AWS controltower documentation change
Summary
Reorganized policy entries and added an update for AWSControlTowerAccountServiceRolePolicy improving EventBridge rule condition validation
Security assessment
The change documents an IAM policy update that enhances validation precision for EventBridge rules using 'ForAllValues:StringEquals'. While this relates to security features (IAM policies), there is no evidence of a specific security vulnerability being addressed. The description explicitly states functional permissions remain unchanged.
Diff
diff --git a/controltower/latest/userguide/managed-policies-table.md b/controltower/latest/userguide/managed-policies-table.md index 3cbe1bbd4..81b66c9c9 100644 --- a//controltower/latest/userguide/managed-policies-table.md +++ b//controltower/latest/userguide/managed-policies-table.md @@ -11,2 +11 @@ Change | Description | Date -[AWSControlTowerServiceRolePolicy](./access-control-managing-permissions.html#AWSControlTowerServiceRolePolicy) – Updated managed policy | AWS Control Tower updated the Amazon CloudWatch Logs resource pattern in the AWSControlTowerServiceRolePolicy to support Landing Zone 4.0's optional AWS CloudTrail integration. The pattern changed from `aws-controltower/CloudTrailLogs:*` to `aws-controltower/CloudTrailLogs*:*`, adding a wildcard character after `CloudTrailLogs` to allow management of log groups with any suffix. This update enables Landing Zone 4.0's optional AWS CloudTrail integration, which allows customers to enable and disable AWS CloudTrail integration multiple times. Each time the integration is enabled, Amazon CloudWatch Logs log groups are recreated with unique suffixes to avoid naming conflicts. The update is backward compatible with existing deployments. | October 31, 2025 -[AWSControlTowerCloudTrailRolePolicy](./access-control-managing-permissions.html#AWSControlTowerCloudTrailRolePolicy) – New managed policy | AWS Control Tower introduced the AWSControlTowerCloudTrailRolePolicy managed policy, which allows CloudTrail to create log streams and publish log events to Control Tower-managed Amazon CloudWatch Logs log groups. This managed policy replaces the inline policy previously used by the AWSControlTowerCloudTrailRole, enabling AWS to update the policy without customer intervention. The policy is scoped to log groups with names matching the pattern `aws-controltower/CloudTrailLogs*`. | October 31, 2025 +[AWSControlTowerAccountServiceRolePolicy](./access-control-managing-permissions.html#account-service-role-policy) – Update to an existing policy | AWS Control Tower updated an existing policy to improve validation precision for Amazon EventBridge rule conditions. The update moves the `events:detail-type` condition from `StringEquals` to `ForAllValues:StringEquals` for better event pattern matching control while maintaining the same functional permissions. | December 30, 2025 @@ -21,0 +21,2 @@ Change | Description | Date +[AWSControlTowerServiceRolePolicy](./access-control-managing-permissions.html#AWSControlTowerServiceRolePolicy) – Updated managed policy | AWS Control Tower updated the Amazon CloudWatch Logs resource pattern in the AWSControlTowerServiceRolePolicy to support Landing Zone 4.0's optional AWS CloudTrail integration. The pattern changed from `aws-controltower/CloudTrailLogs:*` to `aws-controltower/CloudTrailLogs*:*`, adding a wildcard character after `CloudTrailLogs` to allow management of log groups with any suffix. This update enables Landing Zone 4.0's optional AWS CloudTrail integration, which allows customers to enable and disable AWS CloudTrail integration multiple times. Each time the integration is enabled, Amazon CloudWatch Logs log groups are recreated with unique suffixes to avoid naming conflicts. The update is backward compatible with existing deployments. | October 31, 2025 +[AWSControlTowerCloudTrailRolePolicy](./access-control-managing-permissions.html#AWSControlTowerCloudTrailRolePolicy) – New managed policy | AWS Control Tower introduced the AWSControlTowerCloudTrailRolePolicy managed policy, which allows CloudTrail to create log streams and publish log events to Control Tower-managed Amazon CloudWatch Logs log groups. This managed policy replaces the inline policy previously used by the AWSControlTowerCloudTrailRole, enabling AWS to update the policy without customer intervention. The policy is scoped to log groups with names matching the pattern `aws-controltower/CloudTrailLogs*`. | October 31, 2025