AWS Security ChangesHomeSearch

AWS controltower documentation change

Service: controltower · 2025-11-19 · Documentation low

File: controltower/latest/userguide/af-customization-page.md

Summary

Updated documentation to use 'CloudFormation' instead of 'AWS CloudFormation' throughout the document for consistency in service naming

Security assessment

The changes are purely branding/naming convention updates (removing 'AWS' prefix from CloudFormation references). No security vulnerabilities, mitigations, or new security features are introduced. The existing security context about proactive controls and permission restrictions remains unchanged in substance.

Diff

diff --git a/controltower/latest/userguide/af-customization-page.md b/controltower/latest/userguide/af-customization-page.md
index aa571b27e..14f69b8c3 100644
--- a//controltower/latest/userguide/af-customization-page.md
+++ b//controltower/latest/userguide/af-customization-page.md
@@ -13 +13 @@ AWS Control Tower allows you to customize new and existing AWS accounts when you
-Your customized accounts are provisioned in the AWS Control Tower Account Factory, through AWS CloudFormation templates, or with Terraform. You'll define a template that serves as customized account _blueprint_. Your blueprint describes the specific resources and configurations you require when an account is provisioned. Pre-defined blueprints, built and managed by AWS partners, also are available. For more information about partner-managed blueprints, see the [AWS Service Catalog Getting Started Library](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/getting-started-library.html).
+Your customized accounts are provisioned in the AWS Control Tower Account Factory, through CloudFormation templates, or with Terraform. You'll define a template that serves as customized account _blueprint_. Your blueprint describes the specific resources and configurations you require when an account is provisioned. Pre-defined blueprints, built and managed by AWS partners, also are available. For more information about partner-managed blueprints, see the [AWS Service Catalog Getting Started Library](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/getting-started-library.html).
@@ -25 +25 @@ Your account blueprints are stored in an AWS account, which for our purposes is
-AWS Control Tower contains _proactive controls_ , which monitor AWS CloudFormation resources in AWS Control Tower. Optionally, you can activate these controls in your landing zone. When you apply proactive controls, they check to make sure that the resources you're about to deploy to your accounts are compliant with your organization's policies and procedures. For more information about proactive controls, see [Proactive controls](https://docs.aws.amazon.com/controltower/latest/userguide/proactive-controls.html).
+AWS Control Tower contains _proactive controls_ , which monitor CloudFormation resources in AWS Control Tower. Optionally, you can activate these controls in your landing zone. When you apply proactive controls, they check to make sure that the resources you're about to deploy to your accounts are compliant with your organization's policies and procedures. For more information about proactive controls, see [Proactive controls](https://docs.aws.amazon.com/controltower/latest/userguide/proactive-controls.html).
@@ -153 +153 @@ The following workarounds are available:
-When you enable a blueprint through account factory, AWS Control Tower directs AWS CloudFormation to create a StackSet on your behalf. AWS CloudFormation requires access to your managed account to create AWS CloudFormation stacks in the StackSet. Although AWS CloudFormation already has administrator privileges in the managed account through the `AWSControlTowerExecution` role, this role is not assumable by AWS CloudFormation.
+When you enable a blueprint through account factory, AWS Control Tower directs CloudFormation to create a StackSet on your behalf. CloudFormation requires access to your managed account to create CloudFormation stacks in the StackSet. Although CloudFormation already has administrator privileges in the managed account through the `AWSControlTowerExecution` role, this role is not assumable by CloudFormation.
@@ -155 +155 @@ When you enable a blueprint through account factory, AWS Control Tower directs A
-As part of enabling a blueprint, AWS Control Tower creates a role in the member account, which AWS CloudFormation may assume to complete the StackSet management tasks. The simplest way to enable your customized blueprint through account factory is to use an _allow-all_ policy, because those policies are compatible with any blueprint template.
+As part of enabling a blueprint, AWS Control Tower creates a role in the member account, which CloudFormation may assume to complete the StackSet management tasks. The simplest way to enable your customized blueprint through account factory is to use an _allow-all_ policy, because those policies are compatible with any blueprint template.
@@ -157 +157 @@ As part of enabling a blueprint, AWS Control Tower creates a role in the member
-However, best practices suggest that you must restrict the permissions for AWS CloudFormation in the target account. You can provide a customized policy, which AWS Control Tower applies to the role it creates for AWS CloudFormation to use. For example, if your blueprint creates an SSM Parameter called _something-important_ , you could provide the following policy:
+However, best practices suggest that you must restrict the permissions for CloudFormation in the target account. You can provide a customized policy, which AWS Control Tower applies to the role it creates for CloudFormation to use. For example, if your blueprint creates an SSM Parameter called _something-important_ , you could provide the following policy:
@@ -190 +190 @@ JSON
-The `AllowCloudFormationActionsOnStacks` statement is required for all AFC custom policies; AWS CloudFormation uses this role to create stack instances, therefore it requires permission to perform AWS CloudFormation actions on stacks. The `AllowSsmParameterActions` section is specific to the template being enabled.
+The `AllowCloudFormationActionsOnStacks` statement is required for all AFC custom policies; CloudFormation uses this role to create stack instances, therefore it requires permission to perform CloudFormation actions on stacks. The `AllowSsmParameterActions` section is specific to the template being enabled.
@@ -194 +194 @@ The `AllowCloudFormationActionsOnStacks` statement is required for all AFC custo
-When you enable a blueprint with a restricted policy, you may find that there are insufficient permissions to enable the blueprint. To resolve these issues, revise your policy document and update the member account's blueprint preferences to use the corrected policy. To check that the policy is sufficient to enable the blueprint, ensure that the AWS CloudFormation permissions are granted, and that you can create a stack directly using that role.
+When you enable a blueprint with a restricted policy, you may find that there are insufficient permissions to enable the blueprint. To resolve these issues, revise your policy document and update the member account's blueprint preferences to use the corrected policy. To check that the policy is sufficient to enable the blueprint, ensure that the CloudFormation permissions are granted, and that you can create a stack directly using that role.
@@ -267 +267 @@ This change effects existing accounts that you created or enrolled with AWS Cont
-  5. Going forward, all accounts created or enrolled using AWS Control Tower account factory customization must reference blueprints using the _AWS CloudFormation_ or _External_ product type. 
+  5. Going forward, all accounts created or enrolled using AWS Control Tower account factory customization must reference blueprints using the _CloudFormation_ or _External_ product type.