AWS Security ChangesHomeSearch

AWS controltower medium security documentation change

Service: controltower · 2026-07-10 · Security-related medium

File: controltower/latest/userguide/roles-how.md

Summary

Removed 'sso:GetPeregrineStatus' permission from Account Factory role requirements and updated explanatory text

Security assessment

Removing unnecessary permissions follows the principle of least privilege, reducing potential attack surface. The explicit removal of 'sso:GetPeregrineStatus' indicates this permission was identified as excessive, mitigating risks of over-privileged roles which could be exploited in privilege escalation attacks.

Diff

diff --git a/controltower/latest/userguide/roles-how.md b/controltower/latest/userguide/roles-how.md
index ef4eee900..21a833276 100644
--- a//controltower/latest/userguide/roles-how.md
+++ b//controltower/latest/userguide/roles-how.md
@@ -313,6 +312,0 @@ If you're provisioning accounts using Lambda functions, the identity that will p
-JSON
-    
-
-****
-    
-    
@@ -336 +329,0 @@ JSON
-                    "sso:GetPeregrineStatus",
@@ -366,2 +359 @@ JSON
-
-The permissions `sso:GetPeregrineStatus`, `sso:ProvisionApplicationInstanceForAWSAccount`, `sso:ProvisionApplicationProfileForAWSAccountInstance`, and `sso:ProvisionSAMLProvide` are required by AWS Control Tower Account Factory to interact with AWS IAM Identity Center.
+The permissions `sso:ProvisionApplicationInstanceForAWSAccount`, `sso:ProvisionApplicationProfileForAWSAccountInstance`, and `sso:ProvisionSAMLProvider` are required by AWS Control Tower Account Factory to interact with AWS IAM Identity Center.