AWS controltower documentation change
Summary
Updated permissions documentation to reference Security Hub CSPM controls and drift detection processes
Security assessment
The changes clarify permissions related to CSPM security controls but do not indicate a security vulnerability fix. The updates document security-related permissions for a security feature (CSPM).
Diff
diff --git a/controltower/latest/userguide/access-control-managing-permissions.md b/controltower/latest/userguide/access-control-managing-permissions.md index e3902c2fb..ae83cd067 100644 --- a//controltower/latest/userguide/access-control-managing-permissions.md +++ b//controltower/latest/userguide/access-control-managing-permissions.md @@ -335 +335 @@ This AWS-managed policy allows AWS Control Tower to call AWS services that provi -The policy contains the minimum permissions for AWS Control Tower to implement AWS Security Hub findings forwarding for resources managed by Security Hub controls that are part of the **Security Hub Service-managed Standard: AWS Control Tower** , and it prevents changes that restrict the ability to manage customer accounts. It is part of background AWS Security Hub drift detection process that is not directly initiated by a customer. +The policy contains the minimum permissions for AWS Control Tower to implement AWS Security Hub CSPM findings forwarding for resources managed by Security Hub CSPM controls that are part of the **Security Hub CSPM Service-managed Standard: AWS Control Tower** , and it prevents changes that restrict the ability to manage customer accounts. It is part of background AWS Security Hub CSPM drift detection process that is not directly initiated by a customer. @@ -337 +337 @@ The policy contains the minimum permissions for AWS Control Tower to implement A -The policy gives permissions to create Amazon EventBridge rules, specifically for Security Hub controls, in each member account, and these rules must specify an exact EventPattern. Also, a rule can operate only on rules managed by our service principal. +The policy gives permissions to create Amazon EventBridge rules, specifically for Security Hub CSPM controls, in each member account, and these rules must specify an exact EventPattern. Also, a rule can operate only on rules managed by our service principal.