AWS controltower documentation change
Summary
Added multiple sections about upgrading to version 4.0, including warnings about service integrations, baseline status for Security OU, IAM Identity Center permission sets, AWS Config integration scope, and CentralizedLogging behavior changes.
Security assessment
These changes document important behavioral changes in security-related services (AWS Config, CloudTrail, IAM Identity Center) during version upgrades. They include warnings about potential misconfigurations that could affect security monitoring and governance. However, there's no evidence they address a specific security vulnerability.
Diff
diff --git a/controltower/latest/userguide/key-changes-lz-v4.md b/controltower/latest/userguide/key-changes-lz-v4.md index 6e54acb64..a3b35d15a 100644 --- a//controltower/latest/userguide/key-changes-lz-v4.md +++ b//controltower/latest/userguide/key-changes-lz-v4.md @@ -17,0 +18,4 @@ +###### Upgrading from version 3.3 or earlier to version 4.0 + +Do not disable service integrations (AWS Config, SecurityRoles) as part of the version upgrade. In landing zone versions 3.3 and earlier, AWS Config and SecurityRoles were always enabled implicitly. Version 4.0 surfaces these integrations as configurable options for the first time. After successfully upgrading to version 4.0, you can disable service integrations as desired. + @@ -29,0 +34,8 @@ +**Baseline status for the Security OU:** The AWS Control Tower Baseline and the AWS Config Baseline cannot be applied to the Security OU. The Security OU displays a baseline status of "Not Applicable" for these baselines. This status is expected. The BackupBaseline can be applied to the Security OU. + +AWS Control Tower manages service integration accounts through the landing zone, not through OU-level baselines. If a service integration account displays a baseline status of "Not Enabled" and the associated service integration is disabled, AWS Control Tower no longer manages that account. + +Accounts in the Security OU that are not designated as service integration accounts do not receive baseline resources. To govern these accounts, move them to a managed OU and extend governance. + +**IAM Identity Center permission sets for service integration accounts:** AWS Control Tower provisions IAM Identity Center permission sets for the Logging account and the SecurityRoles account. AWS Control Tower does not provision permission sets for the Config account or the Backup account. To access the Config or Backup account through IAM Identity Center, create permission sets manually using the IAM Identity Center resources that AWS Control Tower deployed. + @@ -59,0 +72,12 @@ +###### Scope of AWS Config service integration enablement + +Enabling the AWS Config service integration at the landing zone level deploys Config recording resources to service integration accounts only. To deploy AWS Config resources (Config Recorder, Delivery Channel) to member accounts, enable the AWS Config baseline on each managed OU individually. + +Enabling the Config integration at the landing zone level is a prerequisite for enabling the Config baseline on OUs. The landing zone-level setting alone does not deploy Config resources to member accounts. + +###### CentralizedLogging behavior change in version 4.0 + +In landing zone versions 3.3 and earlier, disabling CentralizedLogging toggled the Organization CloudTrail to off and retained all deployed resources. In version 4.0, disabling CentralizedLogging deletes all associated resources from the logging account. These resources include the Config Recorder, Delivery Channel, and CloudTrail-related stack instances. After disablement, AWS Control Tower no longer manages the logging account. + +To restore management of the logging account, re-enable CentralizedLogging or move the account to a managed OU and extend governance. +