AWS Security ChangesHomeSearch

AWS controltower documentation change

Service: controltower · 2025-11-22 · Documentation low

File: controltower/latest/userguide/config.md

Summary

Added comprehensive documentation for AWS Config Integration in Control Tower 4.0 including Service-Linked Config Aggregator, delegated administration, and migration guidance

Security assessment

The changes describe security-adjacent features like centralized configuration monitoring and IAM access controls, but there is no evidence of addressing a specific security vulnerability. The documentation primarily explains new security capabilities rather than patching a security issue. Enhanced aggregation improves security posture but isn't a direct response to a vulnerability.

Diff

diff --git a/controltower/latest/userguide/config.md b/controltower/latest/userguide/config.md
index 67a406bd2..be2bdcb57 100644
--- a//controltower/latest/userguide/config.md
+++ b//controltower/latest/userguide/config.md
@@ -4,0 +5,2 @@
+AWS Config Integration in Control Tower Landing Zone 4.0
+
@@ -14,0 +17,158 @@ AWS Control Tower uses AWS Config Rules to implement detective controls. For mor
+## AWS Config Integration in Control Tower Landing Zone 4.0
+
+### Service-Linked Config Aggregator (SLCA)
+
+AWS Control Tower now implements a Service-Linked Config Aggregator (SLCA) as part of Landing Zone 4.0+. This change represents a significant improvement in how AWS Config data is aggregated and managed across your organization. 
+
+### Key Changes
+
+**New Service-Linked Config Aggregator Deployment**
+
+  * A Service-Linked Config Aggregator is deployed in your designated AWS Config integration account.
+
+  * For existing customers, this will be your audit account
+
+  * For new customers, this will be the account specified in the manifest's `config.accountId` field
+
+
+
+
+**Delegated Administrator**
+
+  * The AWS Config aggregator account becomes the delegated administrator for AWS Config
+
+  * AWS Control Tower automatically configures the delegated admin settings
+
+  * This enables centralized management of AWS Config across your organization
+
+
+
+
+**Migration from Legacy Aggregators**
+
+During the upgrade to Landing Zone 4.0:
+
+  * The organization aggregator in the management account will be removed.
+
+  * The account aggregator in the audit account will be removed.
+
+  * These are replaced by the new service-linked Config Aggregator in the AWS Config integration aggregator account.
+
+
+
+
+### Enhanced Data Aggregation
+
+The service-linked Config Aggregator provides improved capabilities for Config data aggregation:
+
+  * Can aggregate data from any AWS Config recorder in your organization
+
+  * Includes data from accounts not managed by Control Tower
+
+  * Provides a comprehensive view of configuration items across your organization
+
+  * Supports enhanced data perimeter controls
+
+
+
+
+### Important Considerations
+
+**Delegated Administrator Configuration**
+
+  * AWS Control Tower will use the account specified in your manifest for AWS Config integration
+
+  * This account will be automatically configured as the delegated administrator
+
+  * No additional action is required from customers for this configuration
+
+  * For existing customers, your previous Security Roles integration account (Audit account) will be configured as the AWS Config central aggregator account during Landing Zone 4.0 upgrade
+
+
+
+
+**Data Aggregation Scope**
+
+  * Service-Linked Config Aggregator can aggregate configuration data from:
+
+    * Control Tower managed accounts
+
+    * Non-Control Tower managed accounts
+
+    * Any account with an active Config recorder in your organization
+
+
+
+
+**Access Controls**
+
+  * Access to aggregated data is managed through IAM policies
+
+  * The AWS Config central aggregator account has central access to all aggregated data
+
+  * Member accounts maintain their individual AWS Config recorders
+
+
+
+
+### Best Practices
+
+**Config Central Aggregator Account Selection**
+
+  * Choose an account dedicated to security and compliance monitoring
+
+  * Ensure appropriate access controls are in place
+
+  * Consider using an existing audit or security account
+
+
+
+
+**Data Management**
+
+  * Regularly review aggregated configuration data
+
+  * Implement appropriate retention policies
+
+  * Monitor AWS Config recorder status across accounts
+
+
+
+
+### Migration Impact
+
+When upgrading to Landing Zone 4.0:
+
+**Before Migration**
+
+  * Document existing AWS Config rules and aggregators
+
+  * Review current AWS Config data access patterns
+
+  * Plan for any necessary IAM policy updates
+
+
+
+
+**During Migration**
+
+  * Legacy AWS Config aggregators will be automatically removed
+
+  * Service-Linked Config Aggregator will be deployed
+
+  * Delegated administrator will be configured
+
+
+
+
+**After Migration**
+
+  * Verify Service-Linked Config Aggregator is functioning correctly
+
+  * Confirm data aggregation from member accounts
+
+  * Update monitoring and reporting tools as needed
+
+
+
+