Using Amazon S3 as the Configuration Source - Customizations for AWS Control Tower

Using Amazon S3 as the Configuration Source

When the Customizations for AWS Control Tower solution is deployed, an initial configuration file is deployed in an Amazon Simple Storage Service (Amazon S3) custom-control-tower-configuration-<account-ID>-<region> bucket.


If you choose to download and modify this file, zip the changes, save as a new file named, and upload it back to the same S3 bucket.

The S3 bucket is the default source of the pipeline. When default settings are used, uploading a configuration zip file without the underscore prefix in the file name to the S3 bucket will automatically execute the code pipeline configuration updates.

The zip file is protected using Server-Side Encryption (SSE) with AWS Key Management Service (AWS KMS), and denial of use of the KMS key. To access the file, use the following procedure to update the KMS Key Policy with the role(s) that should be granted access, either an administrator role, a user, or both.

  1. Navigate to the AWS Key Management Service console.

  2. In Customer Managed Keys, select CustomControlTowerKMSKey.

  3. Select the Key policy tab. Then, select Edit.

  4. In the Edit key policy page, find the Allow Use of the key section in the code, and add one of the following permissions:

    • To add an administration role:


    • To add a user::


  5. Select Save Changes.

  6. Navigate to the Amazon S3 console, find the S3 bucket containing the configuration zip file, and select download.

  7. Make the necessary configuration changes to the manifest file and template files. For information about customizing the manifest and template files, see Customizations for AWS Control Tower Developer Guide.

  8. Upload your changes:

    1. Zip the modified configuration files, and name the file:

    2. Upload the file to Amazon S3 using SSE with the AWS KMS master-key: CustomControlTowerKMSKey.