January 2022 - Present - AWS Control Tower

January 2022 - Present

Since January 2022, AWS Control Tower has released the following updates:

Account Factory Customization (AFC)

November 28, 2022

(No update required for AWS Control Tower landing zone.)

Account factory customization allows you to customize new and existing accounts from within the AWS Control Tower console. These new customization capabilities give you the flexibility to define account blueprints, which are AWS CloudFormation templates contained in a specialized AWS Service Catalog product. Blueprints provision fully customized resources and configurations. You also may choose use pre-defined blueprints, built and managed by AWS partners, that help you customize accounts for specific use cases.

Previously, AWS Control Tower account factory did not support account customization in the console. With this update of account factory, you can pre-define account requirements and implement them as part of a well-defined workflow. You can apply blueprints to create new accounts, to enroll other AWS accounts into AWS Control Tower, and to update existing AWS Control Tower accounts.

When you provision, enroll, or update an account in account factory, you will select the blueprint to deploy. Those resources specified in the blueprint are provisioned in your account. When your account has finished building, all of the custom configurations are available for use immediately.

To get started with customizing accounts, you can define the resources for your intended use case in a AWS Service Catalog product. You also can select partner-managed solutions from the AWS Getting Started Library. For more information, see Customize accounts with Account Factory Customization (AFC).

Comprehensive controls assist in AWS resource provisioning and management

November 28, 2022

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now supports comprehensive controls management, including new, optional proactive controls, implemented through AWS CloudFormation hooks. These controls are referred to as proactive because they check your resources – before the resources are deployed – to determine whether the new resources will comply with the controls that are activated in your environment.

Over 130 new proactive controls assist you with meeting specific policy objectives for your AWS Control Tower environment; with meeting requirements of industry-standard compliance frameworks; and with governing AWS Control Tower interactions across more than twenty other AWS services.

The AWS Control Tower controls library classifies these controls according to the associated AWS services and resources. For more details, see Proactive controls.

With this release, AWS Control Tower also is integrated with AWS Security Hub, by means of the new Security Hub Service-Managed Standard: AWS Control Tower, which supports the AWS Foundational Security Best Practices (FSBP) standard. You can view over 160 Security Hub controls alongside AWS Control Tower controls in the console, and you can obtain an Security Hub security score for your AWS Control Tower environment. For more information, see Security Hub standard.

Compliance status viewable for all AWS Config rules

November 18, 2022

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now displays the compliance status of all AWS Config rules deployed into organizational units registered with AWS Control Tower. You can view the compliance status of all AWS Config rules that affect your accounts in AWS Control Tower, enrolled or unenrolled, without navigating outside of the AWS Control Tower console. Customers can choose to set up Config rules, called detective controls, in AWS Control Tower, or to set them up directly through the AWS Config service. The rules deployed by AWS Config are shown, along with the rules deployed by AWS Control Tower.

Previously, AWS Config rules deployed through the AWS Config service were not visible in the AWS Control Tower console. Customers had to navigate to the AWS Config service to identify non-compliant AWS Config rules. Now you can identify any non-compliant AWS Config rule within the AWS Control Tower console. To view the compliance status of all your Config rules, navigate to the Account details page in the AWS Control Tower console. You will see a list showing the compliance status of controls managed by AWS Control Tower and Config rules deployed outside of AWS Control Tower.

API for controls and a new AWS CloudFormation resource

September 1, 2022

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now supports programmatic management of controls, also known as guardrails, through a set of API calls. A new AWS CloudFormation resource supports the API functionality for controls. For more details, see Automate tasks in AWS Control Tower and Creating AWS Control Tower resources with AWS CloudFormation.

These APIs allow you to enable, disable, and view the application status of controls in the AWS Control Tower library. The APIs include support for AWS CloudFormation, so you can manage AWS resources as infrastructure-as-code (IaC). AWS Control Tower provides optional preventive and detective controls that express your policy intentions regarding an entire organizational unit (OU), and every AWS account within the OU. These rules remain in effect as you create new accounts or make changes to existing accounts.

APIs included in this release

  • EnableControl– This API call activates a control. It starts an asynchronous operation that creates AWS resources on the specified organizational unit and the accounts it contains.

  • DisableControl– This API call turns off a control. It starts an asynchronous operation that deletes AWS resources on the specified organizational unit and the accounts it contains.

  • GetControlOperation– Returns the status of a particular EnableControl or DisableControl operation.

  • ListEnabledControls– Lists the controls enabled by AWS Control Tower on the specified organizational unit and the accounts it contains.

To view a list of control names for optional controls, see Resource identifiers for APIs and controls, in the AWS Control Tower User Guide.

CfCT supports stack set deletion

August 26, 2022

(No update required for AWS Control Tower landing zone.)

Customizations for AWS Control Tower (CfCT) now supports stack set deletion, by setting a parameter in the manifest.yaml file. For more information, see Delete a stack set.

Important

When you initially set the value of enable_stack_set_deletion to true, the next time you invoke CfCT, ALL resources that begin with the prefix CustomControlTower-, which have the associated key tag Key:AWS_Solutions, Value: CustomControlTowerStackSet, and which are not declared in the manifest file, are staged for deletion.

Customized log retention

August 15, 2022

(Update required for AWS Control Tower landing zone. For information, see Update Your Landing Zone)

AWS Control Tower now provides the ability to customize the retention policy for Amazon S3 buckets that store your AWS Control Tower CloudTrail logs. You can customize your Amazon S3 log retention policy, in increments of days or years, up to a maximum of 15 years.

If you choose not customize your log retention, the default settings are 1 year for standard account logging, and 10 years for access logging.

This feature is available for existing customers through AWS Control Tower when you update or repair your landing zone, and for new customers through the AWS Control Tower setup process.

Role drift repair available

August 11, 2022

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now supports repair for role drift. You can restore a required role without a full repair of your landing zone. If this type of drift repair is needed, the console error page provides steps for restoring the role, so that your landing zone is once again available.

AWS Control Tower landing zone version 3.0

July 29, 2022

(Update required for AWS Control Tower landing zone to version 3.0. For information, see Update Your Landing Zone)

AWS Control Tower landing zone version 3.0 includes the following updates:

  • The option to choose organization-level AWS CloudTrail trails, or to opt out of CloudTrail trails managed by AWS Control Tower.

  • Two new detective controls to determine whether AWS CloudTrail is logging activity in your accounts.

  • The option to aggregate AWS Config information about global resources in your home Region only.

  • An update to the Region deny control.

  • An update to the managed policy, AWSControlTowerServiceRolePolicy.

  • We no longer create the IAM role aws-controltower-CloudWatchLogsRole and the CloudWatch log group aws-controltower/CloudTrailLogs in each enrolled account. Previously, we created these in each account for its account trail. With organization trails, we only create one in the management account.

The following sections provide more details about each new capability.

Organization-level CloudTrail trails in AWS Control Tower

With landing zone version 3.0, AWS Control Tower now supports organization-level AWS CloudTrail trails.

When you update your AWS Control Tower landing zone to version 3.0, you have the option to select organization-level AWS CloudTrail trails as your logging preference, or to opt out of CloudTrail trails that are managed by AWS Control Tower. When you update to version 3.0, AWS Control Tower deletes the existing account-level trails for enrolled accounts after a 24-hour waiting period. AWS Control Tower does not delete account-level trails for unenrolled accounts. Going forward from landing zone 3.0, AWS Control Tower no longer will support account-level trails that AWS manages. Instead, AWS Control Tower creates an organization-level trail, which is active or inactive, according to your selection.

Note

After you update to version 3.0 or later, you do not have the option to continue with account-level CloudTrail trails managed by AWS Control Tower.

No logging data is lost from your aggregated account logs, because the logs remain in the existing Amazon S3 bucket where they are stored. Only the trails are deleted, not the existing logs. If you select the option to add organization-level trails, AWS Control Tower opens a new path to a new folder within your Amazon S3 bucket and continues sending logging information to that location. If you choose to opt out of trails managed by AWS Control Tower, your existing logs remain in the bucket, unchanged.

Path naming conventions for log storage

  • Account trail logs are stored with a path of this form: /org id/AWSLogs/…

  • Organization trail logs are stored with a path of this form: /org id/AWSLogs/org id/…

The path that AWS Control Tower creates for your organization-level CloudTrail trails is different than the default path for a manually-created organization-level trail, which would have the following form:

  • /AWSLogs/org id/…

For more information about CloudTrail path naming, see Finding your CloudTrail log files.

Tip

If you plan to create and manage your own account-level trails, we recommend that you create the new trails before you complete the update to AWS Control Tower landing zone version 3.0, to start logging right away.

At any time, you may choose to create new account-level or organization-level CloudTrail trails and manage them on your own. The option to choose organization-level CloudTrail trails managed by AWS Control Tower is available during any landing zone update to version 3.0 or later. You can opt into and opt out of organization-level trails, whenever you update your landing zone.

If your logs are managed by a third-party service, be sure to give the new path name to your service.

Note

For landing zones at version 3.0 or later, account-level AWS CloudTrail trails are not supported by AWS Control Tower. You can create and maintain your own account-level trails at any time, or you can opt into organization-level trails managed by AWS Control Tower.

Record AWS Config resources in the home Region only

In landing zone version 3.0, AWS Control Tower has updated the baseline configuration for AWS Config so that it records global resources in the home Region only. After you update to version 3.0, resource recording for global resources is enabled only in your home Region.

This configuration is considered a best practice. It is recommended by AWS Security Hub and AWS Config, and it creates cost savings by reducing the number of configuration items created when global resources are created, modified, or deleted. Previously, each time a global resources was created, updated, or deleted, whether by a customer or by an AWS service, a configuration item was created for each item in each governed Region.

Two new detective controls for AWS CloudTrail logging

As part of the change to organization-level AWS CloudTrail trails, AWS Control Tower is introducing two new detective controls that check whether CloudTrail is enabled. The first control has Mandatory guidance, and it is enabled on the Security OU during setup or landing zone updates of 3.0 and later. The second control has Strongly recommended guidance, and it is optionally applied to any OUs other than the Security OU, which already has the mandatory control protection enforced.

Mandatory control: Detect whether shared accounts under the Security organizational unit have AWS CloudTrail or CloudTrail Lake enabled

Strongly recommended control: Detect whether an account has AWS CloudTrail or CloudTrail Lake enabled

For more information about the new controls, see the The AWS Control Tower controls library.

An update to the Region deny control

We updated the NotAction list in the Region deny control to include actions by some additional services, listed below:

“chatbot:*”, "s3:GetAccountPublic", "s3:DeleteMultiRegionAccessPoint", "s3:DescribeMultiRegionAccessPointOperation", "s3:GetMultiRegionAccessPoint", "s3:GetMultiRegionAccessPointPolicy", "s3:GetMultiRegionAccessPointPolicyStatus", "s3:ListMultiRegionAccessPoints", "s3:GetStorageLensConfiguration", “s3:GetStorageLensDashboard", “s3:ListStorageLensConfigurations” “s3:GetAccountPublicAccessBlock“,, “s3:PutAccountPublic", “s3:PutAccountPublicAccessBlock“,

Video Walkthrough

This video (3:07) describes how to update your existing AWS Control Tower landing zone to version 3. For better viewing, select the icon at the lower right corner of the video to enlarge it to full screen. Captioning is available.

The Organization page combines views of OUs and accounts

July 18, 2022

(No update required for AWS Control Tower landing zone)

The new Organization page in AWS Control Tower shows a hierarchical view of all organizational units (OUs) and accounts. It combines the information from the OUs and Accounts pages, which existed previously.

On the new page, you can see relationships between parent OUs and their nested OUs and accounts, You can take action on groupings of resources. You can configure the page view. For example, you can expand or collapse the hierarchical view, filter the view to see accounts or OUs only, choose to view only your enrolled accounts and registered OUs, or you can view groups of related resources. It is easier to ensure that your entire organization is updated properly.

Easier enroll and update for individual member accounts

May 31, 2022

(No update required for AWS Control Tower landing zone)

AWS Control Tower now gives you an improved capability to update and enroll member accounts individually. Each account shows when it is available for an update, so you can more easily ensure that your member accounts include the latest configuration. You can update your landing zone, remediate account drift, or enroll an account into a registered OU, in a few streamlined steps.

When you update an account, there’s no need to include an account’s entire organizational unit (OU) in each update action. As a result, the time required to update an individual account is greatly reduced.

You can enroll accounts into AWS Control Tower OUs with more help from the AWS Control Tower console. Existing accounts that you enroll in AWS Control Tower must still meet the account prerequisites, and you must add the AWSControlTowerExecution role. Then, you can choose any registered OU and enroll the account into it by selecting the Enroll button.

We’ve separated the Enroll account functionality from the Create account workflow in account factory, to create more distinction between these similar processes, and help avoid setup errors when you’re entering account information.

AFT supports automated customization for shared AWS Control Tower accounts

May 27, 2022

(No update required for AWS Control Tower landing zone)

Account Factory for Terraform (AFT) now can programmatically customize and update any of your accounts that are managed by AWS Control Tower, including the management account, audit account, and log archive account, along with your enrolled accounts. You can centralize your account customization and update management, while protecting the security of your account configurations, because you scope the role that carries out the work.

The existing AWSAFTExecution role now deploys customizations in all accounts. You can set up IAM permissions with boundaries that limit the access of the AWSAFTExecution role according to your business and security requirements. You also can programmatically delegate the approved customization permissions in that role, for trusted users. As a best practice, we recommend that you restrict permissions to those that are necessary to deploy the required customizations.

AFT now creates the new AWSAFTService role to deploy AFT resources in all managed accounts, including the shared accounts and management account. Resources formerly were deployed by the AWSAFTExecution role.

The AWS Control Tower shared and management accounts are not provisioned through account factory, so they do not have corresponding provisioned products in AWS Service Catalog. Therefore, you are not able to update the shared and management accounts in AWS Service Catalog.

Concurrent operations for all optional controls

May 18, 2022

(No update required for AWS Control Tower landing zone)

AWS Control Tower now supports concurrent operations for preventive controls, as well as for detective controls.

With this new feature, any optional control now can be applied or removed concurrently, thereby improving the ease of use and performance for all optional controls. You can enable multiple optional controls without waiting for individual control operations to complete. The only restricted times are when AWS Control Tower is in the process of landing zone setup, or while extending governance to a new organization.

Supported functionality for preventive controls:

  • Apply and remove different preventive controls on the same OU.

  • Apply and remove different preventive controls on different OUs, concurrently.

  • Apply and remove the same preventive control on multiple OUs, concurrently.

  • You can apply and remove any preventive and detective controls, concurrently.

You can experience these control concurrency improvements in all released versions of AWS Control Tower.

When you apply preventive controls to nested OUs, the preventive controls affect all accounts and OUs nested under the target OU, even if those accounts and OUs are not registered with AWS Control Tower. Preventive controls are implemented using Service Control Policies (SCPs), which are part of AWS Organizations. Detective controls are implemented using AWS Config rules. Guardrails remain in effect as you create new accounts or make changes to your existing accounts, and AWS Control Tower provides a summary report of how each account conforms to your enabled policies. For a full list of available controls, see the The AWS Control Tower controls library.

Existing security and logging accounts

May 16, 2022

(Available during initial setup.)

AWS Control Tower now provides the option for you to specify an existing AWS account as an AWS Control Tower security or logging account, during the initial landing zone setup process. This option eliminates the need for AWS Control Tower to create new, shared accounts. The security account, which is called the Audit account by default, is a restricted account that gives your security and compliance teams access to all accounts in your landing zone. The logging account, which is called the Log Archive account by default, works as a repository. It stores logs of API activities and resource configurations from all accounts in your landing zone.

By bringing your existing security and logging accounts, it is easier to extend AWS Control Tower governance into your existing organizations, or to move to AWS Control Tower from an alternate landing zone. The option for you to use existing accounts is displayed during the initial landing zone setup. It includes checks during the setup process, which ensure successful deployment. AWS Control Tower implements the necessary roles and controls on your existing accounts. It does not remove or merge any existing resources or data that exists in these accounts.

Limitation: If you plan to bring existing AWS accounts into AWS Control Tower as audit and log archive accounts, and if those accounts have existing AWS Config resources, you must delete the existing AWS Config resources before you can enroll the accounts into AWS Control Tower.

AWS Control Tower landing zone version 2.9

April 22, 2022

(Update required for AWS Control Tower landing zone to version 2.9. For information, see Update Your Landing Zone)

AWS Control Tower landing zone version 2.9 updates the notification forwarder Lambda to use the Python version 3.9 runtime. This update addresses the deprecation of Python version 3.6, which is planned for July of 2022. For the latest information, see the Python deprecation page.

AWS Control Tower landing zone version 2.8

February 10, 2022

(Update required for AWS Control Tower landing zone to version 2.8. For information, see Update Your Landing Zone)

AWS Control Tower landing zone version 2.8 adds functionality that aligns with recent updates to the AWS Foundational Security Best Practices.

In this release:

  • Access logging is configured for the access log bucket in the Log Archive account, to keep track of access to the existing S3 access log bucket.

  • Support for lifecycle policy is added. The access log for the existing S3 access log bucket is set to a default retention time of 10 years.

  • Additionally, this release updates AWS Control Tower to use the AWS Service Linked Role (SLR) provided by AWS Config, in all managed accounts (not including the management account), so that you can set up and manage Config rules to match AWS Config best practices. Customers who do not upgrade will continue to use their existing role.

  • This release streamlines the AWS Control Tower KMS configuration process for encrypting Config data, and it improves the related status messaging in CloudTrail.

  • The release includes an update to the Region deny control, to allow for the route53-application-recovery feature in us-west-2.

  • Update: On February 15, 2022, we removed the dead letter queue for AWS Lambda functions.

Additional details:

  • If you decommission your landing zone, AWS Control Tower does not remove the AWS Config service-linked role.

  • If you deprovision an Account Factory account, AWS Control Tower does not remove the AWS Config service-linked role.

To update your landing zone to 2.8, navigate to the Landing zone settings page, select the 2.8 version, and then choose Update. After you update your landing zone, you must update all accounts that are governed by AWS Control Tower, as given in Configuration update management in AWS Control Tower.