January 2024 - Present - AWS Control Tower

Since January 2024, AWS Control Tower has released the following updates:

AWS Control Tower supports up to 100 concurrent control operations

May 20, 2024

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now supports multiple control operations with higher concurrency. You can submit up to 100 AWS Control Tower control operations, across multiple organizational units (OUs), at the same time, from the console or with APIs. Up to ten (10) operations can run simultaneously, and the additional ones are queued. In this way, you can set up a more standardized configuration across multiple AWS accounts, without the operational burden of repetitive control operations.

To monitor the status of your ongoing and queued control operations, you can navigate to the new Recent operations page in the AWS Control Tower console, or you can call the new ListControlOperations API.

The AWS Control Tower library contains more than 500 controls, which map to different control objectives, frameworks, and services. For a specific control objective, such as Encrypt data at rest, you can enable multiple controls with a single control operation, to help you achieve the objective. This capability facilitates accelerated development, allows faster adoption of best practice controls, and mitigates operational complexities.
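The following is an added illustration (not AWS sample code) of the workflow this release enables: submit a batch of EnableControl operations across OUs while staying under the 100-operation submission limit, then page through ListControlOperations and report every operation that FAILED. It assumes a boto3 `controltower` client; the `FakeControlTower` class and its canned results are constructed so the script runs offline, and the control and OU identifiers are placeholders.

```python
from collections import Counter
from itertools import product

MAX_SUBMITTED = 100  # the release note's limit: 100 submitted, 10 run at once

def enable_controls(client, control_arns, ou_arns):
    """Submit one EnableControl per (control, OU) pair and return the operation ids.
    Refuses a batch larger than the documented 100-operation submission limit."""
    pairs = list(product(control_arns, ou_arns))
    if len(pairs) > MAX_SUBMITTED:
        raise ValueError(f"{len(pairs)} operations exceed the limit of {MAX_SUBMITTED}; split the batch")
    return [client.enable_control(controlIdentifier=c, targetIdentifier=ou)["operationIdentifier"]
            for c, ou in pairs]

def summarize_control_operations(client, operation_ids=None):
    """Page through ListControlOperations (nextToken) and tally status per operation.
    Returns (counts by status, list of failed operations with their statusMessage)."""
    wanted = set(operation_ids or [])
    counts, failures, token = Counter(), [], None
    while True:
        page = client.list_control_operations(**({"nextToken": token} if token else {}))
        for op in page.get("controlOperations", []):
            if wanted and op["operationIdentifier"] not in wanted:
                continue
            counts[op["status"]] += 1
            if op["status"] == "FAILED":
                failures.append((op["operationIdentifier"], op.get("controlIdentifier"),
                                 op.get("targetIdentifier"), op.get("statusMessage", "")))
        token = page.get("nextToken")
        if not token:
            return dict(counts), failures

class FakeControlTower:
    """Constructed stand-in for boto3.client('controltower') so the example runs offline.
    It mimics the two calls used above with canned, two-page output."""
    def __init__(self):
        self.submitted = []
    def enable_control(self, controlIdentifier, targetIdentifier):
        self.submitted.append((controlIdentifier, targetIdentifier))
        return {"operationIdentifier": f"op-{len(self.submitted)}"}
    def list_control_operations(self, nextToken=None):
        first = {"controlOperations": [
            {"operationIdentifier": "op-1", "status": "SUCCEEDED", "controlIdentifier": "c1", "targetIdentifier": "ou-a"},
            {"operationIdentifier": "op-2", "status": "FAILED", "controlIdentifier": "c1",
             "targetIdentifier": "ou-b", "statusMessage": "constructed failure message"}], "nextToken": "page2"}
        second = {"controlOperations": [
            {"operationIdentifier": "op-3", "status": "IN_PROGRESS", "controlIdentifier": "c2", "targetIdentifier": "ou-a"}]}
        return second if nextToken == "page2" else first

if __name__ == "__main__":
    ct = FakeControlTower()  # in production: boto3.client("controltower")
    ids = enable_controls(ct, ["c1", "c2"], ["ou-a", "ou-b"])  # placeholder identifiers
    print(summarize_control_operations(ct, ids))
```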

AWS Control Tower available in AWS Canada West (Calgary)

May 3, 2024

(No update required for AWS Control Tower landing zone.)

Starting today, you can activate AWS Control Tower in the Canada West (Calgary) Region. If you already have deployed AWS Control Tower and you want to extend its governance features to this Region, you can do so with the AWS Control Tower landing zone APIs. Or from the console, go to the Settings page in your AWS Control Tower dashboard, select your Regions, and then update your landing zone.

The Canada West (Calgary) Region does not support AWS Service Catalog. For this reason, some AWS Control Tower functionality is different there. The most notable change is that Account Factory is not available. If you choose Canada West (Calgary) as your home Region, the procedures for updating accounts, setting up account automations, and any other processes that involve Service Catalog differ from those in other Regions.

Provisioning accounts

To create and provision a new account in the Canada West (Calgary) Region, we recommend that you create an account outside of AWS Control Tower, and then enroll it into a registered OU. For more information, see Enroll an existing account and Steps to enroll an account.

The Service Catalog APIs are not available in the Canada West (Calgary) Region. The example script shown in Automate account provisioning in AWS Control Tower by Service Catalog APIs does not work there.

Account Factory Customizations (AFC), Account Factory for Terraform (AFT), and Customizations for AWS Control Tower (CfCT) are not available in Canada West (Calgary), because other underlying dependencies of AWS Control Tower are not available in that Region. If you extend governance to the Canada West (Calgary) Region, you can continue to manage AFC blueprints in all Regions that AWS Control Tower supports, as long as Service Catalog is available in your home Region.

Controls

Proactive controls and controls for the AWS Security Hub Service-Managed Standard: AWS Control Tower are not available in Canada West (Calgary) Region. The preventive control CT.CLOUDFORMATION.PR.1 is not available in Canada West (Calgary) because it is required only for activating the hook-based, proactive controls. Certain detective controls based on AWS Config are not available. For details, see Control limitations.

Identity provider

IAM Identity Center is not available in Canada West (Calgary). The best practice recommendation is to set up your landing zone in a Region where IAM Identity Center is available. Alternatively, you have the option to self-manage your account access configuration if you use an external identity provider in Canada West (Calgary).

The unavailability of Service Catalog in Canada West (Calgary) Region has no effect on other Regions that are supported by AWS Control Tower. These differences apply only if your home Region is Canada West (Calgary).

For a full list of Regions where AWS Control Tower is available, see the AWS Region Table.

AWS Control Tower supports self-service quota adjustments

April 25, 2024

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now supports self-service quota adjustments through the Service Quotas console. For more information, see Request a quota increase.

AWS Control Tower releases the Controls Reference Guide

April 21, 2024

(No update required for AWS Control Tower landing zone.)

AWS Control Tower released the Controls Reference Guide, a new document where you can find detailed information about the controls that are specific to the AWS Control Tower environment. Previously, this material was included in the AWS Control Tower User Guide. The Controls Reference Guide covers controls in an expanded format. For more information, see the AWS Control Tower Controls Reference Guide.

AWS Control Tower updates and renames two proactive controls

March 26, 2024

(No update required for AWS Control Tower landing zone.)

AWS Control Tower has renamed two proactive controls to align with updates to Amazon OpenSearch Service.

We updated the control names and the artifacts for these two controls to align with the recent release from the Amazon OpenSearch Service, which now supports Transport Layer Security (TLS) version 1.3 among its transport security options for domain endpoint security.

To add support for TLSv1.3 for these controls, we have updated the artifact and name of the controls to reflect their intent. They now evaluate the minimum TLS version of the service domain. To apply this update in your environment, you must disable and then re-enable the controls so that the latest artifact is deployed.

No other proactive controls are affected by this change. We recommend that you review these controls, to ensure that they meet your control objectives.

For questions or concerns, contact AWS Support.

Deprecated controls no longer available

March 12, 2024

(No update required for AWS Control Tower landing zone.)

AWS Control Tower has deprecated some controls. These controls are no longer available.

  • CT.ATHENA.PR.1

  • CT.CODEBUILD.PR.4

  • CT.AUTOSCALING.PR.3

  • SH.Athena.1

  • SH.Codebuild.5

  • SH.AutoScaling.4

  • SH.SNS.1

  • SH.SNS.2

AWS Control Tower supports tagging EnabledControl resources in AWS CloudFormation

February 22, 2024

(No update required for AWS Control Tower landing zone.)

This AWS Control Tower release updates the behavior of the EnabledControl resource, to align better with configurable controls, and to improve the ability to manage your AWS Control Tower environment with automation. With this release, you can add tags to configurable EnabledControl resources by means of AWS CloudFormation templates. Previously, you could add tags through the AWS Control Tower console and APIs only.

The AWS Control Tower GetEnabledControl, EnableControl, and ListTagsForResource API operations are updated with this release, because they rely on the EnabledControl resource functionality.

For more information, see Tagging EnabledControl resources in AWS Control Tower and EnabledControl in the AWS CloudFormation User Guide.

AWS Control Tower supports APIs for OU registration and configuration with baselines

February 14, 2024

(No update required for AWS Control Tower landing zone.)

These APIs support programmatic OU registration with the EnableBaseline call. When you enable a baseline on an OU, member accounts within the OU are enrolled into AWS Control Tower governance. Certain caveats may apply. For example, OU registration through the AWS Control Tower console enables optional controls as well as mandatory controls. When calling APIs, you may need to complete an extra step so that optional controls are enabled.

An AWS Control Tower baseline embodies best practices for AWS Control Tower governance of an OU and member accounts. For example, when you enable a baseline on an OU, member accounts within the OU receive a defined group of resources, including AWS CloudTrail, AWS Config, IAM Identity Center, and required AWS IAM roles.

Specific baselines are compatible with specific AWS Control Tower landing zone versions. AWS Control Tower can apply the latest compatible baseline to your landing zone, when you change your landing zone settings. For more information, see Compatibility of OU baselines and landing zone versions.

This release includes four essential types of baselines:
  • AWSControlTowerBaseline

  • AuditBaseline

  • LogArchiveBaseline

  • IdentityCenterBaseline

With the new APIs and defined baselines, you can register OUs and automate your OU provisioning workflow. The APIs also can manage OUs that are already under AWS Control Tower governance, so you can re-register OUs after landing zone updates. The APIs include support for an AWS CloudFormation EnabledBaseline resource, which allows you to manage your OUs with infrastructure as code (IaC).

Baseline APIs
  • EnableBaseline, UpdateEnabledBaseline, DisableBaseline: Take action on a baseline for an OU.

  • GetEnabledBaseline, ListEnabledBaselines: Discover configurations for your enabled baselines.

  • GetBaselineOperation: View the status of a particular baseline operation.

  • ResetEnabledBaseline: Remediate resource drift on an OU with an enabled baseline (including nested OUs and mandatory control drift). Also remediates drift for the landing-zone-level Region deny control.

  • GetBaseline, ListBaselines: Discover content of AWS Control Tower baselines.

To learn more about these APIs, review Baselines in the AWS Control Tower User Guide, and the API Reference. The new APIs are available in AWS Regions where AWS Control Tower is available, except GovCloud (US) Regions. For a list of AWS Regions where AWS Control Tower is available, see the AWS Region Table.
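The following is an added illustration (not AWS sample code) of programmatic OU registration with these APIs: call EnableBaseline for an OU, then poll GetBaselineOperation until the operation leaves IN_PROGRESS, raising on FAILED or on timeout so that a partially registered OU is never treated as governed. It assumes a boto3 `controltower` client; the `FakeControlTower` class is constructed so the script runs offline, the baseline ARN, baseline version and OU ARN are placeholders, and the optional `parameters` argument is left empty (the AWSControlTowerBaseline takes an Identity Center baseline ARN parameter; see the Baselines documentation for its key).

```python
import time

def register_ou(client, baseline_arn, baseline_version, ou_arn, parameters=None):
    """Call EnableBaseline for one OU and return its operationIdentifier.
    parameters is a list of {"key": ..., "value": ...} pairs; it is empty here, see the
    Baselines documentation for the parameters a given baseline expects."""
    resp = client.enable_baseline(baselineIdentifier=baseline_arn, baselineVersion=baseline_version,
                                  targetIdentifier=ou_arn, parameters=parameters or [])
    return resp["operationIdentifier"]

def wait_for_baseline_operation(client, operation_id, timeout_s=900, poll_s=15, sleep=time.sleep):
    """Poll GetBaselineOperation until it leaves IN_PROGRESS. Returns the final record;
    raises on FAILED or timeout so a half-registered OU is never mistaken for a governed one."""
    deadline = time.monotonic() + timeout_s
    while True:
        op = client.get_baseline_operation(operationIdentifier=operation_id)["baselineOperation"]
        if op["status"] == "SUCCEEDED":
            return op
        if op["status"] == "FAILED":
            raise RuntimeError(f"{operation_id} failed: {op.get('statusMessage') or ''}")
        if time.monotonic() >= deadline:
            raise TimeoutError(f"{operation_id} still {op['status']} after {timeout_s}s")
        sleep(poll_s)

def enroll_ou(client, baseline_arn, baseline_version, ou_arn, **wait_kwargs):
    """Register an OU and block until the baseline is applied (or raise)."""
    return wait_for_baseline_operation(client, register_ou(client, baseline_arn, baseline_version, ou_arn), **wait_kwargs)

class FakeControlTower:
    """Constructed stand-in for boto3.client('controltower'): each operation reports
    IN_PROGRESS on its first two polls, then SUCCEEDED (FAILED if the OU ARN contains 'bad')."""
    def __init__(self):
        self.polls, self.targets = {}, {}
    def enable_baseline(self, baselineIdentifier, baselineVersion, targetIdentifier, parameters):
        op_id = f"bop-{len(self.targets) + 1}"
        self.targets[op_id] = targetIdentifier
        return {"operationIdentifier": op_id, "arn": f"{targetIdentifier}/enabledbaseline"}
    def get_baseline_operation(self, operationIdentifier):
        n = self.polls[operationIdentifier] = self.polls.get(operationIdentifier, 0) + 1
        failed = "bad" in self.targets.get(operationIdentifier, "")
        status = "IN_PROGRESS" if n < 3 else ("FAILED" if failed else "SUCCEEDED")
        msg = "constructed failure" if status == "FAILED" else None
        return {"baselineOperation": {"operationIdentifier": operationIdentifier,
                                      "operationType": "ENABLE_BASELINE", "status": status, "statusMessage": msg}}

if __name__ == "__main__":
    ct = FakeControlTower()  # in production: boto3.client("controltower")
    print(enroll_ou(ct, "arn:aws:controltower:REGION::baseline/BASELINE_ID", "BASELINE_VERSION",
                    "arn:aws:organizations::ACCOUNT_ID:ou/o-ORG/ou-OU_ID", sleep=lambda s: None))
```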