AWS Security ChangesHomeSearch

AWS controltower documentation change

Service: controltower · 2025-12-10 · Documentation low

File: controltower/latest/userguide/2023-all.md

Summary

Updated references from 'AWS Security Hub controls' to 'AWS Security Hub CSPM controls' throughout the document, clarifying the type of security controls being referenced.

Security assessment

The changes specify CSPM (Cloud Security Posture Management) controls, which are security-related features. However, there is no evidence of addressing a specific security vulnerability; rather, the updates refine documentation accuracy for existing security controls. This improves clarity about security features but does not indicate a security fix.

Diff

diff --git a/controltower/latest/userguide/2023-all.md b/controltower/latest/userguide/2023-all.md
index d0b7fe594..7e2d027eb 100644
--- a//controltower/latest/userguide/2023-all.md
+++ b//controltower/latest/userguide/2023-all.md
@@ -5 +5 @@
-Transition to new AWS Service Catalog External product type (phase 3)AWS Control Tower landing zone version 3.3Transition to new AWS Service Catalog External product type (phase 2)AWS Control Tower announces controls to assist digital sovereigntyAWS Control Tower landing zone APIsAWS Control Tower control tagging APIsAWS Control Tower available in AWS Asia Pacific (Melbourne)Transition to new AWS Service Catalog External product type (phase 1)AWS Control Tower adds new control APIAWS Control Tower adds new controlsAWS Control Tower detects trusted access driftAWS Control Tower available in four additional AWS RegionsAWS Control Tower available in AWS Israel (Tel Aviv)AWS Control Tower adds 28 new proactive controlsAWS Control Tower deprecates two controlsAWS Control Tower landing zone version 3.2AWS Control Tower adds email-to-ID mapping for IAM Identity CenterAWS Control Tower adds more AWS Security Hub controlsAWS Control Tower publishes metadata for AWS Security Hub controlsAWS Control Tower adds Account Factory Customization (AFC) for TerraformAWS Control Tower adds self-managed IAM identity centerAWS Control Tower adds mixed governance noteAWS Control Tower adds new proactive controlsAWS Control Tower updates Amazon EC2 controlsAWS Control Tower available in seven additional AWS RegionsAWS Control Tower Account Factory Customization (AFC) and request tracing generally availableAWS Control Tower landing zone version 3.1AWS Control Tower proactive controls generally available
+Transition to new AWS Service Catalog External product type (phase 3)AWS Control Tower landing zone version 3.3Transition to new AWS Service Catalog External product type (phase 2)AWS Control Tower announces controls to assist digital sovereigntyAWS Control Tower landing zone APIsAWS Control Tower control tagging APIsAWS Control Tower available in AWS Asia Pacific (Melbourne)Transition to new AWS Service Catalog External product type (phase 1)AWS Control Tower adds new control APIAWS Control Tower adds new controlsAWS Control Tower detects trusted access driftAWS Control Tower available in four additional AWS RegionsAWS Control Tower available in AWS Israel (Tel Aviv)AWS Control Tower adds 28 new proactive controlsAWS Control Tower deprecates two controlsAWS Control Tower landing zone version 3.2AWS Control Tower adds email-to-ID mapping for IAM Identity CenterAWS Control Tower adds more AWS Security Hub CSPM controlsAWS Control Tower publishes metadata for AWS Security Hub CSPM controlsAWS Control Tower adds Account Factory Customization (AFC) for TerraformAWS Control Tower adds self-managed IAM identity centerAWS Control Tower adds mixed governance noteAWS Control Tower adds new proactive controlsAWS Control Tower updates Amazon EC2 controlsAWS Control Tower available in seven additional AWS RegionsAWS Control Tower Account Factory Customization (AFC) and request tracing generally availableAWS Control Tower landing zone version 3.1AWS Control Tower proactive controls generally available
@@ -45 +45 @@ In 2023, AWS Control Tower released the following updates:
-  * AWS Control Tower adds more AWS Security Hub controls
+  * AWS Control Tower adds more AWS Security Hub CSPM controls
@@ -47 +47 @@ In 2023, AWS Control Tower released the following updates:
-  * AWS Control Tower publishes metadata for AWS Security Hub controls
+  * AWS Control Tower publishes metadata for AWS Security Hub CSPM controls
@@ -343 +343 @@ The deprecated controls are no longer available in any AWS Region.
-AWS Control Tower landing zone version 3.2 brings the controls that are part of the AWS Security Hub **Service-Managed Standard: AWS Control Tower** to general availability. It introduces the ability to view the drift status of controls that are part of this standard in the AWS Control Tower console.
+AWS Control Tower landing zone version 3.2 brings the controls that are part of the AWS Security Hub CSPM **Service-Managed Standard: AWS Control Tower** to general availability. It introduces the ability to view the drift status of controls that are part of this standard in the AWS Control Tower console.
@@ -345 +345 @@ AWS Control Tower landing zone version 3.2 brings the controls that are part of
-This update includes a new service-linked role (SLR), called the **AWSServiceRoleForAWSControlTower**. This role assists AWS Control Tower by creating an EventBridge Managed Rule, called the **AWSControlTowerManagedRule** in each member account. This managed rule collects AWS Security Hub **Finding** events, from with AWS Control Tower can determine control drift.
+This update includes a new service-linked role (SLR), called the **AWSServiceRoleForAWSControlTower**. This role assists AWS Control Tower by creating an EventBridge Managed Rule, called the **AWSControlTowerManagedRule** in each member account. This managed rule collects AWS Security Hub CSPM **Finding** events, from with AWS Control Tower can determine control drift.
@@ -353 +353 @@ The landing zone 3.2 update also includes a new StackSet resource in the managem
-When reporting Security Hub control drift (in landing zone 3.2 and later), AWS Control Tower receives a daily status update from Security Hub. Although controls are active in every governed Region, AWS Control Tower sends the AWS Security Hub **Finding** events to the AWS Control Tower home Region only. For more information, see [Security Hub control drift reporting](https://docs.aws.amazon.com//controltower/latest/controlreference/security-hub-controls.html#sh-drift).
+When reporting Security Hub CSPM control drift (in landing zone 3.2 and later), AWS Control Tower receives a daily status update from Security Hub CSPM. Although controls are active in every governed Region, AWS Control Tower sends the AWS Security Hub CSPM **Finding** events to the AWS Control Tower home Region only. For more information, see [Security Hub control drift reporting](https://docs.aws.amazon.com//controltower/latest/controlreference/security-hub-controls.html#sh-drift).
@@ -405 +405 @@ Email-to-ID mapping is available in all AWS Regions where AWS Control Tower is a
-## AWS Control Tower adds more AWS Security Hub controls
+## AWS Control Tower adds more AWS Security Hub CSPM controls
@@ -411 +411 @@ Email-to-ID mapping is available in all AWS Regions where AWS Control Tower is a
-AWS Control Tower has added more AWS Security Hub controls to the AWS Control Tower library of controls. These controls help you enforce best practices for your AWS resources. For more information about the new controls, see [Control categories](https://docs.aws.amazon.com//controltower/latest/userguide/control-categories.html).
+AWS Control Tower has added more AWS Security Hub CSPM controls to the AWS Control Tower library of controls. These controls help you enforce best practices for your AWS resources. For more information about the new controls, see [Control categories](https://docs.aws.amazon.com//controltower/latest/userguide/control-categories.html).
@@ -415 +415 @@ The new controls are available in all AWS Regions where AWS Control Tower is ava
-## AWS Control Tower publishes metadata for AWS Security Hub controls
+## AWS Control Tower publishes metadata for AWS Security Hub CSPM controls
@@ -421 +421 @@ The new controls are available in all AWS Regions where AWS Control Tower is ava
-AWS Control Tower now publishes metadata for AWS Security Hub controls. This metadata includes information about the control, such as the control ID, control title, and control description. For more information about the metadata, see [Control metadata](https://docs.aws.amazon.com//controltower/latest/userguide/control-metadata.html).
+AWS Control Tower now publishes metadata for AWS Security Hub CSPM controls. This metadata includes information about the control, such as the control ID, control title, and control description. For more information about the metadata, see [Control metadata](https://docs.aws.amazon.com//controltower/latest/userguide/control-metadata.html).
@@ -503 +503 @@ AWS Control Tower landing zone version 3.1 includes the following updates:
-  * Deactivation of server access logging for the AWS Control Tower access logging bucket causes Security Hub to create a finding for the Log Archive account's _access logging bucket_ , due to an AWS Security Hub rule, [[S3.9] S3 bucket server access logging should be enabled](https://docs.aws.amazon.com//securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-s3-9). In alignment with Security Hub, we recommend that you suppress this particular finding, as stated in the Security Hub description of this rule. For additional information, see [information about suppressed findings](https://docs.aws.amazon.com//securityhub/latest/userguide/finding-workflow-status.html).
+  * Deactivation of server access logging for the AWS Control Tower access logging bucket causes Security Hub CSPM to create a finding for the Log Archive account's _access logging bucket_ , due to an AWS Security Hub CSPM rule, [[S3.9] S3 bucket server access logging should be enabled](https://docs.aws.amazon.com//securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-s3-9). In alignment with Security Hub CSPM, we recommend that you suppress this particular finding, as stated in the Security Hub CSPM description of this rule. For additional information, see [information about suppressed findings](https://docs.aws.amazon.com//securityhub/latest/userguide/finding-workflow-status.html).