AWS controltower high security documentation change
Summary
Updated resource deployment details for Control Tower versions, added new S3 buckets for config logs, and documented transition to service-linked AWS Config rules for detective controls.
Security assessment
Removes guardrails for S3 bucket public access prohibitions and replaces them with service-linked Config rules. This change directly addresses security controls for public bucket access prevention. The added S3 buckets relate to security logging.
Diff
diff --git a/controltower/latest/userguide/shared-account-resources.md b/controltower/latest/userguide/shared-account-resources.md index 77354f3fd..16671e31a 100644 --- a//controltower/latest/userguide/shared-account-resources.md +++ b//controltower/latest/userguide/shared-account-resources.md @@ -24,2 +24,2 @@ AWS Organizations | Service Control Policies | aws-guardrails-* -AWS CloudFormation | Stacks | AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER AWSControlTowerBP-BASELINE-CONFIG-MASTER (in version 2.6 and later) -AWS CloudFormation | StackSets | AWSControlTowerBP-BASELINE-CLOUDTRAIL (Not deployed in 3.0 and later) AWSControlTowerBP_BASELINE_SERVICE_LINKED_ROLE (Deployed in 3.2 and later) AWSControlTowerBP-BASELINE-CLOUDWATCH AWSControlTowerBP-BASELINE-CONFIG AWSControlTowerBP-BASELINE-ROLES AWSControlTowerBP-BASELINE-SERVICE-ROLES AWSControlTowerBP-SECURITY-TOPICS AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-READ-PROHIBITED AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-WRITE-PROHIBITED AWSControlTowerLoggingResources AWSControlTowerSecurityResources AWSControlTowerExecutionRole +AWS CloudFormation | Stacks | AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER AWSControlTowerBP-BASELINE-CONFIG-MASTER (in version 2.6 and later; not deployed in 4.0 and later) +AWS CloudFormation | StackSets | AWSControlTowerBP-BASELINE-CLOUDTRAIL (Not deployed in 3.0 and later) AWSControlTowerBP_BASELINE_SERVICE_LINKED_ROLE (Deployed in 3.2 and later) AWSControlTowerBP-BASELINE-CLOUDWATCH AWSControlTowerBP-BASELINE-CONFIG AWSControlTowerBP-BASELINE-ROLES AWSControlTowerBP-BASELINE-SERVICE-ROLES AWSControlTowerBP-SECURITY-TOPICS AWSControlTowerLoggingResources AWSControlTowerSecurityResources AWSControlTowerExecutionRole AWSControlTowerBP-CONFIG-CENTRAL-S3-BUCKET (Deployed in 4.0 and later) @@ -27 +27 @@ AWS Service Catalog | Product | AWS Control Tower Account Factory -AWS Config | Aggregator | aws-controltower-ConfigAggregatorForOrganizations +AWS Config | Aggregator | aws-controltower-ConfigAggregatorForOrganizations (Not deployed in 4.0 and later) @@ -38,0 +39,2 @@ The CloudFormation StackSet `BP_BASELINE_CLOUDTRAIL` is not deployed in landing +As of June 2025, AWS Control Tower deploys detective controls as service-linked AWS Config rules directly in enrolled accounts, instead of through CloudFormation StackSets. The StackSets `AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-READ-PROHIBITED` and `AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-WRITE-PROHIBITED` and their associated stack instances are no longer deployed. For more information, see [Support for detective controls deployed as service-linked AWS Config rules](https://docs.aws.amazon.com/controltower/latest/userguide/2025-all.html#managed-config-controls). + @@ -45 +47 @@ AWS service | Resource type | Resource Name -AWS CloudFormation | Stacks | StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-READ-PROHIBITED- StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-WRITE-PROHIBITED StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH- StackSet-AWSControlTowerBP-BASELINE-CONFIG- StackSet-AWSControlTowerBP-BASELINE-CLOUDTRAIL- StackSet-AWSControlTowerBP-BASELINE-SERVICE-ROLES- StackSet-AWSControlTowerBP-BASELINE-SERVICE-LINKED-ROLE-(In 3.2 and later) StackSet-AWSControlTowerBP-BASELINE-ROLES- StackSet-AWSControlTowerLoggingResources- +AWS CloudFormation | Stacks | StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH- StackSet-AWSControlTowerBP-BASELINE-CONFIG- StackSet-AWSControlTowerBP-BASELINE-CLOUDTRAIL- StackSet-AWSControlTowerBP-BASELINE-SERVICE-ROLES- StackSet-AWSControlTowerBP-BASELINE-SERVICE-LINKED-ROLE-(In 3.2 and later) StackSet-AWSControlTowerBP-BASELINE-ROLES- StackSet-AWSControlTowerLoggingResources- @@ -63,2 +65,3 @@ AWS service | Resource type | Resource name -AWS CloudFormation | Stacks | StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-READ-PROHIBITED- StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-WRITE-PROHIBITED- StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH- StackSet-AWSControlTowerBP-BASELINE-CONFIG- StackSet-AWSControlTowerBP-BASELINE-CLOUDTRAIL- StackSet-AWSControlTowerBP-BASELINE-SERVICE-ROLES- StackSet-AWSControlTowerBP-BASELINE-SERVICE-LINKED-ROLE-(In 3.2 and later) StackSet-AWSControlTowerBP-SECURITY-TOPICS- StackSet-AWSControlTowerBP-BASELINE-ROLES- StackSet-AWSControlTowerSecurityResources-* -AWS Config | Aggregator | aws-controltower-GuardrailsComplianceAggregator +AWS CloudFormation | Stacks | StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH- StackSet-AWSControlTowerBP-BASELINE-CONFIG- StackSet-AWSControlTowerBP-BASELINE-CLOUDTRAIL- StackSet-AWSControlTowerBP-BASELINE-SERVICE-ROLES- StackSet-AWSControlTowerBP-BASELINE-SERVICE-LINKED-ROLE-(In 3.2 and later) StackSet-AWSControlTowerBP-SECURITY-TOPICS- StackSet-AWSControlTowerBP-BASELINE-ROLES- StackSet-AWSControlTowerSecurityResources-* StackSet-AWSControlTowerBP-CONFIG-CENTRAL-S3-BUCKET- (Deployed in 4.0 and later) +AWS Config | Aggregator | aws-controltower-GuardrailsComplianceAggregator (Not deployed in 4.0 and later) +AWS Config | Aggregator | aws-controltower-ConfigAggregatorForOrganizations (Deployed in 4.0 and later) @@ -72,0 +76 @@ AWS Lambda | Functions | aws-controltower-NotificationForwarder +Amazon Simple Storage Service | Buckets | aws-controltower-config-logs-* (Deployed in 4.0 and later) aws-controltower-config-access-logs-* (Deployed in 4.0 and later)