AWS Security ChangesHomeSearch

AWS prescriptive-guidance documentation change

Service: prescriptive-guidance · 2026-07-10 · Documentation low

File: prescriptive-guidance/latest/designing-control-tower-landing-zone/setup.md

Summary

Formatting improvements to table structure, added explicit note sections for Log Archive/Audit accounts and KMS encryption, fixed typo in section header

Security assessment

Changes are documentation formatting improvements and clarification of existing security features (KMS encryption). No vulnerability or security incident is addressed. Notes emphasize immutability of account configurations post-setup, which is operational guidance.

Diff

diff --git a/prescriptive-guidance/latest/designing-control-tower-landing-zone/setup.md b/prescriptive-guidance/latest/designing-control-tower-landing-zone/setup.md
index 7c36e9eb1..4ddbd6139 100644
--- a//prescriptive-guidance/latest/designing-control-tower-landing-zone/setup.md
+++ b//prescriptive-guidance/latest/designing-control-tower-landing-zone/setup.md
@@ -33 +33 @@ The following table shows the required parameters for setting up a landing zone.
-**Category** | **Parameter** | **Sample values**  
+Category| Parameter| Sample values  
@@ -35 +35 @@ The following table shows the required parameters for setting up a landing zone.
-AWS Regions | _Home Region_ This is the AWS Region where shared resources will be provisioned. You cannot change the home Region after the landing zone is set up, but you can add more Regions to govern. | Your current Region (as reflected in the AWS Region selector on the navigation bar). This field is not editable.  
+Regions|  _Home Region_ This is the AWS Region where shared resources will be provisioned. You cannot change the home Region after the landing zone is set up, but you can add more Regions to govern.| Your current Region (as reflected in the AWS Region selector on the navigation bar). This field is not editable.  
@@ -41 +41,5 @@ _Log Archive account options_ Either create a new account or use your existing L
-_Log Archive account details_ If you are creating a new account, specify a unique email address that is not yet associated with an AWS account. You can also specify the account name. The default name is Log Archive. If you are using an existing Log Archive account, specify the AWS account ID. **Note** : These details cannot be edited after the landing zone has been set up. | [email protected] Archive  
+ _Log Archive account details_ If you are creating a new account, specify a unique email address that is not yet associated with an AWS account. You can also specify the account name. The default name is Log Archive. If you are using an existing Log Archive account, specify the AWS account ID. 
+
+###### Note
+
+These details cannot be edited after the landing zone has been set up.| [email protected] Archive  
@@ -43,2 +47,10 @@ _Audit account options_ Either create a new account or use your existing Audit a
-_Audit account details_ If you are creating a new account, specify a unique email address that is not yet associated with an AWS account. Also specify the account name. The default name is Audit. If you are using an existing audit account, specify the AWS account ID. **Note:** These details cannot be edited after the landing zone has been set up. | [email protected]  
-Additional configurations**Note:** These are optional configurations. You can leave them at their default settings or choose your own configuration. | _AWS account access configuration_ You can optionally choose to manage account access yourself or accept the default IAM Identity Center setup in AWS Control Tower. | AWS Control Tower sets up AWS account access with IAM Identity Center.  
+ _Audit account details_ If you are creating a new account, specify a unique email address that is not yet associated with an AWS account. Also specify the account name. The default name is Audit. If you are using an existing audit account, specify the AWS account ID. 
+
+###### Note
+
+These details cannot be edited after the landing zone has been set up.| [email protected]  
+Additional configurations
+
+###### Note
+
+These are optional configurations. You can leave them at their default settings or choose your own configuration.| _AWS account access configuration_ You can optionally choose to manage account access yourself or accept the default IAM Identity Center setup in AWS Control Tower.| AWS Control Tower sets up AWS account access with IAM Identity Center.  
@@ -47 +59,5 @@ _Log configuration for Amazon S3_ You can optionally configure log retention for
-_KMS encryption_ You can optionally enable encryption for AWS Control Tower resources by using an AWS Key Management Service (AWS KMS) customer managed key. If you enable encryption, you are asked to specify the key name or Amazon Resource Name (ARN) of the customer managed key to be used.**Note:** If you don't enable this option, AWS Control Tower uses SSE-S3 encryption with AWS managed keys as the default configuration. | Disabled  
+_KMS encryption_ You can optionally enable encryption for AWS Control Tower resources by using an AWS Key Management Service (AWS KMS) customer managed key. If you enable encryption, you are asked to specify the key name or Amazon Resource Name (ARN) of the customer managed key to be used.
+
+###### Note
+
+If you don't enable this option, AWS Control Tower uses SSE-S3 encryption with AWS managed keys as the default configuration.| Disabled  
@@ -57 +73 @@ Introduction
-Configuring account structure and OUs
+Configuring acount structure and OUs