January 2024 - Present - AWS Control Tower

January 2024 - Present

Since January 2024, AWS Control Tower has released the following updates:

AWS Control Tower adds the ListLandingZoneOperations API

June 26, 2024

(No update required for AWS Control Tower landing zone.)

AWS Control Tower has added an API that allows you to retrieve a list of operations recently applied to your landing zone, and operations currently in progress. The API can return the history of landing zone operations and their identifiers for up to 90 days. For usage examples, see View the status of your landing zone operations.

For more information about the ListLandingZoneOperations API, see ListLandingZoneOperations in the AWS Control Tower API Reference.

AWS Control Tower supports up to 100 concurrent control operations

May 20, 2024

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now supports multiple control operations with higher concurrency. You can submit up to 100 AWS Control Tower control operations, across multiple organizational units (OUs), at the same time, from the console or with APIs. Up to ten (10) operations can run simultaneously, and the additional ones are queued. In this way, you can set up a more standardized configuration across multiple AWS accounts, without the operational burden of repetitive control operations.

To monitor the status of your ongoing and queued control operations, you can navigate to the new Recent operations page in the AWS Control Tower console, or you can call the new ListControlOperations API.

The AWS Control Tower library contains more than 500 controls, which map to different control objectives, frameworks, and services. For a specific control objective, such as Encrypt data at rest, you can enable multiple controls with a single control operation, to help you achieve the objective. This capability facilitates accelerated development, allows faster adoption of best practice controls, and mitigates operational complexities.

AWS Control Tower available in AWS Canada West (Calgary)

May 3, 2024

(No update required for AWS Control Tower landing zone.)

Starting today, you can activate AWS Control Tower in the Canada West (Calgary) Region. If you already have deployed AWS Control Tower and you want to extend its governance features to this Region, you can do so with the AWS Control Tower landing zone APIs. Or from the console, go to the Settings page in your AWS Control Tower dashboard, select your Regions, and then update your landing zone.

The Canada West (Calgary) Region does not support AWS Service Catalog. For this reason, some functionality of AWS Control Tower is different. The most notable functionality change is that Account Factory is not available. If you choose Canada West (Calgary) as your home Region, the procedures for updating accounts, setting up account automations, and any other processes that involve Service Catalog are different than in other Regions.

Provisioning accounts

To create and provision a new account in the Canada West (Calgary) Region, we recommend that you create an account outside of AWS Control Tower, and then enroll it into a registered OU. For more information, see Enroll an existing account and Steps to enroll an account.

The Service Catalog APIs are not available in Canada West (Calgary) Region. The example script shown in Automate account provisioning in AWS Control Tower by Service Catalog APIs is not workable.

Account Factory Customizations (AFC), Account Factory for Terraform (AFT), and Customizations for AWS Control Tower (CfCT) are not available in Canada West (Calgary), due to lack of other underlying dependencies for AWS Control Tower. If you extend governance to Canada West (Calgary) Region, you can continue to manage AFC blueprints in all Regions that AWS Control Tower supports, as long as Service Catalog is available in your home Region.


Proactive controls and controls for the AWS Security Hub Service-Managed Standard: AWS Control Tower are not available in Canada West (Calgary) Region. The preventive control CT.CLOUDFORMATION.PR.1 is not available in Canada West (Calgary) because it is required only for activating the hook-based, proactive controls. Certain detective controls based on AWS Config are not available. For details, see Control limitations.

Identity provider

IAM Identity Center is not available in Canada West (Calgary). The best practice recommendation is to set up your landing zone in a Region where IAM Identity Center is available. Alternatively, you have the option to self-manage your account access configuration if you use an external identity provider in Canada West (Calgary).

The unavailability of Service Catalog in Canada West (Calgary) Region has no effect on other Regions that are supported by AWS Control Tower. These differences apply only if your home Region is Canada West (Calgary).

For a full list of Regions where AWS Control Tower is available, see the AWS Region Table.

AWS Control Tower supports self-service quota adjustments

April 25, 2024

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now supports self-service quota adjustments through the Service Quotas console. For more information, see Request a quota increase.

AWS Control Tower releases the Controls Reference Guide

April 21, 2024

(No update required for AWS Control Tower landing zone.)

AWS Control Tower released the Controls Reference Guide, a new document where you can find detailed information about the controls that are specific to the AWS Control Tower environment. Previously, this material was included in the AWS Control Tower User Guide. The Controls Reference Guide covers controls in an expanded format. For more information, see the AWS Control Tower Controls Reference Guide.

AWS Control Tower updates and renames two proactive controls

March 26, 2024

(No update required for AWS Control Tower landing zone.)

AWS Control Tower has renamed two proactive controls to align with updates to Amazon OpenSearch Service.

We updated the control names and the artifacts for these two controls to align with the recent release from the Amazon OpenSearch Service, which now supports Transport Layer Security (TLS) version 1.3 among its transport security options for domain endpoint security.

To add support for TLSv1.3 for these controls, we have updated the artifact and name of the controls to reflect the intent of the control. They now evaluate the minimum TLS version of the service domain. To make this update in your environment, you must Disable and Enable the controls to deploy the latest artifact.

No other proactive controls are affected by this change. We recommend that you review these controls, to ensure that they meet your control objectives.

For questions or concerns, contact AWS Support.

Deprecated controls no longer available

March 12, 2024

(No update required for AWS Control Tower landing zone.)

AWS Control Tower has deprecated some controls. These controls are no longer available.




  • SH.Athena.1

  • SH.Codebuild.5

  • SH.AutoScaling.4

  • SH.SNS.1

  • SH.SNS.2

AWS Control Tower supports tagging EnabledControl resources in AWS CloudFormation

February 22, 2024

(No update required for AWS Control Tower landing zone.)

This AWS Control Tower release updates the behavior of the EnabledControl resource, to align better with configurable controls, and to improve the ability to manage your AWS Control Tower environment with automation. With this release, you can add tags to configurable EnabledControl resources by means of AWS CloudFormation templates. Previously, you could add tags through the AWS Control Tower console and APIs only.

The AWS Control Tower GetEnabledControl, EnableControl, and ListTagsforResource API operations are updated with this release, because they rely on the EnabledControl resource functionality.

For more information, see Tagging EnabledControl resources in AWS Control Tower and EnabledControl in the AWS CloudFormation User Guide.

AWS Control Tower supports APIs for OU registration and configuration with baselines

February 14, 2024

(No update required for AWS Control Tower landing zone.)

These APIs support programmatic OU registration with the EnableBaseline call. When you enable a baseline on an OU, member accounts within the OU are enrolled into AWS Control Tower governance. Certain caveats may apply. For example, OU registration through the AWS Control Tower console enables optional controls as well as mandatory controls. When calling APIs, you may need to complete an extra step so that optional controls are enabled.

An AWS Control Tower baseline embodies best practices for AWS Control Tower governance of an OU and member accounts. For example, when you enable a baseline on an OU, member accounts within the OU receive a defined group of resources, including AWS CloudTrail, AWS Config, IAM Identity Center, and required AWS IAM roles.

Specific baselines are compatible with specific AWS Control Tower landing zone versions. AWS Control Tower can apply the latest compatible baseline to your landing zone, when you change your landing zone settings. For more information, see Compatibility of OU baselines and landing zone versions.

This release includes four essential Types of baselines
  • AWSControlTowerBaseline

  • AuditBaseline

  • LogArchiveBaseline

  • IdentityCenterBaseline

With the new APIs and defined baselines, you can register OUs and automate your OU provisioning workflow. The APIs also can manage OUs that are already under AWS Control Tower governance, so you can re-register OUs after landing zone updates. The APIs include support for an AWS CloudFormation EnabledBaseline resource, which allows you to manage your OUs with infrastructure as code (IaC).

Baseline APIs
  • EnableBaseline, UpdateEnabledBaseline, DisableBaseline: Take action on a baseline for an OU.

  • GetEnabledBaseline, ListEnabledBaselines: Discover configurations for your enabled baselines.

  • GetBaselineOperation: View the status of a particular baseline operation.

  • ResetEnabledBaseline: Remediate resource drift on an OU with an enabled baseline (including nested OUs and mandatory control drift). Also remediates drift for the landing-zone-level Region deny control

  • GetBaseline, ListBaselines: Discover content of AWS Control Tower baselines.

To learn more about these APIs, review Baselines in the AWS Control Tower User Guide, and the API Reference. The new APIs are available in AWS Regions where AWS Control Tower is available, except GovCloud (US) Regions. For a list of AWS Regions where AWS Control Tower is available, see the AWS Region Table.