AWS govcloud-us documentation change
Summary
Corrected documentation links, fixed typos, updated control scope to exclude CloudFront and Global Accelerator from a networking control, and clarified permissions syntax for GovCloud regions.
Security assessment
The change narrows the scope of the 'Disallow cross-region networking' control to EC2 only, improving documentation accuracy for security controls. It also clarifies the use of `controltower:EnableControl` and `controltower:DisableControl` permissions in GovCloud, ensuring proper access management. While these updates enhance security documentation clarity, there is no evidence they address a specific vulnerability or exploit.
Diff
diff --git a/govcloud-us/latest/UserGuide/govcloud-controltower.md b/govcloud-us/latest/UserGuide/govcloud-controltower.md index 6167f4a42..44681177e 100644 --- a//govcloud-us/latest/UserGuide/govcloud-controltower.md +++ b//govcloud-us/latest/UserGuide/govcloud-controltower.md @@ -11 +11 @@ AWS Control Tower offers a straightforward way to set up and govern an AWS multi -You can utilize AWS Control Tower with workloads that require FedRAMP High categorization level in the AWS GovCloud (US) Regions. AWS Control Tower is [in scope for numerous compliance programs and standards](https://aws.amazon.com/compliance/services-in-scope/), including HIPAA (Health Insurance Portability and Accountability Act), PCI DSS (Payment Card Industry – Data Security Standard), ISO (International Organization for Standardization), SOC 1, 2, and 3 (System and Organization Controls). To learn more, visit the [AWS Control Tower homepage](https://aws.amazon.com/controltower/) or see the [_AWS Control Tower User Guide_](https://docs.aws.amazon.com/controltower/latest/userguide/what-is-control-tower.html). +You can utilize AWS Control Tower with workloads that require FedRAMP High categorization level in the AWS GovCloud (US) Regions. AWS Control Tower is [in scope for numerous compliance programs and standards](https://aws.amazon.com/compliance/services-in-scope/), including HIPAA (Health Insurance Portability and Accountability Act), PCI DSS (Payment Card Industry – Data Security Standard), ISO (International Organization for Standardization), SOC 1, 2, and 3 (System and Organization Controls). To learn more, visit the [AWS Control Tower homepage](https://aws.amazon.com/controltower/) or see the [AWS Control Tower User Guide](https://docs.aws.amazon.com/controltower/latest/userguide/what-is-control-tower.html). @@ -15 +15 @@ You can utilize AWS Control Tower with workloads that require FedRAMP High categ -The following list details the differences for using this service in the AWS GovCloud (US) Region compared to other AWS Regions: +The following list details the differences for using this service in the AWS GovCloud (US) Regions compared to other AWS Regions: @@ -68 +68 @@ Certain controls include functionality that has no effect in AWS GovCloud (US) R - * [Disallow cross-region networking for Amazon EC2, Amazon CloudFront, and AWS Global Accelerator](https://docs.aws.amazon.com/controltower/latest/controlreference/data-residency-controls.html#prevent-cross-region-networking) + * [Disallow cross-region networking for Amazon EC2](https://docs.aws.amazon.com/controltower/latest/controlreference/data-residency-controls.html#prevent-cross-region-networking) @@ -112 +112 @@ This capability builds on the existing FedRamp High categorization level, as wel -If your workload operates in AWS and AWS GovCloud (US) Regions, you may notice a difference in behavior, for the same policy. The `controltower:EnableGuardrail` and `controltower:DisableGuardrail` permissions don't exist in AWS GovCloud (US) Regions, and so they won't have any effect in your policies. Use `controltower:EnableControl` and `controltower:DisableControl` permissions instead to control access to **EnableControl** and **DisableControl** APIs. +If your workload operates in AWS and AWS GovCloud (US) Regions, you may notice a difference in behavior, for the same policy. The `controltower:EnableGuardrail` and `controltower:DisableGuardrail` permissions don’t exist in AWS GovCloud (US) Regions, and so they won’t have any effect in your policies. Use `controltower:EnableControl` and `controltower:DisableControl` permissions instead to control access to **EnableControl** and **DisableControl** APIs. @@ -125 +125 @@ The account in the commercial Region is a member of the organization whose crede -Before creating accounts in the AWS GovCloud (US) Regions from AWS Control Tower, make sure that you meet specific U.S. regulatory requirements as described in [Signing Up for AWS GovCloud (US).](https://docs.aws.amazon.com//govcloud-us/latest/ug-west/getting-started-sign-up.html) +Before creating accounts in the AWS GovCloud (US) Regions from AWS Control Tower, make sure that you meet specific U.S. regulatory requirements as described in [Signing Up for AWS GovCloud (US).](https://docs.aws.amazon.com/govcloud-us/latest/ug-west/getting-started-sign-up.html) @@ -180 +180 @@ The following diagram shows how account access works, so that you can invite sta -For more information, see the procedure described in [Sending Invitations to AWS Accounts](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_invites.html#orgs_manage_accounts_invite-account) in the [AWS Organizations User Guide ](https://docs.aws.amazon.com//organizations/latest/userguide/orgs_introduction.html) to invite the account in the AWS GovCloud (US) Regions to the AWS GovCloud (US) organization. +For more information, see the procedure described in [Sending Invitations to AWS Accounts](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_invites.html#orgs_manage_accounts_invite-account) in the [AWS Organizations User Guide](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html) to invite the account in the AWS GovCloud (US) Regions to the AWS GovCloud (US) organization. @@ -184 +184 @@ For more information, see the procedure described in [Sending Invitations to AWS -Here's an overview and a recommended sequence of steps for setting up an AWS Control Tower landing zone in AWS GovCloud (US) Regions. It is slightly different than the process for commercial Regions, because of the way you must create accounts. +Here’s an overview and a recommended sequence of steps for setting up an AWS Control Tower landing zone in AWS GovCloud (US) Regions. It is slightly different than the process for commercial Regions, because of the way you must create accounts. @@ -188 +188 @@ Here's an overview and a recommended sequence of steps for setting up an AWS Con - 1. **In the commercial Region** : Create the two AWS accounts you'll require in AWS GovCloud (US), which will become log archive and audit accounts for your AWS GovCloud (US) organization. + 1. **In the commercial Region** : Create the two AWS accounts you’ll require in AWS GovCloud (US), which will become log archive and audit accounts for your AWS GovCloud (US) organization. @@ -194 +194 @@ Here's an overview and a recommended sequence of steps for setting up an AWS Con - 4. **In the AWS GovCloud (US) home Region** : Follow the procedure to set up AWS Control Tower in an existing organization. Specify the two existing accounts, which you've already created in the first step and just invited to your organization, as your audit and log archive accounts. + 4. **In the AWS GovCloud (US) home Region** : Follow the procedure to set up AWS Control Tower in an existing organization. Specify the two existing accounts, which you’ve already created in the first step and just invited to your organization, as your audit and log archive accounts. @@ -205 +205 @@ Here's an overview and a recommended sequence of steps for setting up an AWS Con -After you've performed these tasks, it's a good idea to check the guardrails (also called controls) that are enabled on your OUs, and apply any optional controls that are applicable to your business requirements. +After you’ve performed these tasks, it’s a good idea to check the guardrails (also called controls) that are enabled on your OUs, and apply any optional controls that are applicable to your business requirements.