AWS controltower documentation change
Summary
Added an entry documenting an update to the AWSControlTowerAccountServiceRolePolicy managed policy, noting new permissions added for BatchDescribeTypeConfigurations API calls for internal service-linked hooks improvements.
Security assessment
This change documents an update to a managed IAM policy, which is security-related documentation. It explains new permissions added for internal improvements, but there's no evidence this addresses a security vulnerability or incident - it appears to be routine policy maintenance for service functionality.
Diff
diff --git a/controltower/latest/userguide/managed-policies-table.md b/controltower/latest/userguide/managed-policies-table.md index 81b66c9c9..ed685ba05 100644 --- a//controltower/latest/userguide/managed-policies-table.md +++ b//controltower/latest/userguide/managed-policies-table.md @@ -10,0 +11 @@ Change | Description | Date +[AWSControlTowerAccountServiceRolePolicy](./access-control-managing-permissions.html#account-service-role-policy) – Update to an existing policy | AWS Control Tower added new permissions that allow AWS Control Tower to make calls to the AWS CloudFormation service API `BatchDescribeTypeConfigurations` for an internal improvement to service-linked hooks. | March 23, 2026