charges a
-  * **AWS account:** An AWS account acts as a resource container and resource isolation boundary. An AWS account can be associated with billing and payment. An AWS account is different than a user account (sometimes called an [IAM user account](https://docs.aws.amazon.com/controltower/latest/userguide/setting-up.html#setting-up-iam)) in AWS Control Tower. Accounts created through the Account Factory provisioning process are AWS accounts. AWS accounts also can be added to AWS Control Tower by means of the account enrollment or OU registration process.
+  * **AWS account:** An AWS account acts as a resource container and resource isolation boundary. An AWS account can be associated with billing and payment. An AWS account is different than a user account (sometimes called an [IAM user account](https://docs.aws.amazon.com/controltower/latest/userguide/setting-up.html#setting-up-iam)) in AWS Control Tower. Accounts created through the Account Factory provisioning process are AWS accounts. AWS accounts also can be added to AWS Control Tower by means of an account enrollment or OU registration process.