January - December 2021 - AWS Control Tower
Region deny capabilitiesData residency featuresAWS Control Tower introduces Terraform account provisioning and customizationNew lifecycle event availableAWS Control Tower enables nested OUsDetective control concurrencyTwo new Regions availableRegion deselectionAWS Control Tower works with AWS Key Management SystemsControls renamed, functionality unchangedAWS Control Tower scans SCPs daily to check for driftCustomized names for OUs and accountsAWS Control Tower landing zone version 2.7Three new AWS Regions availableGovern selected Regions onlyAWS Control Tower now extends governance to existing OUs in your AWS organizationsAWS Control Tower provides bulk account updates

January - December 2021

In 2021, AWS Control Tower released the following updates:

Region deny capabilities

November 30, 2021

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now provides Region deny capabilities, which assist you in limiting access to AWS services and operations for enrolled accounts in your AWS Control Tower environment. The Region deny feature complements existing Region selection and Region deselection features in AWS Control Tower. Together, these features help you to address compliance and regulatory concerns, while balancing the costs associated with expanding into additional Regions.

For example, AWS customers in Germany can deny access to AWS services in Regions outside of the Frankfurt Region. You can select restricted Regions during the AWS Control Tower set up process, or in the Landing zone settings page. The Region deny feature is available when you update your AWS Control Tower landing zone version. Select AWS services are exempt from Region deny capabilities. To learn more, see Configure the Region deny control.

Data residency features

November 30, 2021

(No update required for AWS Control Tower landing zone)

AWS Control Tower now offers purpose-built controls to help ensure that any customer data you upload to AWS services is located only in the AWS Regions that you specify. You can select the AWS Region or Regions in which your customer data is stored and processed. For a full list of AWS Regions where AWS Control Tower is available, see the AWS Region Table.

For granular control, you can apply additional controls, such as Disallow Amazon Virtual Private Network (VPN) connections, or Disallow internet access for an Amazon VPC instance. You can view the compliance status of the controls in the AWS Control Tower console. For a full list of available controls, see The AWS Control Tower controls library.

AWS Control Tower introduces Terraform account provisioning and customization

November 29, 2021

(Optional update for AWS Control Tower landing zone)

You can now employ Terraform to provision and update customized accounts through AWS Control Tower, with AWS Control Tower Account Factory for Terraform (AFT).

AFT provides a single Terraform infrastructure as code (IaC) pipeline, which provisions accounts managed by AWS Control Tower. Customizations during provisioning help to meet your business and security policies, before you give the accounts to end-users.

The AFT automated account creation pipeline monitors until account provisioning is complete, and then it continues, triggering additional Terraform modules that enhance the account with any necessary customizations. As an additional part of the customization process, you can configure the pipeline to install your own custom Terraform modules, and you can choose to add any of the AFT Feature Options, which are provided by AWS for common customizations.

Get started with AWS Control Tower Account Factory for Terraform by following the steps provided in the AWS Control Tower User Guide, Deploy AWS Control Tower Account Factory for Terraform (AFT) , and by downloading AFT for your Terraform instance. AFT supports Terraform Cloud, Terraform Enterprise, and Terraform Open Source distributions.

New lifecycle event available

November 18, 2021

(No update required for AWS Control Tower landing zone)

The PrecheckOrganizationalUnit event logs whether any resources block the Extend governance task from success, including resources in nested OUs. For more information, see PrecheckOrganizationalUnit.

AWS Control Tower enables nested OUs

November 16, 2021

(No update required for AWS Control Tower landing zone)

AWS Control Tower now enables you to include nested OUs as part of your landing zone.

AWS Control Tower provides support for nested organizational units (OUs), allowing you to organize accounts into multiple hierarchy levels, and to enforce preventive controls hierarchically. You can register OUs containing nested OUs, create and register OUs under parent OUs, and enable controls on any registered OU, regardless of depth. To support this functionality, the console shows the number of governed accounts and OUs.

With nested OUs, you can align your AWS Control Tower OUs to the AWS multi-account strategy, and you can reduce the time required to enable controls on multiple OUs, by enforcing controls at the parent OU level.

Key considerations

  1. You can register existing, multi-level OUs with AWS Control Tower one OU at a time, starting with the top-level OU and then proceeding down the tree. For more information, see Expand from flat OU structure to nested OU structure.

  2. Accounts directly under a registered OU are enrolled automatically. Accounts further down the tree can be enrolled by registering their immediate parent OU.

  3. Preventive controls (SCPs) are inherited down the hierarchy automatically; SCPs applied to the parent are inherited by all nested OUs.

  4. Detective controls (AWS Config rules) are NOT inherited automatically.

  5. Compliance with detective controls is reported by each OU.

  6. SCP drift on an OU affects all accounts and OUs under it.

  7. You cannot create new nested OUs under the Security OU (Core OU).

Detective control concurrency

November 5, 2021

(Optional update for AWS Control Tower landing zone)

AWS Control Tower detective controls now support concurrent operations for detective controls, improving the ease of use and performance. You can enable multiple detective controls without waiting for individual control operations to complete.

Supported functionality:

  • Enable different detective controls on the same OU (for example, Detect Whether MFA for the Root User is Enabled and Detect Whether Public Write Access to Amazon S3 Buckets is Allowed).

  • Enable different detective controls on different OUs, concurrently.

  • Guardrail error messaging has been improved to give additional guidance for supported control concurrency operations.

Not supported in this release:

  • Enabling the same detective control on multiple OUs concurrently is not supported.

  • Preventive control concurrency is not supported.

You can experience the detective control concurrency improvements in all versions of AWS Control Tower. It is recommended that customers not currently on version 2.7 perform a landing zone update to take advantage of other features, such as Region selection and deselection, which are available in the latest version.

Two new Regions available

July 29, 2021

(Update required for AWS Control Tower landing zone)

AWS Control Tower is now available in two additional AWS Regions: South America (Sao Paulo), and Europe (Paris). This update expands AWS Control Tower availability to 15 AWS Regions.

If you are new to AWS Control Tower, you can launch it right away in any of the supported Regions. During the launch, you can select the Regions in which you want AWS Control Tower to build and govern your multi-account environment.

If you already have an AWS Control Tower environment and you want to extend or remove AWS Control Tower governance features in one or more supported Regions, go to the Landing Zone Settings page in your AWS Control Tower dashboard, then select the Regions. After updating your landing zone, you must then update all accounts that are governed by AWS Control Tower.

Region deselection

July 29, 2021

(Optional update for AWS Control Tower landing zone)

AWS Control Tower Region deselection enhances your ability to manage the geographical footprint of your AWS Control Tower resources. You can deselect Regions you would no longer like AWS Control Tower to govern. This feature provides you with the capability to address compliance and regulatory concerns while balancing the costs associated with expanding into additional Regions.

Region deselection is available when you update your AWS Control Tower landing zone version.

When you use Account Factory to create a new account or enroll a pre-existing member account, or when you select Extend Governance to enroll accounts in a pre-existing organizational unit, AWS Control Tower deploys its governance capabilities—which include centralized logging, monitoring, and controls— in your chosen Regions in the accounts. Choosing to deselect a Region and remove AWS Control Tower governance from that Region removes that governance functionality, but it does not inhibit your users’ ability to deploy AWS resources or workloads into those Regions.

AWS Control Tower works with AWS Key Management Systems

July 28, 2021

(Optional update for AWS Control Tower landing zone)

AWS Control Tower provides you the option to use an AWS Key Management Service (AWS KMS) key. A key is provided and managed by you, to secure the services that AWS Control Tower deploys, including AWS CloudTrail, AWS Config, and the associated Amazon S3 data. AWS KMS encryption is an enhanced level of encryption over the SSE-S3 encryption that AWS Control Tower uses by default.

The integration of AWS KMS support into AWS Control Tower aligns with the AWS Foundational Security Best Practices, which recommend an added layer of security for your sensitive log files. You should use AWS KMS–managed keys (SSE-KMS) for encryption at rest. AWS KMS encryption support is available when you set up a new landing zone or when you update your existing AWS Control Tower landing zone.

To configure this functionality, you can select KMS Key Configuration during your initial landing zone setup. You can choose an existing KMS key, or you can select a button that directs you to the AWS KMS console to create a new one. You also have the flexibility to change from default encryption to SSE-KMS, or to a different SSE-KMS key.

For an existing AWS Control Tower landing zone, you can perform an update to start using AWS KMS keys.

Controls renamed, functionality unchanged

July 26, 2021

(No update required for AWS Control Tower landing zone)

AWS Control Tower is revising certain control names and descriptions to better reflect the policy intentions of the control. The revised names and descriptions help you understand more intuitively the ways in which controls embody the policies of your accounts. For example, we changed part of the names of detective controls from “Disallow” to “Detect” because the detective control itself does not stop a specific action, it only detects policy violations and provides alerts through the dashboard.

Control functionality, guidance, and implementation remain unchanged. Only the control names and descriptions have been revised.

AWS Control Tower scans SCPs daily to check for drift

May 11, 2021

(No update required for AWS Control Tower landing zone)

AWS Control Tower now performs daily automated scans of your managed SCPs to verify that the corresponding controls are applied correctly and that they have not drifted. If a scan discovers drift, you will receive a notification. AWS Control Tower sends only one notification per drift issue, so if your landing zone already is in a state of drift, you will not receive additional notifications unless a new drift item is found.

Customized names for OUs and accounts

April 16, 2021

(No update required for AWS Control Tower landing zone)

AWS Control Tower now allows you to customize your landing zone naming. You can retain the names that AWS Control Tower recommends for the organizational units (OUs) and core accounts, or you can modify these names during the initial landing zone set up process.

The default names that AWS Control Tower provides for the OUs and core accounts match the AWS multi-account best practices guidance. However, if your company has specific naming policies, or if you already have an existing OU or account with the same recommended name, the new OU and account naming functionality gives you the flexibility to address those constraints.

Separately from that workflow change during setup, the OU formerly known as the Core OU is now called the Security OU, and the OU formerly known as the Custom OU is now called the Sandbox OU. We made this change to improve our alignment with overall AWS best practices guidance for naming.

New customers will see these new OU names. Existing customers will continue to see the original names of these OUs. You may encounter some inconsistencies in OU naming while we are updating our documentation to the new names.

To get started with AWS Control Tower from the AWS Management Console, go to the AWS Control Tower console, and select Set up landing zone in the top right. For additional information, you can read about planning your AWS Control Tower landing zone.

AWS Control Tower landing zone version 2.7

April 8, 2021

(Update required for AWS Control Tower landing zone to version 2.7. For information, see Update Your Landing Zone)

With AWS Control Tower version 2.7, AWS Control Tower introduces four new mandatory preventative Log Archive controls that implement policy solely on AWS Control Tower resources. We have adjusted the guidance on four existing Log Archive controls from mandatory to elective, because they set policy for resources outside of AWS Control Tower. This control change and expansion provides the ability to separate Log Archive governance for resources within AWS Control Tower from governance of resources outside of AWS Control Tower.

The four changed controls can be used in conjunction with the new mandatory controls to provide governance to a broader set of AWS Log Archives. Existing AWS Control Tower environments will keep these four changed controls enabled automatically, for environment consistency; however, these elective controls now can be disabled. New AWS Control Tower environments must enable all elective controls. Existing environments must disable the formerly mandatory controls before adding encryption to Amazon S3 buckets that are not deployed by AWS Control Tower.

New mandatory controls:

  • Disallow Changes to Encryption Configuration for AWS Control Tower Created S3 Buckets in Log Archive

  • Disallow Changes to Logging Configuration for AWS Control Tower Created S3 Buckets in Log Archive

  • Disallow Changes to Bucket Policy for AWS Control Tower Created S3 Buckets in Log Archive

  • Disallow Changes to Lifecycle Configuration for AWS Control Tower Created S3 Buckets in Log Archive

Guidance changed from Mandatory to Elective:

  • Disallow Changes to Encryption Configuration for all Amazon S3 Buckets [Previously: Enable Encryption at Rest for Log Archive]

  • Disallow Changes to Logging Configuration for all Amazon S3 Buckets [Previously: Enable Access Logging for Log Archive]

  • Disallow Changes to Bucket Policy for all Amazon S3 Buckets [Previously: Disallow Policy Changes to Log Archive]

  • Disallow Changes to Lifecycle Configuration for all Amazon S3 Buckets [Previously: Set a Retention Policy for Log Archive]

AWS Control Tower version 2.7 includes changes to the AWS Control Tower landing zone blueprint that can cause incompatibility with previous versions after you upgrade to 2.7.

  • In particular, AWS Control Tower version 2.7 enables BlockPublicAccess automatically on S3 buckets deployed by AWS Control Tower. You can turn this default off if your workload requires access across accounts. For more information about what happens with BlockPublicaccess enabled, see Blocking public access to your Amazon S3 storage.

  • AWS Control Tower version 2.7 includes a requirement for HTTPS. All requests sent to S3 buckets deployed by AWS Control Tower must use secure socket layer (SSL). Only HTTPS requests are allowed to pass. If you use HTTP (without SSL) as an endpoint to send the requests, this change gives you an access denied error, which can potentially break your workflow. This change cannot be reverted after the 2.7 update to your landing zone.

    We recommend that you change your requests to use TLS instead of HTTP.

Three new AWS Regions available

April 8, 2021

(Update required for AWS Control Tower landing zone)

AWS Control Tower is available in three additional AWS Regions: Asia Pacific (Tokyo) Region, Asia Pacific (Seoul) Region, and Asia Pacific (Mumbai) Region. A landing zone update to version 2.7 is required for expanding governance into these Regions.

Your landing zone is not expanded automatically into these Regions when you perform the update to version 2.7, you must view and select them in the Regions table for inclusion.

Govern selected Regions only

February 19, 2021

(No update required for AWS Control Tower landing zone)

AWS Control Tower Region selection provides better ability to manage the geographical footprint of your AWS Control Tower resources. To expand the number of Regions in which you host AWS resources or workloads – for compliance, regulatory, cost, or other reasons – you can now select the additional Regions to govern.

Region selection is available when you set up a new landing zone or update your AWS Control Tower landing zone version. When you use Account Factory to create a new account or enroll a pre-existing member account, or when you use Extend Governance to enroll accounts in a pre-existing organizational unit, AWS Control Tower deploys its governance capabilities of centralized logging, monitoring, and controls in your chosen Regions in the accounts. For more information about selecting Regions, see Configure your AWS Control Tower Regions.

AWS Control Tower now extends governance to existing OUs in your AWS organizations

January 28, 2021

(No update required for AWS Control Tower landing zone)

Extend governance to existing organizational units (OUs) (those not in AWS Control Tower) from within the AWS Control Tower console. With this feature, you can bring top-level OUs and included accounts under AWS Control Tower governance. For information about extending governance to an entire OU, see Register an existing organizational unit with AWS Control Tower.

When you register an OU, AWS Control Tower performs a series of checks to ensure successful extension of governance and enrollment of accounts within the OU. For more information about common issues associated with the initial registration of an OU, see Common causes of failure during registration or re-registration.

You can also visit the AWS Control Tower product webpage or visit YouTube to watch this video about getting started with AWS Control Tower for AWS Organizations.

AWS Control Tower provides bulk account updates

January 28, 2021

(No update required for AWS Control Tower landing zone)

With the bulk update feature, you can now update all accounts in a registered AWS Organizations organizational unit (OU) containing up to 300 accounts, with a single click, from the AWS Control Tower dashboard. This is particularly useful in cases where you update your AWS Control Tower landing zone and must also update your enrolled accounts to align them to the current landing zone version.

This feature also helps you keep your accounts up to date when you update your AWS Control Tower landing zone to expand to new regions, or when you want to re-register an OU to ensure that all accounts in that OU have the latest controls applied. Bulk account update eliminates the need to update one account at a time or use an external script to perform the update on multiple accounts.

For information about updating a landing zone, see Update Your Landing Zone.

For information about registering or re-registering an OU, see Register an existing organizational unit with AWS Control Tower.