Managed policies for AWS Control Tower

AWS addresses many common use cases by providing standalone IAM policies that are created and administered by AWS. Managed policies grant necessary permissions for common use cases so you can avoid having to investigate what permissions are needed. For more information, see AWS Managed Policies in the IAM User Guide.

Each entry below gives the change, a description of it, and the date it was made.

AWSControlTowerAccountServiceRolePolicy – A new policy

AWS Control Tower added a new service-linked role that allows AWS Control Tower to create and manage event rules, and based on those rules, to manage drift detection for controls that are related to Security Hub.

This change is needed so that customers can view drifted resources in the console when those resources are related to Security Hub controls that are part of the Security Hub Service-managed Standard: AWS Control Tower.

May 22, 2023

AWSControlTowerServiceRolePolicy – Update to an existing policy

AWS Control Tower added new permissions that allow AWS Control Tower to make calls to the EnableRegion, ListRegions, and GetRegionOptStatus APIs implemented by the AWS Account Management service, to make the opt-in AWS Regions available for customer accounts in the landing zone (Management account, Log archive account, Audit account, OU member accounts).

This change is needed so that customers can have the option to expand Region governance by AWS Control Tower into the opt-in Regions.

April 6, 2023
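The entry above adds three Account Management actions to an existing policy. As an added example (not AWS code from this page), the following Python compares two versions of an IAM policy document and lists the Allow actions the newer version grants that the older one did not; the two policy documents are constructed for illustration and are not the real AWSControlTowerServiceRolePolicy text.

```python
import json

# Constructed "before" and "after" policy versions (not the real
# AWSControlTowerServiceRolePolicy). The "after" version adds the three
# Account Management actions named in the April 6, 2023 entry.
POLICY_BEFORE = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["cloudtrail:DescribeTrails", "cloudtrail:GetTrailStatus"],
     "Resource": "*"}
  ]
}""")

POLICY_AFTER = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["cloudtrail:DescribeTrails", "cloudtrail:GetTrailStatus"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["account:EnableRegion", "account:ListRegions",
                "account:GetRegionOptStatus"],
     "Resource": "*"}
  ]
}""")


def allowed_actions(policy: dict) -> set:
    """Collect every action granted by an Allow statement.

    IAM permits 'Statement' to be a single object or a list, and 'Action'
    to be a single string or a list; both forms are normalised here.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    actions = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        action = stmt.get("Action", [])
        if isinstance(action, str):
            action = [action]
        actions.update(action)
    return actions


def added_actions(before: dict, after: dict) -> list:
    """Actions granted by 'after' but not by 'before', sorted for review."""
    return sorted(allowed_actions(after) - allowed_actions(before))


if __name__ == "__main__":
    for action in added_actions(POLICY_BEFORE, POLICY_AFTER):
        print("new permission:", action)
```

Running the same comparison against the policy versions you actually retrieve from IAM (for example, with the GetPolicyVersion API) turns a changelog entry like this one into a concrete list of permissions to review.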

AWSControlTowerServiceRolePolicy – Update to an existing policy

AWS Control Tower added new permissions that allow AWS Control Tower to assume the AWSControlTowerBlueprintAccess role in the blueprint (hub) account, which is a dedicated account in an organization, containing pre-defined blueprints stored in one or more Service Catalog Products. AWS Control Tower assumes the AWSControlTowerBlueprintAccess role to perform three tasks: create a Service Catalog Portfolio, add the requested blueprint Product, and share the Portfolio to a requested member account at account provisioning time.

This change is needed so that customers can provision customized accounts through AWS Control Tower Account Factory.

October 28, 2022

AWSControlTowerServiceRolePolicy – Update to an existing policy

AWS Control Tower added new permissions that allow customers to set up organization-level AWS CloudTrail trails, starting in landing zone version 3.0.

The organization-based CloudTrail feature requires customers to have trusted access enabled for the CloudTrail service, and the IAM user or role must have permission to create an organization-level trail in the management account.

June 20, 2022

AWSControlTowerServiceRolePolicy – Update to an existing policy

AWS Control Tower added new permissions that allow customers to use KMS key encryption.

The KMS feature allows customers to provide their own KMS key to encrypt their CloudTrail logs. Customers also can change the KMS key during a landing zone update or repair. When the KMS key is updated, AWS CloudFormation needs permission to call the AWS CloudTrail PutEventSelector API, so the policy change allows the AWSControlTowerAdmin role to call the AWS CloudTrail PutEventSelector API.

July 28, 2021

AWS Control Tower started tracking changes

AWS Control Tower started tracking changes for its AWS managed policies.

May 27, 2021