AWS Security ChangesHomeSearch

AWS prescriptive-guidance documentation change

Service: prescriptive-guidance · 2026-07-10 · Documentation low

File: prescriptive-guidance/latest/designing-control-tower-landing-zone/controls.md

Summary

Restructured section headings, fixed a link, removed AWS Lambda reference from detective controls, and introduced a typo in a heading.

Security assessment

Changes are structural/formatting improvements without security context. Removal of 'AWS Lambda functions' doesn't indicate a security fix but rather documentation refinement.

Diff

diff --git a/prescriptive-guidance/latest/designing-control-tower-landing-zone/controls.md b/prescriptive-guidance/latest/designing-control-tower-landing-zone/controls.md
index 878c17bd8..a36022554 100644
--- a//prescriptive-guidance/latest/designing-control-tower-landing-zone/controls.md
+++ b//prescriptive-guidance/latest/designing-control-tower-landing-zone/controls.md
@@ -6,0 +7,2 @@
+Control guidance levelsLimitations for preventive controlsAutomating controls
+
@@ -13 +15 @@
-  * **Detective controls** continuously monitor resources to detect non-compliance in your accounts, and then provide alerts through the dashboard. For example, the control [Detect Whether Unrestricted Incoming TCP Traffic is Allowed](https://docs.aws.amazon.com/controltower/latest/controlreference/strongly-recommended-controls.html#rdp-disallow-internet) can detect whether a security group is set up with unrestricted incoming TCP traffic and alert the user to restrict their incoming protocols. Detective controls are implemented by using [AWS Config Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html) and AWS Lambda functions.
+  * **Detective controls** continuously monitor resources to detect non-compliance in your accounts, and then provide alerts through the dashboard. For example, the control [Detect Whether Unrestricted Incoming TCP Traffic is Allowed ](https://docs.aws.amazon.com/controltower/latest/controlreference/strongly-recommended-controls.html#rdp-disallow-internet)can detect whether a security group is set up with unrestricted incoming TCP traffic and alert the user to restrict their incoming protocols. Detective controls are implemented by using [AWS Config Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html).
@@ -24 +26 @@ SCPs (preventive controls) don't have any effect in the management account. The
-**Control guidance levels**
+## Control guidance levels
@@ -34 +36 @@ You can use custom SCPs and AWS Config Rules for additional detection and preven
-**Limitations for preventive controls**
+## Limitations for preventive controls
@@ -38 +40 @@ You can have a maximum of five SCPs attached to an OU and a maximum of five OU l
-**Automating controls**
+## Automating controls
@@ -53 +55 @@ You can automatically activate and deactivate controls by using any of the follo
-For more information about automating controls, see [About controls in AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/controlreference/controls.html) in the AWS Control Tower documentation. The following sections discuss [mandatory controls](./mandatory.html), [optional controls](./optional.html), and [custom controls](./custom.html) in more detail.
+For more information about automating controls, see [About controls in AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/controlreference/controls.html) in the AWS Control Tower documentation. The following sections discuss [mandatory controls](./mandatory.html), [optional controls,](./optional.html) and [custom controls](./custom.html) in more detail.
@@ -61 +63 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please
-Configuring account structure and OUs
+Configuring acount structure and OUs
@@ -63 +65 @@ Configuring account structure and OUs
-Mandatory controls
+Networking integration