AWS Security ChangesHomeSearch

AWS controltower documentation change

Service: controltower · 2026-03-07 · Documentation low

File: controltower/latest/userguide/config-updates-v4.md

Summary

Updated AWS Control Tower v4 configuration guidance removing references to specific service control policies (SCPs) and emphasizing automatic handling of service-linked Configuration Aggregators

Security assessment

The change removes documentation about manual SCP protections ([Disallow Changes to AWS Config Rules]) as these are now handled automatically through service-linked resources. While this relates to security controls, there is no evidence of a security vulnerability being addressed - rather it reflects architectural changes in resource management.

Diff

diff --git a/controltower/latest/userguide/config-updates-v4.md b/controltower/latest/userguide/config-updates-v4.md
index 2b9e80a9d..2c26dffde 100644
--- a//controltower/latest/userguide/config-updates-v4.md
+++ b//controltower/latest/userguide/config-updates-v4.md
@@ -31 +31 @@ Enabling AWS CloudTrail integration on landing zone 4.0 for the first time will
-    4. Controls associated with the deleted aggregators will be automatically removed. Additionally, since AWS Config Rules and Configuration Aggregator will be service-linked resources, service control policy protection will no longer be required. 
+    4. Since Configuration Aggregator is service-linked, controls associated with deleted aggregators will be automatically removed. 
@@ -37,2 +36,0 @@ Enabling AWS CloudTrail integration on landing zone 4.0 for the first time will
-      3. [Disallow Changes to AWS Config Rules Set Up by AWS Control Tower](https://docs.aws.amazon.com//controltower/latest/controlreference/mandatory-controls.html#config-rule-disallow-changes)
-