January 2024 - Present - AWS Control Tower

Since January 2024, AWS Control Tower has released the following updates:

Descriptive control API available, expanded access to Regions and controls

August 1, 2024

(No update required for AWS Control Tower landing zone.)

AWS Control Tower added two new API operations that help you programmatically find information about available controls. This functionality makes it easier to deploy controls with automation.

  • The GetControl API returns details about an enabled control, including the target identifier, a control information summary, a list of target Regions, and the drift status.

  • The ListControls API returns a paginated list of all available controls in the AWS Control Tower library of controls.

These APIs are reached through the AWS Control Catalog namespace. The AWS Control Catalog is a part of AWS Control Tower, which includes controls that help you manage other AWS services, not just AWS Control Tower. This expanded catalog consolidates controls from several AWS services, so that you can view AWS controls according to common use cases such as security, cost, durability, and operations. For more information, see the Control Catalog API Reference.

Expanded Region availability

Beginning with this release, you can extend AWS Control Tower governance into AWS Regions where some of your already enabled controls are not available. Also, you can now enable certain controls in more Regions, even though the control is not supported in all of your governed Regions.

Previously, AWS Control Tower prevented you from extending governance into Regions or enabling controls when it could not offer consistency across all of your enabled controls and governed Regions. With this release, you have more flexibility, as well as more responsibility to ensure that your configuration is correct for all enabled controls and all governed Regions. The AWS Control Tower control APIs and the control catalog APIs can help you get information about the AWS Regions in which you are protected by enabled controls, and the Regions in which additional controls may be deployed. Region and control information is also available in the AWS Control Tower console.
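The paragraph above leaves the Region-by-Region coverage check to you. The following added example (not code from the AWS documentation) shows one way to do it: page through ListControls, fetch each control's RegionConfiguration with GetControl, and report every governed Region in which a REGIONAL control cannot be deployed. It assumes the boto3 `controlcatalog` client shape (`list_controls` paging over `Controls` with `NextToken`; `get_control(ControlArn=...)` returning a `RegionConfiguration` with `Scope` and `DeployableRegions`). The stub client, its ARNs, and the governed Region list are constructed so the script runs offline; substitute `boto3.client("controlcatalog")` and your own Region list for real use.

```python
"""Report governed Regions where a control cannot be deployed.

Added example, not AWS documentation code. The StubControlCatalog below
stands in for boto3.client("controlcatalog"); its control ARNs, names and
Region lists are constructed placeholders.
"""
from typing import Dict, Iterator, List

# Constructed sample: the Regions this landing zone governs.
GOVERNED_REGIONS = ["us-east-1", "eu-west-1", "ca-west-1"]


class StubControlCatalog:
    """Minimal stand-in for boto3.client('controlcatalog') with constructed data."""

    # Placeholder ARNs and Region lists; not real catalog entries.
    _controls = {
        "arn:aws:controlcatalog:::control/EXAMPLE-GLOBAL": {
            "Name": "Example global control",
            "RegionConfiguration": {"Scope": "GLOBAL", "DeployableRegions": []},
        },
        "arn:aws:controlcatalog:::control/EXAMPLE-REGIONAL": {
            "Name": "Example regional control",
            "RegionConfiguration": {
                "Scope": "REGIONAL",
                "DeployableRegions": ["us-east-1", "eu-west-1"],
            },
        },
    }

    def list_controls(self, NextToken=None, MaxResults=100):
        # Single page here; the real service may return NextToken for more.
        return {
            "Controls": [{"Arn": arn, "Name": c["Name"]} for arn, c in self._controls.items()]
        }

    def get_control(self, ControlArn):
        c = self._controls[ControlArn]
        return {
            "Arn": ControlArn,
            "Name": c["Name"],
            "RegionConfiguration": c["RegionConfiguration"],
        }


def iter_controls(client) -> Iterator[dict]:
    """Page through ListControls, following NextToken until it is absent."""
    token = None
    while True:
        page = client.list_controls(NextToken=token) if token else client.list_controls()
        yield from page.get("Controls", [])
        token = page.get("NextToken")
        if not token:
            return


def coverage_gaps(client, governed_regions: List[str]) -> Dict[str, List[str]]:
    """Map each control ARN to the governed Regions it cannot be deployed in.

    GLOBAL-scope controls apply everywhere, so they never produce a gap.
    A REGIONAL control produces a gap for every governed Region missing from
    its DeployableRegions: those are the Regions where that control gives no
    protection and a compensating control should be considered.
    """
    gaps: Dict[str, List[str]] = {}
    for summary in iter_controls(client):
        detail = client.get_control(ControlArn=summary["Arn"])
        cfg = detail.get("RegionConfiguration", {})
        if cfg.get("Scope") == "GLOBAL":
            continue
        deployable = set(cfg.get("DeployableRegions", []))
        missing = sorted(r for r in governed_regions if r not in deployable)
        if missing:
            gaps[summary["Arn"]] = missing
    return gaps


if __name__ == "__main__":
    for arn, regions in coverage_gaps(StubControlCatalog(), GOVERNED_REGIONS).items():
        print(f"{arn}: not deployable in {', '.join(regions)}")
```

Run against the real client, the report is the list of (control, Region) pairs to review before you extend governance into a Region that some enabled controls do not support.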

AWS Control Tower supports AFT and CfCT in opt-in Regions

July 18, 2024

(No update required for AWS Control Tower landing zone.)

Today, the AWS Control Tower customization frameworks Account Factory for Terraform (AFT) and Customizations for AWS Control Tower (CfCT) are available in five additional AWS Regions: Asia Pacific (Hyderabad, Jakarta and Osaka), Israel (Tel Aviv), and Middle East (UAE).

Account Factory for Terraform (AFT) sets up a Terraform pipeline to help you provision and customize accounts in AWS Control Tower. Customizations for AWS Control Tower (CfCT) helps you customize your AWS Control Tower landing zone and accounts with AWS CloudFormation templates and service control policies (SCPs).

To learn more, visit the Account Factory for Terraform and Customizations for AWS Control Tower pages in the AWS Control Tower User Guide. You also may wish to review the release notes on the AFT GitHub page and the CfCT GitHub page. AFT and CfCT are supported in all AWS Regions, with some exceptions. For specifics, see Region limitations.

AWS Control Tower adds the ListLandingZoneOperations API

June 26, 2024

(No update required for AWS Control Tower landing zone.)

AWS Control Tower has added an API that allows you to retrieve a list of operations recently applied to your landing zone, and operations currently in progress. The API can return the history of landing zone operations and their identifiers for up to 90 days. For usage examples, see View the status of your landing zone operations.

For more information about the ListLandingZoneOperations API, see ListLandingZoneOperations in the AWS Control Tower API Reference.

AWS Control Tower supports up to 100 concurrent control operations

May 20, 2024

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now supports multiple control operations with higher concurrency. You can submit up to 100 AWS Control Tower control operations, across multiple organizational units (OUs), at the same time, from the console or with APIs. Up to ten (10) operations can run simultaneously, and the additional ones are queued. In this way, you can set up a more standardized configuration across multiple AWS accounts, without the operational burden of repetitive control operations.

To monitor the status of your ongoing and queued control operations, you can navigate to the new Recent operations page in the AWS Control Tower console, or you can call the new ListControlOperations API.
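The ListLandingZoneOperations API (June 26) and the ListControlOperations API above both return paginated operation histories, and the useful operational question is usually the same for each: what is still running or queued, and what failed and why. The following added example (not AWS documentation code) pages through either API and summarizes the operations by status, listing the failed ones with their status message. It assumes the boto3 `controltower` client shape: `list_control_operations` paging over `controlOperations` and `list_landing_zone_operations` paging over `landingZoneOperations`, each item carrying `operationIdentifier`, `operationType`, `status` and, on failure, `statusMessage`, with `nextToken` for paging. Check those field names against the API Reference. The stub client and its operation records are constructed so the script runs offline; use `boto3.client("controltower")` for real use.

```python
"""Summarize recent AWS Control Tower operations by status.

Added example, not AWS documentation code. StubControlTower stands in for
boto3.client("controltower"); every record it returns is constructed.
"""
from collections import Counter
from typing import Callable, Dict, Iterable, Iterator, List


class StubControlTower:
    """Constructed stand-in for boto3.client('controltower')."""

    _control_ops = [
        {"operationIdentifier": "op-1", "operationType": "ENABLE_CONTROL", "status": "SUCCEEDED"},
        {"operationIdentifier": "op-2", "operationType": "ENABLE_CONTROL", "status": "IN_PROGRESS"},
        {"operationIdentifier": "op-3", "operationType": "ENABLE_CONTROL", "status": "FAILED",
         "statusMessage": "constructed failure message"},
    ]
    _lz_ops = [
        {"operationIdentifier": "lz-1", "operationType": "UPDATE", "status": "SUCCEEDED"},
    ]

    def list_control_operations(self, nextToken=None, maxResults=100, **_):
        # Two pages, so the nextToken handling is exercised.
        if nextToken is None:
            return {"controlOperations": self._control_ops[:2], "nextToken": "page-2"}
        return {"controlOperations": self._control_ops[2:]}

    def list_landing_zone_operations(self, nextToken=None, maxResults=100, **_):
        return {"landingZoneOperations": self._lz_ops}


def paginate(method: Callable[..., dict], result_key: str) -> Iterator[dict]:
    """Call a list_* method repeatedly, following nextToken until it is absent."""
    token = None
    while True:
        page = method(nextToken=token) if token else method()
        yield from page.get(result_key, [])
        token = page.get("nextToken")
        if not token:
            return


def summarize(operations: Iterable[dict]) -> Dict[str, object]:
    """Count operations per status and collect the failed ones for triage."""
    counts: Counter = Counter()
    failed: List[dict] = []
    for op in operations:
        status = op.get("status", "UNKNOWN")
        counts[status] += 1
        if status == "FAILED":
            failed.append({
                "operationIdentifier": op.get("operationIdentifier"),
                "operationType": op.get("operationType"),
                "statusMessage": op.get("statusMessage", ""),
            })
    return {"counts": dict(counts), "failed": failed}


def control_operation_summary(client) -> Dict[str, object]:
    return summarize(paginate(client.list_control_operations, "controlOperations"))


def landing_zone_operation_summary(client) -> Dict[str, object]:
    return summarize(paginate(client.list_landing_zone_operations, "landingZoneOperations"))


if __name__ == "__main__":
    client = StubControlTower()
    print("control operations:", control_operation_summary(client))
    print("landing zone operations:", landing_zone_operation_summary(client))
```

A non-empty `failed` list is the thing to alert on: a failed EnableControl leaves the target OU without the protection you intended, and the status message is the first clue to why.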

The AWS Control Tower library contains more than 500 controls, which map to different control objectives, frameworks, and services. For a specific control objective, such as Encrypt data at rest, you can enable multiple controls with a single control operation, to help you achieve the objective. This capability facilitates accelerated development, allows faster adoption of best practice controls, and mitigates operational complexities.

AWS Control Tower available in AWS Canada West (Calgary)

May 3, 2024

(No update required for AWS Control Tower landing zone.)

Starting today, you can activate AWS Control Tower in the Canada West (Calgary) Region. If you already have deployed AWS Control Tower and you want to extend its governance features to this Region, you can do so with the AWS Control Tower landing zone APIs. Or from the console, go to the Settings page in your AWS Control Tower dashboard, select your Regions, and then update your landing zone.

The Canada West (Calgary) Region does not support AWS Service Catalog. For this reason, some functionality of AWS Control Tower is different. The most notable functionality change is that Account Factory is not available. If you choose Canada West (Calgary) as your home Region, the procedures for updating accounts, setting up account automations, and any other processes that involve Service Catalog are different from those in other Regions.

Provisioning accounts

To create and provision a new account in the Canada West (Calgary) Region, we recommend that you create an account outside of AWS Control Tower, and then enroll it into a registered OU. For more information, see Enroll an existing account and Steps to enroll an account.

The Service Catalog APIs are not available in the Canada West (Calgary) Region. The example script shown in Automate account provisioning in AWS Control Tower by Service Catalog APIs does not work there.

Account Factory Customizations (AFC), Account Factory for Terraform (AFT), and Customizations for AWS Control Tower (CfCT) are not available in Canada West (Calgary), because other underlying dependencies of AWS Control Tower are not available there. If you extend governance to the Canada West (Calgary) Region, you can continue to manage AFC blueprints in all Regions that AWS Control Tower supports, as long as Service Catalog is available in your home Region.

Controls

Proactive controls and controls for the AWS Security Hub Service-Managed Standard: AWS Control Tower are not available in the Canada West (Calgary) Region. The preventive control CT.CLOUDFORMATION.PR.1 is not available in Canada West (Calgary) because it is required only for activating the hook-based proactive controls. Certain detective controls based on AWS Config are not available. For details, see Control limitations.

Identity provider

IAM Identity Center is not available in Canada West (Calgary). The best practice recommendation is to set up your landing zone in a Region where IAM Identity Center is available. Alternatively, you have the option to self-manage your account access configuration if you use an external identity provider in Canada West (Calgary).

The unavailability of Service Catalog in the Canada West (Calgary) Region has no effect on other Regions that are supported by AWS Control Tower. These differences apply only if your home Region is Canada West (Calgary).

For a full list of Regions where AWS Control Tower is available, see the AWS Region Table.

AWS Control Tower supports self-service quota adjustments

April 25, 2024

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now supports self-service quota adjustments through the Service Quotas console. For more information, see Request a quota increase.

AWS Control Tower releases the Controls Reference Guide

April 21, 2024

(No update required for AWS Control Tower landing zone.)

AWS Control Tower released the Controls Reference Guide, a new document where you can find detailed information about the controls that are specific to the AWS Control Tower environment. Previously, this material was included in the AWS Control Tower User Guide. The Controls Reference Guide covers controls in an expanded format. For more information, see the AWS Control Tower Controls Reference Guide.

AWS Control Tower updates and renames two proactive controls

March 26, 2024

(No update required for AWS Control Tower landing zone.)

AWS Control Tower has renamed two proactive controls to align with updates to Amazon OpenSearch Service.

We updated the control names and the artifacts for these two controls to align with the recent release from the Amazon OpenSearch Service, which now supports Transport Layer Security (TLS) version 1.3 among its transport security options for domain endpoint security.

To add support for TLSv1.3 for these controls, we have updated the artifact and name of the controls to reflect the intent of the control. They now evaluate the minimum TLS version of the service domain. To make this update in your environment, you must disable and then re-enable the controls to deploy the latest artifact.

No other proactive controls are affected by this change. We recommend that you review these controls, to ensure that they meet your control objectives.

For questions or concerns, contact AWS Support.

Deprecated controls no longer available

March 12, 2024

(No update required for AWS Control Tower landing zone.)

AWS Control Tower has deprecated some controls. These controls are no longer available.

  • CT.ATHENA.PR.1

  • CT.CODEBUILD.PR.4

  • CT.AUTOSCALING.PR.3

  • SH.Athena.1

  • SH.Codebuild.5

  • SH.AutoScaling.4

  • SH.SNS.1

  • SH.SNS.2

AWS Control Tower supports tagging EnabledControl resources in AWS CloudFormation

February 22, 2024

(No update required for AWS Control Tower landing zone.)

This AWS Control Tower release updates the behavior of the EnabledControl resource, to align better with configurable controls, and to improve the ability to manage your AWS Control Tower environment with automation. With this release, you can add tags to configurable EnabledControl resources by means of AWS CloudFormation templates. Previously, you could add tags through the AWS Control Tower console and APIs only.

The AWS Control Tower GetEnabledControl, EnableControl, and ListTagsForResource API operations are updated with this release, because they rely on the EnabledControl resource functionality.

For more information, see Tagging EnabledControl resources in AWS Control Tower and EnabledControl in the AWS CloudFormation User Guide.

AWS Control Tower supports APIs for OU registration and configuration with baselines

February 14, 2024

(No update required for AWS Control Tower landing zone.)

These APIs support programmatic OU registration with the EnableBaseline call. When you enable a baseline on an OU, member accounts within the OU are enrolled into AWS Control Tower governance. Certain caveats may apply. For example, OU registration through the AWS Control Tower console enables optional controls as well as mandatory controls. When calling APIs, you may need to complete an extra step so that optional controls are enabled.

An AWS Control Tower baseline embodies best practices for AWS Control Tower governance of an OU and member accounts. For example, when you enable a baseline on an OU, member accounts within the OU receive a defined group of resources, including AWS CloudTrail, AWS Config, IAM Identity Center, and required AWS IAM roles.

Specific baselines are compatible with specific AWS Control Tower landing zone versions. AWS Control Tower can apply the latest compatible baseline to your landing zone, when you change your landing zone settings. For more information, see Compatibility of OU baselines and landing zone versions.

This release includes four essential types of baselines:

  • AWSControlTowerBaseline

  • AuditBaseline

  • LogArchiveBaseline

  • IdentityCenterBaseline

With the new APIs and defined baselines, you can register OUs and automate your OU provisioning workflow. The APIs also can manage OUs that are already under AWS Control Tower governance, so you can re-register OUs after landing zone updates. The APIs include support for an AWS CloudFormation EnabledBaseline resource, which allows you to manage your OUs with infrastructure as code (IaC).

Baseline APIs

  • EnableBaseline, UpdateEnabledBaseline, DisableBaseline: Take action on a baseline for an OU.

  • GetEnabledBaseline, ListEnabledBaselines: Discover configurations for your enabled baselines.

  • GetBaselineOperation: View the status of a particular baseline operation.

  • ResetEnabledBaseline: Remediate resource drift on an OU with an enabled baseline (including nested OUs and mandatory control drift). Also remediates drift for the landing-zone-level Region deny control.

  • GetBaseline, ListBaselines: Discover content of AWS Control Tower baselines.

To learn more about these APIs, review Baselines in the AWS Control Tower User Guide, and the API Reference. The new APIs are available in AWS Regions where AWS Control Tower is available, except GovCloud (US) Regions. For a list of AWS Regions where AWS Control Tower is available, see the AWS Region Table.
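The OU registration workflow described in this release (EnableBaseline, then GetBaselineOperation to watch the asynchronous operation) is shown end to end in the following added example, which is not AWS documentation code. It assumes the boto3 `controltower` client shape: `enable_baseline(baselineIdentifier=..., baselineVersion=..., targetIdentifier=..., parameters=[{"key": ..., "value": ...}])` returning an `operationIdentifier`, and `get_baseline_operation(operationIdentifier=...)` returning a `baselineOperation` whose `status` is one of SUCCEEDED, FAILED or IN_PROGRESS. The parameter key `IdentityCenterEnabledBaselineArn`, which ties an AWSControlTowerBaseline to the enabled IdentityCenterBaseline, is assumed from the baseline documentation; the ARNs, version string and stub client below are constructed placeholders so the script runs offline.

```python
"""Register an OU by enabling a baseline and waiting for the operation.

Added example, not AWS documentation code. StubControlTower stands in for
boto3.client("controltower"); all identifiers are constructed placeholders.
"""
import time
from typing import List, Optional

# Constructed placeholder identifiers (not real ARNs).
OU_ARN = "arn:aws:organizations::111111111111:ou/o-EXAMPLE/ou-EXAMPLE"
BASELINE_ARN = "arn:aws:controltower:us-east-1::baseline/EXAMPLE-AWSControlTowerBaseline"
IDC_ENABLED_BASELINE_ARN = (
    "arn:aws:controltower:us-east-1:111111111111:enabledbaseline/EXAMPLE-IDC"
)
BASELINE_VERSION = "4.0"  # placeholder; use a version compatible with your landing zone


class StubControlTower:
    """Records EnableBaseline calls and replays a scripted sequence of statuses."""

    def __init__(self, statuses: List[str]):
        self._statuses = list(statuses)
        self.calls: List[dict] = []
        self.polls = 0

    def enable_baseline(self, **kwargs):
        self.calls.append(kwargs)
        return {"arn": OU_ARN + "/enabledbaseline", "operationIdentifier": "op-constructed"}

    def get_baseline_operation(self, operationIdentifier):
        self.polls += 1
        status = self._statuses.pop(0) if len(self._statuses) > 1 else self._statuses[0]
        return {"baselineOperation": {
            "operationIdentifier": operationIdentifier,
            "operationType": "ENABLE_BASELINE",
            "status": status,
            "statusMessage": "constructed" if status == "FAILED" else "",
        }}


def register_ou(client, ou_arn: str, baseline_arn: str, version: str,
                identity_center_enabled_baseline_arn: Optional[str] = None,
                poll_seconds: float = 0.0, max_polls: int = 60) -> dict:
    """Enable a baseline on an OU and block until the operation finishes.

    Returns the final baselineOperation record (status SUCCEEDED or FAILED).
    Raises TimeoutError if the operation is still IN_PROGRESS after max_polls.
    """
    parameters = []
    if identity_center_enabled_baseline_arn:
        # Assumed parameter key linking this baseline to the IdentityCenterBaseline.
        parameters.append({"key": "IdentityCenterEnabledBaselineArn",
                           "value": identity_center_enabled_baseline_arn})
    resp = client.enable_baseline(
        baselineIdentifier=baseline_arn,
        baselineVersion=version,
        targetIdentifier=ou_arn,
        parameters=parameters,
    )
    op_id = resp["operationIdentifier"]
    for _ in range(max_polls):
        op = client.get_baseline_operation(operationIdentifier=op_id)["baselineOperation"]
        if op["status"] in ("SUCCEEDED", "FAILED"):
            # Note: per the release notes, API registration may leave optional
            # controls unenabled; enabling them is a separate step after SUCCEEDED.
            return op
        time.sleep(poll_seconds)
    raise TimeoutError(f"baseline operation {op_id} still in progress after {max_polls} polls")


if __name__ == "__main__":
    client = StubControlTower(["IN_PROGRESS", "IN_PROGRESS", "SUCCEEDED"])
    result = register_ou(client, OU_ARN, BASELINE_ARN, BASELINE_VERSION,
                         IDC_ENABLED_BASELINE_ARN)
    print(result["status"], "after", client.polls, "polls")
```

With the real client, set `poll_seconds` to a few seconds; the operation record's `statusMessage` is where to look when the result is FAILED, and a SUCCEEDED result still calls for a check that the optional controls you expect on the OU are enabled.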