AWS Security ChangesHomeSearch

AWS prescriptive-guidance medium security documentation change

Service: prescriptive-guidance · 2025-11-22 · Security-related medium

File: prescriptive-guidance/latest/designing-control-tower-landing-zone/config-mgmt.md

Summary

Updated AWS Config documentation to reflect changes in Control Tower 4.0, including migration to service-linked configuration aggregator (SLCA), removal of legacy aggregators, and associated control changes.

Security assessment

The change documents the removal of three security controls related to AWS Config resource protection (tag changes, aggregation authorization deletions, and Config rule modifications). However, this is offset by the introduction of service-linked resources that reduce administrative overhead and potential misconfiguration risks. The migration to SLCA represents a security architecture change with implications for compliance monitoring and access controls.

Diff

diff --git a/prescriptive-guidance/latest/designing-control-tower-landing-zone/config-mgmt.md b/prescriptive-guidance/latest/designing-control-tower-landing-zone/config-mgmt.md
index 87b81af55..b61b6c692 100644
--- a//prescriptive-guidance/latest/designing-control-tower-landing-zone/config-mgmt.md
+++ b//prescriptive-guidance/latest/designing-control-tower-landing-zone/config-mgmt.md
@@ -9 +9 @@ Track resource configuration changesView configuration and compliance data
-The AWS Config service enables you to assess, audit, and evaluate the configurations of your AWS resources. It provides a detailed view of how your resources are configured, shows how they relate to one another, and tracks how these configurations change over time. It's similar to a configuration management database that continuously monitors and records your AWS resource configurations, making it easier to audit resource compliance, analyze security postures, and troubleshoot configuration changes across your AWS environment. This service helps you maintain security and governance by tracking resource inventory, configuration history, and configuration change notifications to enable security and regulatory compliance.
+The [AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/WhatIsConfig.html) service enables you to assess, audit, and evaluate the configurations of your AWS resources. It provides a detailed view of how your resources are configured, shows how they relate to one another, and tracks how these configurations change over time. It's similar to a configuration management database that continuously monitors and records your AWS resource configurations, making it easier to audit resource compliance, analyze security postures, and troubleshoot configuration changes across your AWS environment. This service helps you maintain security and governance by tracking resource inventory, configuration history, and configuration change notifications to enable security and regulatory compliance.
@@ -15 +15 @@ AWS Control Tower enables [AWS Config configuration recorders](https://docs.aws.
-AWS Config configuration recorders are enabled by default by AWS Control Tower and set to continuous recording for all relevant AWS resource types in enrolled accounts. If you are concerned about the [costs incurred by AWS Config](https://aws.amazon.com/config/pricing/), you might want to [manage these costs](https://docs.aws.amazon.com/controltower/latest/userguide/config-costs.html). For information about a solution that you can deploy in your landing zone without causing AWS Control Tower drift, see the AWS blog post [Customize AWS Config resource tracking in AWS Control Tower environment](https://aws.amazon.com/blogs/mt/customize-aws-config-resource-tracking-in-aws-control-tower-environment/).
+AWS Config configuration recorders are enabled by default by AWS Control Tower and set to continuous recording for all relevant AWS resource types in enrolled accounts. If you are concerned about the [costs incurred by ](https://aws.amazon.com/config/pricing/)AWS Config, you might want to [manage these costs](https://docs.aws.amazon.com/controltower/latest/userguide/config-costs.html). For information about a solution that you can deploy in your landing zone without causing AWS Control Tower drift, see the AWS blog post [Customize AWS Config resource tracking in AWS Control Tower environment](https://aws.amazon.com/blogs/mt/customize-aws-config-resource-tracking-in-aws-control-tower-environment/).
@@ -19 +19 @@ AWS Config configuration recorders are enabled by default by AWS Control Tower a
-[AWS Config aggregators](https://docs.aws.amazon.com/config/latest/developerguide/aggregate-data.html) provide a centralized way to view configuration and compliance data from multiple AWS accounts and Regions. They act as a central collector that consolidates AWS Config data across your organization and makes it easier to monitor resource configurations and compliance at scale. This capability is particularly valuable for enterprises that manage multiple AWS accounts, because it enables centralized auditing, governance, and compliance monitoring across their entire AWS footprint. AWS Control Tower creates two AWS Config aggregators to help manage and monitor your multi-account environment:
+[AWS Config aggregators](https://docs.aws.amazon.com/config/latest/developerguide/aggregate-data.html) provide a centralized way to view configuration and compliance data from multiple AWS accounts and Regions. They act as a central collector that consolidates AWS Config data across your organization and makes it easier to monitor resource configurations and compliance at scale. This capability is particularly valuable for enterprises that manage multiple AWS accounts, because it enables centralized auditing, governance, and compliance monitoring across their entire AWS footprint. An AWS Control Tower setup with landing zone versions earlier than 4.0 creates two AWS Config aggregators to help manage and monitor your multi-account environment:
@@ -21 +21 @@ AWS Config configuration recorders are enabled by default by AWS Control Tower a
-  * **Organization-level aggregator** (`aws-controltower-ConfigAggregatorForOrganizations`) is created in the management account of your AWS organization. Its primary purpose is to aggregate AWS Config data from all accounts in your organization, even if those accounts aren't enrolled in AWS Control Tower. AWS Config isn't enabled in the managed account by default, so you can't see this aggregator in the AWS Config console. To view the aggregator in the management account, use the AWS CLI command:
+  * **Organization-level aggregator** (`aws-controltower-ConfigAggregatorForOrganizations`) is created in the management account of your AWS organization. Its primary purpose is to aggregate AWS Config data from all accounts in your organization, even if those accounts aren't enrolled in AWS Control Tower. AWS Config isn't enabled in the management account by default, so you can't see this aggregator in the AWS Config console. To view the aggregator in the management account, use the AWS CLI command:
@@ -29,0 +30,23 @@ AWS Config configuration recorders are enabled by default by AWS Control Tower a
+These aggregators are supported in landing zone 3.3 and previous versions. In landing zone version 4.0, AWS Control Tower has migrated to a service-linked configuration aggregator (SLCA).
+
+When you migrate to landing zone version 4.0 with AWS Config integration enabled, you will see the following changes:
+
+  * The existing Audit account is registered as a delegated admin for AWS Config.
+
+  * The SLCA is deployed into the AWS Config integration account. (This is the AWS Config central aggregator account for new customers and the Audit account for existing customers.) The SLCA can aggregate data from any AWS Config recorder in an organization, including accounts that aren't managed by AWS Control Tower.
+
+  * Existing aggregators are deleted. The organization-level aggregator in the management account (`aws-controltower-ConfigAggregatorForOrganizations`) and the security aggregator in the Audit account (`aws-controltower-GuardRailsComplianceAggregator`) are deleted as part of the migration.
+
+  * The following controls that are associated with the deleted aggregators are automatically removed.
+
+    * [Disallow Changes to Tags Created by AWS Control Tower for AWS Config Resources](https://docs.aws.amazon.com/controltower/latest/controlreference/mandatory-controls.html#cloudwatch-disallow-config-changes)
+
+    * [Disallow Deletion of AWS Config Aggregation Authorizations Created by AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/controlreference/mandatory-controls.html#config-aggregation-authorization-policy)
+
+    * [Disallow Changes to AWS Config Rules Set Up by AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/controlreference/mandatory-controls.html#config-rule-disallow-changes)
+
+
+
+
+Additionally, because AWS Config rules and the configuration aggregator are service-linked resources, service control policy (SCP) protection is longer required.
+