AWS Security ChangesHomeSearch

AWS controltower high security documentation change

Service: controltower · 2026-05-13 · Security-related high

File: controltower/latest/userguide/shared-account-resources.md

Summary

Updated resource deployment details for Control Tower versions, added new S3 buckets for config logs, and documented transition to service-linked AWS Config rules for detective controls.

Security assessment

Removes guardrails for S3 bucket public access prohibitions and replaces them with service-linked Config rules. This change directly addresses security controls for public bucket access prevention. The added S3 buckets relate to security logging.

Diff

diff --git a/controltower/latest/userguide/shared-account-resources.md b/controltower/latest/userguide/shared-account-resources.md
index 77354f3fd..16671e31a 100644
--- a//controltower/latest/userguide/shared-account-resources.md
+++ b//controltower/latest/userguide/shared-account-resources.md
@@ -24,2 +24,2 @@ AWS Organizations | Service Control Policies | aws-guardrails-*
-AWS CloudFormation | Stacks | AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER AWSControlTowerBP-BASELINE-CONFIG-MASTER (in version 2.6 and later)  
-AWS CloudFormation | StackSets |  AWSControlTowerBP-BASELINE-CLOUDTRAIL (Not deployed in 3.0 and later) AWSControlTowerBP_BASELINE_SERVICE_LINKED_ROLE (Deployed in 3.2 and later) AWSControlTowerBP-BASELINE-CLOUDWATCH AWSControlTowerBP-BASELINE-CONFIG AWSControlTowerBP-BASELINE-ROLES AWSControlTowerBP-BASELINE-SERVICE-ROLES AWSControlTowerBP-SECURITY-TOPICS AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-READ-PROHIBITED AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-WRITE-PROHIBITED AWSControlTowerLoggingResources AWSControlTowerSecurityResources AWSControlTowerExecutionRole  
+AWS CloudFormation | Stacks | AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER AWSControlTowerBP-BASELINE-CONFIG-MASTER (in version 2.6 and later; not deployed in 4.0 and later)  
+AWS CloudFormation | StackSets |  AWSControlTowerBP-BASELINE-CLOUDTRAIL (Not deployed in 3.0 and later) AWSControlTowerBP_BASELINE_SERVICE_LINKED_ROLE (Deployed in 3.2 and later) AWSControlTowerBP-BASELINE-CLOUDWATCH AWSControlTowerBP-BASELINE-CONFIG AWSControlTowerBP-BASELINE-ROLES AWSControlTowerBP-BASELINE-SERVICE-ROLES AWSControlTowerBP-SECURITY-TOPICS AWSControlTowerLoggingResources AWSControlTowerSecurityResources AWSControlTowerExecutionRole AWSControlTowerBP-CONFIG-CENTRAL-S3-BUCKET (Deployed in 4.0 and later)  
@@ -27 +27 @@ AWS Service Catalog | Product | AWS Control Tower Account Factory
-AWS Config | Aggregator | aws-controltower-ConfigAggregatorForOrganizations  
+AWS Config | Aggregator | aws-controltower-ConfigAggregatorForOrganizations (Not deployed in 4.0 and later)  
@@ -38,0 +39,2 @@ The CloudFormation StackSet `BP_BASELINE_CLOUDTRAIL` is not deployed in landing
+As of June 2025, AWS Control Tower deploys detective controls as service-linked AWS Config rules directly in enrolled accounts, instead of through CloudFormation StackSets. The StackSets `AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-READ-PROHIBITED` and `AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-WRITE-PROHIBITED` and their associated stack instances are no longer deployed. For more information, see [Support for detective controls deployed as service-linked AWS Config rules](https://docs.aws.amazon.com/controltower/latest/userguide/2025-all.html#managed-config-controls).
+
@@ -45 +47 @@ AWS service | Resource type | Resource Name
-AWS CloudFormation | Stacks | StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-READ-PROHIBITED- StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-WRITE-PROHIBITED StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH- StackSet-AWSControlTowerBP-BASELINE-CONFIG- StackSet-AWSControlTowerBP-BASELINE-CLOUDTRAIL- StackSet-AWSControlTowerBP-BASELINE-SERVICE-ROLES- StackSet-AWSControlTowerBP-BASELINE-SERVICE-LINKED-ROLE-(In 3.2 and later) StackSet-AWSControlTowerBP-BASELINE-ROLES- StackSet-AWSControlTowerLoggingResources-  
+AWS CloudFormation | Stacks |  StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH- StackSet-AWSControlTowerBP-BASELINE-CONFIG- StackSet-AWSControlTowerBP-BASELINE-CLOUDTRAIL- StackSet-AWSControlTowerBP-BASELINE-SERVICE-ROLES- StackSet-AWSControlTowerBP-BASELINE-SERVICE-LINKED-ROLE-(In 3.2 and later) StackSet-AWSControlTowerBP-BASELINE-ROLES- StackSet-AWSControlTowerLoggingResources-  
@@ -63,2 +65,3 @@ AWS service | Resource type | Resource name
-AWS CloudFormation | Stacks | StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-READ-PROHIBITED- StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-WRITE-PROHIBITED- StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH- StackSet-AWSControlTowerBP-BASELINE-CONFIG- StackSet-AWSControlTowerBP-BASELINE-CLOUDTRAIL- StackSet-AWSControlTowerBP-BASELINE-SERVICE-ROLES- StackSet-AWSControlTowerBP-BASELINE-SERVICE-LINKED-ROLE-(In 3.2 and later) StackSet-AWSControlTowerBP-SECURITY-TOPICS- StackSet-AWSControlTowerBP-BASELINE-ROLES- StackSet-AWSControlTowerSecurityResources-*  
-AWS Config | Aggregator | aws-controltower-GuardrailsComplianceAggregator  
+AWS CloudFormation | Stacks |  StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH- StackSet-AWSControlTowerBP-BASELINE-CONFIG- StackSet-AWSControlTowerBP-BASELINE-CLOUDTRAIL- StackSet-AWSControlTowerBP-BASELINE-SERVICE-ROLES- StackSet-AWSControlTowerBP-BASELINE-SERVICE-LINKED-ROLE-(In 3.2 and later) StackSet-AWSControlTowerBP-SECURITY-TOPICS- StackSet-AWSControlTowerBP-BASELINE-ROLES- StackSet-AWSControlTowerSecurityResources-* StackSet-AWSControlTowerBP-CONFIG-CENTRAL-S3-BUCKET- (Deployed in 4.0 and later)  
+AWS Config | Aggregator | aws-controltower-GuardrailsComplianceAggregator (Not deployed in 4.0 and later)  
+AWS Config | Aggregator | aws-controltower-ConfigAggregatorForOrganizations (Deployed in 4.0 and later)  
@@ -72,0 +76 @@ AWS Lambda | Functions | aws-controltower-NotificationForwarder
+Amazon Simple Storage Service | Buckets | aws-controltower-config-logs-* (Deployed in 4.0 and later) aws-controltower-config-access-logs-* (Deployed in 4.0 and later)