AWS Security ChangesHomeSearch

AWS controltower documentation change

Service: controltower · 2025-11-22 · Documentation low

File: controltower/latest/userguide/managed-policies-table.md

Summary

Updated documentation for AWSControlTowerServiceRolePolicy, introduced AWSControlTowerCloudTrailRolePolicy, and expanded AWSControlTowerAccountServiceRolePolicy permissions. Changes include broader CloudTrail log group management, automated policy updates for CloudTrail integration, and new AWS Config/Organizations permissions.

Security assessment

The changes enhance logging capabilities (CloudTrail integration) and expand monitoring permissions (AWS Config/Organizations), which improve security posture. However, there is no explicit mention of addressing a specific vulnerability or security incident.

Diff

diff --git a/controltower/latest/userguide/managed-policies-table.md b/controltower/latest/userguide/managed-policies-table.md
index b3ad42629..60117c161 100644
--- a//controltower/latest/userguide/managed-policies-table.md
+++ b//controltower/latest/userguide/managed-policies-table.md
@@ -10,0 +11,11 @@ Change | Description | Date
+[AWSControlTowerServiceRolePolicy](./access-control-managing-permissions.html#AWSControlTowerServiceRolePolicy) – Updated managed policy |  AWS Control Tower updated the Amazon CloudWatch Logs resource pattern in the AWSControlTowerServiceRolePolicy to support Landing Zone 4.0's optional AWS CloudTrail integration. The pattern changed from `aws-controltower/CloudTrailLogs:*` to `aws-controltower/CloudTrailLogs*:*`, adding a wildcard character after `CloudTrailLogs` to allow management of log groups with any suffix. This update enables Landing Zone 4.0's optional AWS CloudTrail integration, which allows customers to enable and disable AWS CloudTrail integration multiple times. Each time the integration is enabled, Amazon CloudWatch Logs log groups are recreated with unique suffixes to avoid naming conflicts. The update is backward compatible with existing deployments. | October 31, 2025  
+[AWSControlTowerCloudTrailRolePolicy](./access-control-managing-permissions.html#AWSControlTowerCloudTrailRolePolicy) – New managed policy |  AWS Control Tower introduced the AWSControlTowerCloudTrailRolePolicy managed policy, which allows CloudTrail to create log streams and publish log events to Control Tower-managed Amazon CloudWatch Logs log groups. This managed policy replaces the inline policy previously used by the AWSControlTowerCloudTrailRole, enabling AWS to update the policy without customer intervention. The policy is scoped to log groups with names matching the pattern `aws-controltower/CloudTrailLogs*`. | October 31, 2025  
+[AWSControlTowerAccountServiceRolePolicy](./access-control-managing-permissions.html#account-service-role-policy) – Update to an existing policy |  AWS Control Tower added a new policy that extends the following permissions:
+
+  * AWS Config permissions to create, tag, delete, manage, and read service-linked configuration aggregator
+  * AWS Config permissions to describe all configuration aggregators
+  * AWS Organizations permission to list delegated administrators for AWS Config
+  * AWS Organizations permission to describe organization
+  * CloudFormation permissions to manage service-linked hooks
+
+| November 10, 2025