AWS controltower documentation change
Summary
Updated AWS Control Tower v4 configuration guidance removing references to specific service control policies (SCPs) and emphasizing automatic handling of service-linked Configuration Aggregators
Security assessment
The change removes documentation about manual SCP protections ([Disallow Changes to AWS Config Rules]) as these are now handled automatically through service-linked resources. While this relates to security controls, there is no evidence of a security vulnerability being addressed - rather it reflects architectural changes in resource management.
Diff
diff --git a/controltower/latest/userguide/config-updates-v4.md b/controltower/latest/userguide/config-updates-v4.md index 2b9e80a9d..2c26dffde 100644 --- a//controltower/latest/userguide/config-updates-v4.md +++ b//controltower/latest/userguide/config-updates-v4.md @@ -31 +31 @@ Enabling AWS CloudTrail integration on landing zone 4.0 for the first time will - 4. Controls associated with the deleted aggregators will be automatically removed. Additionally, since AWS Config Rules and Configuration Aggregator will be service-linked resources, service control policy protection will no longer be required. + 4. Since Configuration Aggregator is service-linked, controls associated with deleted aggregators will be automatically removed. @@ -37,2 +36,0 @@ Enabling AWS CloudTrail integration on landing zone 4.0 for the first time will - 3. [Disallow Changes to AWS Config Rules Set Up by AWS Control Tower](https://docs.aws.amazon.com//controltower/latest/controlreference/mandatory-controls.html#config-rule-disallow-changes) -