January 2022 - Present - AWS Control Tower

January 2022 - Present

Since January 2022, AWS Control Tower has released the following updates:

Customized log retention

August 15, 2022

(Update required for AWS Control Tower landing zone. For information, see Update Your Landing Zone)

AWS Control Tower now provides the ability to customize the retention policy for Amazon S3 buckets that store your AWS Control Tower CloudTrail logs. You can customize your Amazon S3 log retention policy, in increments of days or years, up to a maximum of 15 years.

If you choose not customize your log retention, the default settings are 1 year for standard account logging, and 10 years for access logging.

This feature is available for existing customers through AWS Control Tower when you update or repair your landing zone, and for new customers through the AWS Control Tower setup process.

Role drift repair available

August 11, 2022

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now supports repair for role drift. You can restore a required role without a full repair of your landing zone. If this type of drift repair is needed, the console error page provides steps for restoring the role, so that your landing zone is once again available.

AWS Control Tower landing zone version 3.0

July 26, 2022

(Update required for AWS Control Tower landing zone to version 3.0. For information, see Update Your Landing Zone)

AWS Control Tower landing zone version 3.0 includes the following updates:

  • The option to choose organization-level AWS CloudTrail trails, or to opt out of CloudTrail trails managed by AWS Control Tower.

  • Two new detective guardrails to determine whether AWS CloudTrail is logging activity in your accounts.

  • The option to aggregate AWS Config information about global resources in your home Region only.

  • An update to the Region deny guardrail.

  • An update to the managed policy, AWSControlTowerServiceRolePolicy.

  • We no longer create the IAM role aws-controltower-CloudWatchLogsRole and the CloudWatch log group aws-controltower/CloudTrailLogs in each enrolled account. Previously, we created these in each account for its account trail. With organization trails, we only create one in the management account.

The following sections provide more details about each new capability.

Organization-level CloudTrail trails in AWS Control Tower

With landing zone version 3.0, AWS Control Tower now supports organization-level AWS CloudTrail trails.

When you update your AWS Control Tower landing zone to version 3.0, you have the option to select organization-level AWS CloudTrail trails as your logging preference, or to opt out of CloudTrail trails that are managed by AWS Control Tower. When you update to version 3.0, AWS Control Tower deletes your existing account-level trails after a 24-hour waiting period. Going forward from landing zone 3.0, AWS Control Tower no longer will support account-level trails that we manage. Instead, AWS Control Tower creates an organization-level trail, which is active or inactive, according to your selection.

Note

After you update to version 3.0 or later, you do not have the option to continue with account-level CloudTrail trails managed by AWS Control Tower.

No logging data is lost from your aggregated account logs, because the logs remain in the existing Amazon S3 bucket where they are stored. Only the trails are deleted, not the existing logs. If you select the option to add organization-level trails, AWS Control Tower opens a new path to a new folder within your Amazon S3 bucket and continues sending logging information to that location. If you choose to opt out of trails managed by AWS Control Tower, your existing logs remain in the bucket, unchanged.

Path naming conventions for log storage

  • Account trail logs are stored with a path of this form: /org id/AWSLogs/…

  • Organization trail logs are stored with a path of this form: /AWSLogs/org id/…

Tip

If you plan to create and manage your own account-level trails, we recommend that you create the new trails before you complete the update to AWS Control Tower landing zone version 3.0, to start logging right away.

At any time, you may choose to create new account-level or organization-level CloudTrail trails and manage them on your own. The option to choose organization-level CloudTrail trails managed by AWS Control Tower is available during any landing zone update to version 3.0 or later. You can opt into and opt out of organization-level trails, whenever you update your landing zone.

If your logs are managed by a third-party service, be sure to give the new path name to your service.

Note

For landing zones at version 3.0 or later, account-level AWS CloudTrail trails are not supported by AWS Control Tower. You can create and maintain your own account-level trails at any time, or you can opt into organization-level trails managed by AWS Control Tower.

Record AWS Config resources in the home Region only

In landing zone version 3.0, AWS Control Tower has updated the baseline configuration for AWS Config so that it records global resources in the home Region only. After you update to version 3.0, resource recording for global resources is enabled only in your home Region.

This configuration is considered a best practice. It is recommended by AWS Security Hub and AWS Config, and it creates cost savings by reducing the number of configuration items created when global resources are created, modified, or deleted. Previously, each time a global resources was created, updated, or deleted, whether by a customer or by an AWS service, a configuration item was created for each item in each governed Region.

Two new detective guardrails for AWS CloudTrail logging

As part of the change to organization-level AWS CloudTrail trails, AWS Control Tower is introducing two new detective guardrails that check whether CloudTrail is enabled. The first guardrail has Mandatory guidance, and it is enabled on the Security OU during setup or landing zone updates of 3.0 and later. The second guardrail has Strongly recommended guidance, and it is optionally applied to any OUs other than the Security OU, which already has the mandatory guardrail protection enforced.

Mandatory guardrail: Detect whether shared accounts under the Security organizational unit have AWS CloudTrail or CloudTrail Lake enabled

Strongly recommended guardrail: Detect whether an account has AWS CloudTrail or CloudTrail Lake enabled

For more information about the new guardrails, see the Guardrail reference.

An update to the Region deny guardrail

We updated the NotAction list in the Region deny guardrail to include actions by some additional services, listed below:

“chatbot:*”, "s3:GetAccountPublic", "s3:DeleteMultiRegionAccessPoint", "s3:DescribeMultiRegionAccessPointOperation", "s3:GetMultiRegionAccessPoint", "s3:GetMultiRegionAccessPointPolicy", "s3:GetMultiRegionAccessPointPolicyStatus", "s3:ListMultiRegionAccessPoints", "s3:GetStorageLensConfiguration", “s3:GetStorageLensDashboard", “s3:ListStorageLensConfigurations” “s3:GetAccountPublicAccessBlock“,, “s3:PutAccountPublic", “s3:PutAccountPublicAccessBlock“,

Video Walkthrough

This video (3:07) describes how to update your existing AWS Control Tower landing zone to version 3. For better viewing, select the icon at the lower right corner of the video to enlarge it to full screen. Captioning is available.

The Organization page combines views of OUs and accounts

July 18, 2022

(No update required for AWS Control Tower landing zone)

The new Organization page in AWS Control Tower shows a hierarchical view of all organizational units (OUs) and accounts. It combines the information from the OUs and Accounts pages, which existed previously.

On the new page, you can see relationships between parent OUs and their nested OUs and accounts, You can take action on groupings of resources. You can configure the page view. For example, you can expand or collapse the hierarchical view, filter the view to see accounts or OUs only, choose to view only your enrolled accounts and registered OUs, or you can view groups of related resources. It is easier to ensure that your entire organization is updated properly.

Easier enroll and update for individual member accounts

May 31, 2022

(No update required for AWS Control Tower landing zone)

AWS Control Tower now gives you an improved capability to update and enroll member accounts individually. Each account shows when it is available for an update, so you can more easily ensure that your member accounts include the latest configuration. You can update your landing zone, remediate account drift, or enroll an account into a registered OU, in a few streamlined steps.

When you update an account, there’s no need to include an account’s entire organizational unit (OU) in each update action. As a result, the time required to update an individual account is greatly reduced.

You can enroll accounts into AWS Control Tower OUs with more help from the AWS Control Tower console. Existing accounts that you enroll in AWS Control Tower must still meet the account prerequisites, and you must add the AWSControlTowerExecution role. Then, you can choose any registered OU and enroll the account into it by selecting the Enroll button.

We’ve separated the Enroll account functionality from the Create account workflow in account factory, to create more distinction between these similar processes, and help avoid setup errors when you’re entering account information.

AFT supports automated customization for shared AWS Control Tower accounts

May 27, 2022

(No update required for AWS Control Tower landing zone)

Account Factory for Terraform (AFT) now can programmatically customize and update any of your accounts that are managed by AWS Control Tower, including the management account, audit account, and log archive account, along with your enrolled accounts. You can centralize your account customization and update management, while protecting the security of your account configurations, because you scope the role that carries out the work.

The existing AWSAFTExecution role now deploys customizations in all accounts. You can set up IAM permissions with boundaries that limit the access of the AWSAFTExecution role according to your business and security requirements. You also can programmatically delegate the approved customization permissions in that role, for trusted users. As a best practice, we recommend that you restrict permissions to those that are necessary to deploy the required customizations.

AFT now creates the new AWSAFTService role to deploy AFT resources in all managed accounts, including the shared accounts and management account. Resources formerly were deployed by the AWSAFTExecution role.

The AWS Control Tower shared and management accounts are not provisioned through account factory, so they do not have corresponding provisioned products in AWS Service Catalog. Therefore, you are not able to update the shared and management accounts in AWS Service Catalog.

Concurrent operations for all optional guardrails

May 18, 2022

(No update required for AWS Control Tower landing zone)

AWS Control Tower now supports concurrent operations for preventive guardrails, as well as for detective guardrails.

With this new feature, any optional guardrail now can be applied or removed concurrently, thereby improving the ease of use and performance for all optional guardrails. You can enable multiple optional guardrails without waiting for individual guardrail operations to complete. The only restricted times are when AWS Control Tower is in the process of landing zone setup, or while extending governance to a new organization.

Supported functionality for preventive guardrails:

  • Apply and remove different preventive guardrails on the same OU.

  • Apply and remove different preventive guardrails on different OUs, concurrently.

  • Apply and remove the same preventive guardrail on multiple OUs, concurrently.

  • You can apply and remove any preventive and detective guardrails, concurrently.

You can experience these guardrail concurrency improvements in all released versions of AWS Control Tower.

When you apply preventive guardrails to nested OUs, the preventive guardrails affect all accounts and OUs nested under the target OU, even if those accounts and OUs are not registered with AWS Control Tower. Preventive guardrails are implemented using Service Control Policies (SCPs), which are part of AWS Organizations. Detective guardrails are implemented using AWS Config rules. Guardrails remain in effect as you create new accounts or make changes to your existing accounts, and AWS Control Tower provides a summary report of how each account conforms to your enabled policies. For a full list of available guardrails, see the Guardrail reference.

Existing security and logging accounts

May 16, 2022

(Available during initial setup.)

AWS Control Tower now provides the option for you to specify an existing AWS account as an AWS Control Tower security or logging account, during the initial landing zone setup process. This option eliminates the need for AWS Control Tower to create new, shared accounts. The security account, which is called the Audit account by default, is a restricted account that gives your security and compliance teams access to all accounts in your landing zone. The logging account, which is called the Log Archive account by default, works as a repository. It stores logs of API activities and resource configurations from all accounts in your landing zone.

By bringing your existing security and logging accounts, it is easier to extend AWS Control Tower governance into your existing organizations, or to move to AWS Control Tower from an alternate landing zone. The option for you to use existing accounts is displayed during the initial landing zone setup. It includes checks during the setup process, which ensure successful deployment. AWS Control Tower implements the necessary roles and controls on your existing accounts. It does not remove or merge any existing resources or data that exists in these accounts.

Limitation: If you plan to bring existing AWS accounts into AWS Control Tower as audit and log archive accounts, and if those accounts have existing AWS Config resources, you must delete the existing AWS Config resources before you can enroll the accounts into AWS Control Tower.

AWS Control Tower landing zone version 2.9

April 22, 2022

(Update required for AWS Control Tower landing zone to version 2.9. For information, see Update Your Landing Zone)

AWS Control Tower landing zone version 2.9 updates the notification forwarder Lambda to use the Python version 3.9 runtime. This update addresses the deprecation of Python version 3.6, which is planned for July of 2022. For the latest information, see the Python deprecation page.

AWS Control Tower landing zone version 2.8

February 10, 2022

(Update required for AWS Control Tower landing zone to version 2.8. For information, see Update Your Landing Zone)

AWS Control Tower landing zone version 2.8 adds functionality that aligns with recent updates to the AWS Foundational Security Best Practices.

In this release:

  • Access logging is configured for the access log bucket in the Log Archive account, to keep track of access to the existing S3 access log bucket.

  • Support for lifecycle policy is added. The access log for the existing S3 access log bucket is set to a default retention time of 10 years.

  • Additionally, this release updates AWS Control Tower to use the AWS Service Linked Role (SLR) provided by AWS Config, in all managed accounts (not including the management account), so that you can set up and manage Config rules to match AWS Config best practices. Customers who do not upgrade will continue to use their existing role.

  • This release streamlines the AWS Control Tower KMS configuration process for encrypting Config data, and it improves the related status messaging in CloudTrail.

  • The release includes an update to the Region deny guardrail, to allow for the route53-application-recovery feature in us-west-2.

  • Update: On February 15, 2022, we removed the dead letter queue for AWS Lambda functions.

Additional details:

  • If you decommission your landing zone, AWS Control Tower does not remove the AWS Config service-linked role.

  • If you deprovision an Account Factory account, AWS Control Tower does not remove the AWS Config service-linked role.

To update your landing zone to 2.8, navigate to the Landing zone settings page, select the 2.8 version, and then choose Update. After you update your landing zone, you must update all accounts that are governed by AWS Control Tower, as given in Configuration update management in AWS Control Tower.