January 2024 - Present
Since January 2024, AWS Control Tower has released the following updates:
- AWS Control Tower adds preventive controls with declarative policies
- AWS Control Tower improves hook management and adds proactive control Regions
- AWS Control Tower launches managed resource control policies
- AWS Control Tower available in AWS Asia Pacific (Malaysia) Region
- Descriptive control API available, expanded access to Regions and controls
- AWS Control Tower supports up to 100 concurrent control operations
- AWS Control Tower updates and renames two proactive controls
- AWS Control Tower supports tagging EnabledControl resources in AWS CloudFormation
- AWS Control Tower supports APIs for OU registration and configuration with baselines
AWS Control Tower adds preventive controls with declarative policies
December 1, 2024
(No update required for AWS Control Tower landing zone.)
AWS Control Tower now supports preventive controls that are implemented by declarative policies from AWS Organizations. Declarative policies are applied directly at the service level. This approach ensures that the specified configuration is enforced, even when new features or APIs are introduced by the service. For more information, see Controls implemented with declarative policies.
AWS Control Tower adds prescriptive backup plan options
November 25, 2024
(No update required for AWS Control Tower landing zone.)
AWS Control Tower now supports prescriptive AWS Backup plans that allow you to incorporate a data backup and recovery workflow directly into your landing zone. The backup plan includes predefined rules, such as retention days, backup frequency, and the time window during which backup occurs. These rules define how to back up your AWS resources across all of your governed member accounts. When you apply a backup plan to the landing zone, AWS Control Tower ensures that the plan is consistent for all member accounts, and aligned with best practice recommendations from AWS Backup.
For more information, see AWS Backup and AWS Control Tower.
AWS Control Tower integrates AWS Config controls
November 21, 2024
(No update required for AWS Control Tower landing zone.)
AWS Control Tower has integrated selected AWS Config controls, so that they can be viewed and managed by AWS Control Tower.
For more information, see Integrated AWS Config controls available in AWS Control Tower.
AWS Control Tower improves hook management and adds proactive control Regions
November 20, 2024
(No update required for AWS Control Tower landing zone.)
With this release, hooks deployed for proactive controls are managed by AWS Control Tower. Also, proactive controls are available in the Canada West (Calgary) Region and Asia Pacific (Malaysia) Region.
Previously, AWS Control Tower relied upon AWS CloudFormation hooks for proactive control capabilities. As a result, deployed hooks were protected, so that only AWS Control Tower could modify them. With this release, the hooks deployed by proactive controls are managed by the AWS Control Tower service. You can author your own hooks, while you still benefit from the AWS Control Tower proactive controls.
If you currently deploy proactive controls, you can move to this improved hook functionality. To do so, reset the proactive controls that are active on each OU, by calling the ResetEnabledControl API, or by updating the control from the console with the Reset functionality. When you do this task, AWS Control Tower moves the proactive control hooks to the new capability, in which hooks are managed by AWS Control Tower directly.
Also, you can remove the CT.CLOUDFORMATION.PR.1 control after you reset the proactive controls, if you do not use it for any other purpose. That control was needed to protect the AWS CloudFormation hooks.
AWS Control Tower launches managed resource control policies
November 15, 2024
(No update required for AWS Control Tower landing zone.)
AWS Control Tower offers a new type of preventive control, implemented with resource control policies (RCPs). These controls help you establish a data perimeter across your AWS Control Tower environment, to protect your resources from unintended access.
For example, you can enable RCP-based controls for Amazon S3, AWS Security Token Service, AWS Key Management Service, Amazon SQS, and AWS Secrets Manager services. An RCP-based control can enforce a requirement such as “Require that the organization's Amazon S3 resources are accessible only by IAM principals that belong to the organization, or by an AWS service,” regardless of the permissions granted on individual bucket policies.
You can configure the new RCP-based controls, and certain existing SCP-based preventive controls, to specify AWS IAM exemptions for principals and resources. If you don’t want a principal or a resource to be governed by the control, you can configure an exemption.
By combining preventive, proactive, and detective controls in AWS Control Tower, you can monitor whether your multi-account AWS environment is secure and managed in accordance with best practices, such as the AWS Foundational Security Best Practices standard.
These new RCP-based preventive controls are available in AWS Regions where AWS Control Tower is available. For a full list of AWS Regions where AWS Control Tower is available, see the AWS Region Table.
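The requirement quoted above ("accessible only by IAM principals that belong to the organization, or by an AWS service") can be expressed with the aws:PrincipalOrgID and aws:PrincipalIsAWSService condition keys. The following is an added example, not the content of any AWS Control Tower managed control: an illustrative RCP statement of that shape, plus a small evaluator that models only the two IfExists operators the statement uses, so you can see which callers the Deny catches regardless of what a bucket policy grants. The organization ID is a constructed placeholder.

```python
"""Illustrative S3 data-perimeter RCP and a minimal evaluator for its conditions.

Added example. The policy below is written for illustration and is not the text
of an AWS Control Tower managed control; the evaluator models only the
StringNotEqualsIfExists and BoolIfExists operators, not the full IAM engine.
"""

ORG_ID = "o-example1234"  # constructed placeholder organization ID

# Deny any S3 action unless the caller is a principal of this organization or an
# AWS service principal. The IfExists operators match when the key is absent, so
# an anonymous request (no aws:PrincipalOrgID) is denied as well.
S3_PERIMETER_RCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EnforceOrgIdentities",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "*",
            "Condition": {
                "StringNotEqualsIfExists": {"aws:PrincipalOrgID": ORG_ID},
                "BoolIfExists": {"aws:PrincipalIsAWSService": "false"},
            },
        }
    ],
}


def _condition_matches(operator, key, expected, context):
    """Evaluate one condition key against the request context."""
    present = key in context
    if operator == "StringNotEqualsIfExists":
        return True if not present else context[key] != expected
    if operator == "BoolIfExists":
        return True if not present else str(context[key]).lower() == expected
    raise ValueError(f"operator not modelled: {operator}")


def _action_covered(stmt_actions, action):
    service = action.split(":")[0]
    actions = stmt_actions if isinstance(stmt_actions, list) else [stmt_actions]
    return any(a in (action, f"{service}:*", "*") for a in actions)


def rcp_denies(policy, action, context):
    """Return True if a Deny statement of the RCP applies to this request.

    `context` holds the request's condition keys, e.g.
    {"aws:PrincipalOrgID": "o-...", "aws:PrincipalIsAWSService": "false"}.
    A resource-level Allow (bucket policy, IAM policy) never overrides this.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or not _action_covered(stmt["Action"], action):
            continue
        # Every condition key in the statement must match for the Deny to apply.
        if all(
            _condition_matches(op, key, expected, context)
            for op, keys in stmt.get("Condition", {}).items()
            for key, expected in keys.items()
        ):
            return True
    return False


if __name__ == "__main__":
    cases = {  # constructed request contexts
        "org principal": {"aws:PrincipalOrgID": ORG_ID, "aws:PrincipalIsAWSService": "false"},
        "external account": {"aws:PrincipalOrgID": "o-other", "aws:PrincipalIsAWSService": "false"},
        "anonymous": {},
        "AWS service": {"aws:PrincipalIsAWSService": "true"},
    }
    for name, ctx in cases.items():
        print(f"{name:17s} denied={rcp_denies(S3_PERIMETER_RCP, 's3:GetObject', ctx)}")
```

The four constructed cases show the perimeter semantics: a principal in the organization and an AWS service principal pass, while an external account and an anonymous request are denied even when a bucket policy grants them access, which is what the "regardless of the permissions granted on individual bucket policies" sentence describes.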
AWS Control Tower reports control policy drift
November 15, 2024
(No update required for AWS Control Tower landing zone.)
AWS Control Tower now reports control policy drift, for controls implemented with resource control policies (RCPs), and controls that are part of the Security Hub Service-managed Standard: AWS Control Tower. This type of drift can be remediated through the new ResetEnabledControl API. For more information, see Types of governance drift.
New ResetEnabledControl API
November 14, 2024
(No update required for AWS Control Tower landing zone.)
AWS Control Tower announces a new API to help you manage control drift programmatically. You can repair control drift and reset a control to its intended configuration. The ResetEnabledControl API works with optional AWS Control Tower controls, including Strongly recommended and Elective controls.
Control exceptions
- Controls that are implemented with service control policies (SCPs) cannot be reset with this API. For more information, see ResetEnabledControl.
- Mandatory controls cannot be reset, because they protect AWS Control Tower resources.
- The Region deny control for the landing zone must be reset through the console.
Control drift occurs when an AWS Control Tower control is modified outside AWS Control Tower, for example from the AWS Organizations console. Resolving drift helps to ensure your compliance with governance requirements.
Control catalog updates GetControl API
November 8, 2024
(No update required for AWS Control Tower landing zone.)
AWS Control Tower now supports an updated GetControl API that includes two new fields: Implementation types for all controls, and Parameters for certain controls that can be configured. The GetControl API is part of the controlcatalog namespace of AWS Control Tower. For more information, see the GetControl API in the Control Catalog API Reference.
This release includes related changes that are shown in the AWS Control Tower console.
- All existing AWS Security Hub controls have their Implementation parameter value changed from AWS Config rule to AWS Security Hub. The corresponding console help panel is modified to reflect this change.
- All existing Hook controls have their Implementation parameter value changed from AWS CloudFormation guard rule to AWS CloudFormation hook. The corresponding console help panel is modified to reflect this change.
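The three notes above fit together in one automation: the Implementation field of GetControl tells you how a control is implemented, the ResetEnabledControl note lists which controls the API cannot reset (SCP-implemented, mandatory, the landing zone Region deny control), and the hook-management note asks you to reset the proactive controls on each OU to migrate them. The following is an added example, not AWS documentation code, of a drift-remediation helper that applies those rules. It expects boto3's controltower and controlcatalog clients at runtime; the stub classes at the bottom are constructed stand-ins so it runs offline, and the implementation-type strings, ARNs and the REGION-DENY identifier fragment in the stubs are placeholders rather than real API values.

```python
"""Reset drifted controls with ResetEnabledControl, skipping what the API cannot reset.

Added example, not AWS documentation code. At runtime pass
boto3.client("controltower") and boto3.client("controlcatalog"); the stubs below
are constructed stand-ins. Implementation-type strings and ARNs are placeholders;
read real values from GetControl's Implementation field and ListEnabledControls.
"""

SCP_IMPLEMENTATION = "service control policy"  # constructed placeholder label
REGION_DENY_FRAGMENT = "REGION-DENY"            # constructed placeholder identifier fragment


def reset_eligibility(enabled_control, implementation_type, mandatory, require_drift=True):
    """Return (eligible, reason) for one ListEnabledControls entry.

    `implementation_type` is GetControl's Implementation.Type for the control;
    `mandatory` is supplied by the caller. Set require_drift=False for the hook
    migration, where every proactive control is reset whether drifted or not.
    """
    drift = enabled_control.get("driftStatusSummary", {}).get("driftStatus")
    if require_drift and drift != "DRIFTED":
        return False, f"drift status is {drift}; nothing to reset"
    if mandatory:
        return False, "mandatory controls cannot be reset"
    if REGION_DENY_FRAGMENT in enabled_control["controlIdentifier"]:
        return False, "landing zone Region deny control must be reset from the console"
    if implementation_type == SCP_IMPLEMENTATION:
        return False, "SCP-implemented controls cannot be reset with this API"
    return True, "eligible"


def remediate_drift(ct_client, catalog_client, ou_arn, mandatory_controls,
                    require_drift=True, only_types=None):
    """Reset every eligible control on one OU; return {controlIdentifier: outcome}."""
    report, token = {}, None
    while True:
        kwargs = {"targetIdentifier": ou_arn}
        if token:
            kwargs["nextToken"] = token
        page = ct_client.list_enabled_controls(**kwargs)
        for ec in page["enabledControls"]:
            ctrl = ec["controlIdentifier"]
            impl = catalog_client.get_control(ControlArn=ctrl)["Implementation"]["Type"]
            if only_types and impl not in only_types:
                report[ctrl] = ("skipped", f"implementation type {impl!r} not selected")
                continue
            ok, reason = reset_eligibility(ec, impl, ctrl in mandatory_controls, require_drift)
            if ok:
                op = ct_client.reset_enabled_control(enabledControlIdentifier=ec["arn"])
                report[ctrl] = ("reset", op["operationIdentifier"])
            else:
                report[ctrl] = ("skipped", reason)
        token = page.get("nextToken")
        if not token:
            return report


# --- constructed stand-ins for offline use -----------------------------------
OU_ARN = "arn:aws:organizations::111111111111:ou/o-example/ou-example"
HOOK_TYPE = "AWS CloudFormation hook"  # console label from the notes, used as a stub value


def _entry(name, drift):
    return {"arn": f"arn:aws:controltower:us-east-1:111111111111:enabledcontrol/{name}",
            "controlIdentifier": f"arn:aws:controlcatalog:::control/{name}",
            "driftStatusSummary": {"driftStatus": drift}}


SAMPLE_CONTROLS = [_entry("HOOK-EXAMPLE", "DRIFTED"), _entry("SCP-EXAMPLE", "DRIFTED"),
                   _entry("MANDATORY-EXAMPLE", "DRIFTED"), _entry("REGION-DENY-EXAMPLE", "DRIFTED"),
                   _entry("CONFIG-EXAMPLE", "IN_SYNC")]
SAMPLE_TYPES = {"HOOK-EXAMPLE": HOOK_TYPE, "SCP-EXAMPLE": SCP_IMPLEMENTATION,
                "MANDATORY-EXAMPLE": HOOK_TYPE, "REGION-DENY-EXAMPLE": SCP_IMPLEMENTATION,
                "CONFIG-EXAMPLE": "AWS Config rule"}
MANDATORY = {"arn:aws:controlcatalog:::control/MANDATORY-EXAMPLE"}


class StubCatalog:
    def get_control(self, ControlArn):
        return {"Implementation": {"Type": SAMPLE_TYPES[ControlArn.rsplit("/", 1)[1]]}}


class StubControlTower:
    def __init__(self):
        self.reset_calls = []

    def list_enabled_controls(self, **kwargs):
        return {"enabledControls": SAMPLE_CONTROLS}  # single page, no nextToken

    def reset_enabled_control(self, enabledControlIdentifier):
        self.reset_calls.append(enabledControlIdentifier)
        return {"operationIdentifier": f"op-{len(self.reset_calls)}"}


def demo(require_drift=True, only_types=None):
    return remediate_drift(StubControlTower(), StubCatalog(), OU_ARN, MANDATORY,
                           require_drift, only_types)


if __name__ == "__main__":
    for ctrl, outcome in demo().items():
        print(ctrl.rsplit("/", 1)[1], *outcome)
```

With the defaults only the drifted hook control is reset; `demo(require_drift=False, only_types={HOOK_TYPE})` is the hook-migration variant, which resets every hook-implemented control on the OU except the mandatory one. Each reset returns an operationIdentifier you can track in the console's Recent operations page or with the control operation APIs.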
AWS Control Tower AFT supports GitLab
October 23, 2024
(No update required for AWS Control Tower landing zone.)
AWS Control Tower now supports GitLab and GitLab Self-managed as options for a third-party version control system (VCS) and configuration source for Account Factory for Terraform (AFT).
AWS Control Tower available in AWS Asia Pacific (Malaysia) Region
October 21, 2024
(No update required for AWS Control Tower landing zone.)
AWS Control Tower is available in the AWS Asia Pacific (Malaysia) Region.
For a full list of Regions where AWS Control Tower is available, see the AWS Region Table.
AWS Control Tower supports up to 1000 accounts per OU
August 30, 2024
(No update required for AWS Control Tower landing zone.)
AWS Control Tower has increased the maximum number of accounts allowed per organizational unit (OU) from 300 to 1000. Now, you can enroll up to 1000 AWS accounts into AWS Control Tower governance at once, without changing your OU structure. The OU registration and re-registration processes also are more efficient, requiring significantly less time to deploy AWS Control Tower baseline resources into your accounts.
Some account limitations still apply due to the limitations on the number of AWS CloudFormation stack sets available. Specifically, the maximum number of accounts you can enroll in an OU may differ, depending on the number of Regions you have under governance. To learn more, visit Limitations based on underlying AWS services in the AWS Control Tower User Guide. For a full list of AWS Regions where AWS Control Tower is available, see the AWS Region Table.
AWS Control Tower adds landing zone version selection
August 15, 2024
(No update required for AWS Control Tower landing zone.)
If you are running AWS Control Tower landing zone version 3.1 and above, you can update or repair your landing zone in place on the current version, or you can upgrade to a version of your choice. Previously, any landing zone update or repair required an upgrade to the latest landing zone version.
With landing zone version selection, you have more flexibility to plan for version upgrades while you evaluate potential changes to your environment. You need not choose between repairing drift to stay in compliance, updating your landing zone configurations, or upgrading to the latest landing zone version. If you are running landing zone version 3.1 or above, you can choose to stay on the current version, or upgrade to a newer version, when you update or reset your landing zone configurations.
Descriptive control API available, expanded access to Regions and controls
August 6, 2024
(No update required for AWS Control Tower landing zone.)
AWS Control Tower added two new API operations that help you find more information about available controls, programmatically. This functionality makes it easier to deploy controls with automation.
- The GetControl API returns details about an enabled control, including the target identifier, a control information summary, a list of target Regions, and the drift status.
- The ListControls API returns a paginated list of all available controls in the AWS Control Tower library of controls.
These APIs are reached through the AWS Control Catalog namespace. The AWS Control Catalog is a part of AWS Control Tower, which includes controls that help you manage other AWS services, not just AWS Control Tower. This expanded catalog consolidates controls from several AWS services, so that you can view AWS controls according to some common use cases, such as: security, cost, durability, and operations. For more information, see the Control Catalog API Reference.
Expanded Region availability
Beginning with this release, you can extend AWS Control Tower governance into AWS Regions where some of your (already) enabled controls are not available. Also, you can now enable certain controls in more Regions, even though the control is not supported in all of your governed Regions.
Previously, AWS Control Tower prevented you from extending governance into Regions or enabling controls, when it did not offer consistency across all of your enabled controls and governed Regions. With this release, you have more flexibility, as well as more responsibility to ensure that your configuration is correct for all enabled controls and all governed Regions. The AWS Control Tower control APIs and the control catalog APIs can help you get information about the AWS Regions in which you are protected by enabled controls, and the Regions in which additional controls may be deployed. Region and control information also is available in the AWS Control Tower console.
AWS Control Tower supports AFT and CfCT in opt-in Regions
July 18, 2024
(No update required for AWS Control Tower landing zone.)
Today, AWS Control Tower customization frameworks Account Factory for Terraform (AFT) and Customizations for AWS Control Tower (CfCT) are available in five additional AWS Regions: Asia Pacific (Hyderabad, Jakarta and Osaka), Israel (Tel Aviv), and Middle East (UAE).
Account Factory for Terraform (AFT) sets up a Terraform pipeline to help you provision and customize accounts in AWS Control Tower. Customizations for AWS Control Tower (CfCT) helps you customize your AWS Control Tower landing zone and accounts with AWS CloudFormation templates and service control policies (SCPs).
To learn more, visit the Account Factory for Terraform and Customizations for AWS Control Tower pages in the AWS Control Tower User Guide. You also may wish to review the release notes on the AFT GitHub page and the CfCT GitHub page. AFT and CfCT are supported in all AWS Regions, with some exceptions. For specifics, see Region limitations.
AWS Control Tower adds the ListLandingZoneOperations API
June 26, 2024
(No update required for AWS Control Tower landing zone.)
AWS Control Tower has added an API that allows you to retrieve a list of operations recently applied to your landing zone, and operations currently in progress. The API can return the history of landing zone operations and their identifiers for up to 90 days. For usage examples, see View the status of your landing zone operations.
For more information about the ListLandingZoneOperations API, see ListLandingZoneOperations in the AWS Control Tower API Reference.
AWS Control Tower supports up to 100 concurrent control operations
May 20, 2024
(No update required for AWS Control Tower landing zone.)
AWS Control Tower now supports multiple control operations with higher concurrency. You can submit up to 100 AWS Control Tower control operations, across multiple organizational units (OUs), at the same time, from the console or with APIs. Up to ten (10) operations can run simultaneously, and the additional ones are queued. In this way, you can set up a more standardized configuration across multiple AWS accounts, without the operational burden of repetitive control operations.
To monitor the status of your ongoing and queued control operations, you can navigate to the new Recent operations page in the AWS Control Tower console, or you can call the new ListControlOperations API.
The AWS Control Tower library contains more than 500 controls, which map to different control objectives, frameworks, and services. For a specific control objective, such as Encrypt data at rest, you can enable multiple controls with a single control operation, to help you achieve the objective. This capability facilitates accelerated development, allows faster adoption of best practice controls, and mitigates operational complexities.
AWS Control Tower available in AWS Canada West (Calgary)
May 3, 2024
(No update required for AWS Control Tower landing zone.)
Starting today, you can activate AWS Control Tower in the Canada West (Calgary) Region. If you already have deployed AWS Control Tower and you want to extend its governance features to this Region, you can do so with the AWS Control Tower landing zone APIs. Or from the console, go to the Settings page in your AWS Control Tower dashboard, select your Regions, and then update your landing zone.
The Canada West (Calgary) Region does not support AWS Service Catalog. For this reason, some functionality of AWS Control Tower is different. The most notable functionality change is that Account Factory is not available. If you choose Canada West (Calgary) as your home Region, the procedures for updating accounts, setting up account automations, and any other processes that involve Service Catalog are different than in other Regions.
Provisioning accounts
To create and provision a new account in the Canada West (Calgary) Region, we recommend that you create an account outside of AWS Control Tower, and then enroll it into a registered OU. For more information, see Enroll an existing account and Steps to enroll an account.
The Service Catalog APIs are not available in Canada West (Calgary) Region. The example script shown in Automate account provisioning in AWS Control Tower by Service Catalog APIs is not workable.
Account Factory Customizations (AFC), Account Factory for Terraform (AFT), and Customizations for AWS Control Tower (CfCT) are not available in Canada West (Calgary), due to lack of other underlying dependencies for AWS Control Tower. If you extend governance to Canada West (Calgary) Region, you can continue to manage AFC blueprints in all Regions that AWS Control Tower supports, as long as Service Catalog is available in your home Region.
Controls
Proactive controls and controls for the AWS Security Hub Service-Managed Standard: AWS Control Tower are not available in Canada West (Calgary) Region. The preventive control CT.CLOUDFORMATION.PR.1 is not available in Canada West (Calgary) because it is required only for activating the hook-based, proactive controls. Certain detective controls based on AWS Config are not available. For details, see Control limitations.
Identity provider
IAM Identity Center is not available in Canada West (Calgary). The best practice recommendation is to set up your landing zone in a Region where IAM Identity Center is available. Alternatively, you have the option to self-manage your account access configuration if you use an external identity provider in Canada West (Calgary).
The unavailability of Service Catalog in Canada West (Calgary) Region has no effect on other Regions that are supported by AWS Control Tower. These differences apply only if your home Region is Canada West (Calgary).
For a full list of Regions where AWS Control Tower is available, see the AWS Region Table.
AWS Control Tower supports self-service quota adjustments
April 25, 2024
(No update required for AWS Control Tower landing zone.)
AWS Control Tower now supports self-service quota adjustments through the Service Quotas console. For more information, see Request a quota increase.
AWS Control Tower releases the Controls Reference Guide
April 21, 2024
(No update required for AWS Control Tower landing zone.)
AWS Control Tower released the Controls Reference Guide, a new document where you can find detailed information about the controls that are specific to the AWS Control Tower environment. Previously, this material was included in the AWS Control Tower User Guide. The Controls Reference Guide covers controls in an expanded format. For more information, see the AWS Control Tower Controls Reference Guide.
AWS Control Tower updates and renames two proactive controls
March 26, 2024
(No update required for AWS Control Tower landing zone.)
AWS Control Tower has renamed two proactive controls to align with updates to Amazon OpenSearch Service.
We updated the control names and the artifacts for these two controls to align with the recent release from the Amazon OpenSearch Service, which now supports Transport Layer Security (TLS) version 1.3.
To add support for TLSv1.3 for these controls, we have updated the artifact and name of the controls to reflect the intent of the control. They now evaluate the minimum TLS version of the service domain. To make this update in your environment, you must Disable and Enable the controls to deploy the latest artifact.
No other proactive controls are affected by this change. We recommend that you review these controls, to ensure that they meet your control objectives.
For questions or concerns, contact AWS Support.
Deprecated controls no longer available
March 12, 2024
(No update required for AWS Control Tower landing zone.)
AWS Control Tower has deprecated some controls. These controls are no longer available.
- CT.ATHENA.PR.1
- CT.CODEBUILD.PR.4
- CT.AUTOSCALING.PR.3
- SH.Athena.1
- SH.Codebuild.5
- SH.AutoScaling.4
- SH.SNS.1
- SH.SNS.2
AWS Control Tower supports tagging EnabledControl resources in AWS CloudFormation
February 22, 2024
(No update required for AWS Control Tower landing zone.)
This AWS Control Tower release updates the behavior of the EnabledControl resource, to align better with configurable controls, and to improve the ability to manage your AWS Control Tower environment with automation. With this release, you can add tags to configurable EnabledControl resources by means of AWS CloudFormation templates. Previously, you could add tags through the AWS Control Tower console and APIs only.
The AWS Control Tower GetEnabledControl, EnableControl, and ListTagsForResource API operations are updated with this release, because they rely on the EnabledControl resource functionality.
For more information, see Tagging EnabledControl resources in AWS Control Tower and EnabledControl in the AWS CloudFormation User Guide.
AWS Control Tower supports APIs for OU registration and configuration with baselines
February 14, 2024
(No update required for AWS Control Tower landing zone.)
These APIs support programmatic OU registration with the EnableBaseline call. When you enable a baseline on an OU, member accounts within the OU are enrolled into AWS Control Tower governance. Certain caveats may apply. For example, OU registration through the AWS Control Tower console enables optional controls as well as mandatory controls. When calling APIs, you may need to complete an extra step so that optional controls are enabled.
An AWS Control Tower baseline embodies best practices for AWS Control Tower governance of an OU and member accounts. For example, when you enable a baseline on an OU, member accounts within the OU receive a defined group of resources, including AWS CloudTrail, AWS Config, IAM Identity Center, and required AWS IAM roles.
Specific baselines are compatible with specific AWS Control Tower landing zone versions. AWS Control Tower can apply the latest compatible baseline to your landing zone, when you change your landing zone settings. For more information, see Compatibility of OU baselines and landing zone versions.
This release includes four essential types of baselines:
- AWSControlTowerBaseline
- AuditBaseline
- LogArchiveBaseline
- IdentityCenterBaseline
With the new APIs and defined baselines, you can register OUs and automate your OU provisioning workflow. The APIs also can manage OUs that are already under AWS Control Tower governance, so you can re-register OUs after landing zone updates. The APIs include support for an AWS CloudFormation EnabledBaseline resource, which allows you to manage your OUs with infrastructure as code (IaC).
Baseline APIs
- EnableBaseline, UpdateEnabledBaseline, DisableBaseline: Take action on a baseline for an OU.
- GetEnabledBaseline, ListEnabledBaselines: Discover configurations for your enabled baselines.
- GetBaselineOperation: View the status of a particular baseline operation.
- ResetEnabledBaseline: Remediate resource drift on an OU with an enabled baseline (including nested OUs and mandatory control drift). Also remediates drift for the landing-zone-level Region deny control.
- GetBaseline, ListBaselines: Discover content of AWS Control Tower baselines.
To learn more about these APIs, review Baselines in the AWS Control Tower User Guide, and the API Reference. The new APIs are available in AWS Regions where AWS Control Tower is available, except GovCloud (US) Regions. For a list of AWS Regions where AWS Control Tower is available, see the AWS Region Table.
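The caveat in this note matters for security posture: registering an OU through EnableBaseline does not enable the optional controls that console registration would, so an automation that stops after the baseline leaves the OU with mandatory controls only. The following is an added example, not AWS documentation code, of the full sequence: enable AWSControlTowerBaseline on an OU, wait for GetBaselineOperation to report a final status, then submit EnableControl for the optional controls you want and wait on each control operation, keeping within the 100-operation submission limit from the May 20, 2024 note (the service runs up to ten at a time and queues the rest). It expects boto3's controltower client at runtime; the StubControlTower class is a constructed stand-in that completes every operation immediately. Baseline, control and OU ARNs and the baseline version are placeholders, and the IdentityCenterEnabledBaselineArn parameter is the one AWSControlTowerBaseline takes, which this page does not describe.

```python
"""Register an OU with EnableBaseline, then enable optional controls on it.

Added example, not AWS documentation code. Pass boto3.client("controltower") at
runtime; StubControlTower below is a constructed stand-in. All ARNs and the
baseline version are placeholders.
"""
import time

MAX_CONTROL_OPERATIONS = 100  # submission limit stated in the May 20, 2024 note


def wait_for_status(get_status, sleep=time.sleep, attempts=90, interval=10):
    """Poll an operation until it is SUCCEEDED or FAILED; return the final status."""
    for _ in range(attempts):
        status = get_status()
        if status in ("SUCCEEDED", "FAILED"):
            return status
        sleep(interval)
    raise TimeoutError("operation did not finish within the polling window")


def register_ou(client, ou_arn, baseline_arn, baseline_version, idc_baseline_arn, sleep=time.sleep):
    """Enable AWSControlTowerBaseline on the OU so its member accounts become governed."""
    resp = client.enable_baseline(
        baselineIdentifier=baseline_arn,
        baselineVersion=baseline_version,
        targetIdentifier=ou_arn,
        # Parameter of AWSControlTowerBaseline (not shown on this page): the enabled
        # IdentityCenterBaseline to use for the OU.
        parameters=[{"key": "IdentityCenterEnabledBaselineArn", "value": idc_baseline_arn}],
    )
    op_id = resp["operationIdentifier"]
    status = wait_for_status(
        lambda: client.get_baseline_operation(operationIdentifier=op_id)["baselineOperation"]["status"],
        sleep)
    return {"enabledBaselineArn": resp["arn"], "status": status}


def enable_optional_controls(client, ou_arn, control_arns, sleep=time.sleep):
    """The extra step the note mentions: the API does not enable optional controls for you."""
    if len(control_arns) > MAX_CONTROL_OPERATIONS:
        raise ValueError(f"submit at most {MAX_CONTROL_OPERATIONS} control operations at once")
    submitted = {}  # all submitted up front; the service queues those beyond ten running
    for arn in control_arns:
        submitted[arn] = client.enable_control(controlIdentifier=arn,
                                               targetIdentifier=ou_arn)["operationIdentifier"]
    return {arn: wait_for_status(
                lambda op_id=op_id: client.get_control_operation(
                    operationIdentifier=op_id)["controlOperation"]["status"], sleep)
            for arn, op_id in submitted.items()}


def onboard_ou(client, ou_arn, baseline_arn, baseline_version, idc_baseline_arn,
               optional_controls, sleep=time.sleep):
    """Baseline first, optional controls only once the baseline succeeded."""
    baseline = register_ou(client, ou_arn, baseline_arn, baseline_version, idc_baseline_arn, sleep)
    if baseline["status"] != "SUCCEEDED":
        return {"baseline": baseline, "controls": {}}
    return {"baseline": baseline,
            "controls": enable_optional_controls(client, ou_arn, optional_controls, sleep)}


# --- constructed stand-in for offline use ------------------------------------
class StubControlTower:
    """Records calls and reports every operation as SUCCEEDED immediately."""
    def __init__(self):
        self.calls = []

    def enable_baseline(self, **kw):
        self.calls.append(("enable_baseline", kw))
        return {"arn": "arn:aws:controltower:us-east-1:111111111111:enabledbaseline/EXAMPLE",
                "operationIdentifier": "baseline-op-1"}

    def get_baseline_operation(self, operationIdentifier):
        return {"baselineOperation": {"operationIdentifier": operationIdentifier, "status": "SUCCEEDED"}}

    def enable_control(self, **kw):
        self.calls.append(("enable_control", kw))
        n = sum(1 for c in self.calls if c[0] == "enable_control")
        return {"arn": f"arn:aws:controltower:us-east-1:111111111111:enabledcontrol/{n}",
                "operationIdentifier": f"control-op-{n}"}

    def get_control_operation(self, operationIdentifier):
        return {"controlOperation": {"operationIdentifier": operationIdentifier, "status": "SUCCEEDED"}}


def demo():
    client = StubControlTower()
    result = onboard_ou(
        client,
        ou_arn="arn:aws:organizations::111111111111:ou/o-example/ou-example",
        baseline_arn="arn:aws:controltower:us-east-1::baseline/PLACEHOLDER",
        baseline_version="PLACEHOLDER",
        idc_baseline_arn="arn:aws:controltower:us-east-1:111111111111:enabledbaseline/IDC-PLACEHOLDER",
        optional_controls=["arn:aws:controlcatalog:::control/OPTIONAL-1",
                           "arn:aws:controlcatalog:::control/OPTIONAL-2"],
        sleep=lambda _: None)
    return result, client.calls


if __name__ == "__main__":
    print(demo()[0])
```

The `sleep` argument is injectable so the polling loop can be exercised without waiting; with a real client, leave the default. If you also need the optional controls re-applied after a landing zone update, the same enable_optional_controls step runs after re-registering the OU.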