January - December 2023 - AWS Control Tower

January - December 2023

In 2023, AWS Control Tower released the following updates:

Transition to new AWS Service Catalog External product type (phase 3)

December 14, 2023

(No update required for AWS Control Tower landing zone.)

AWS Control Tower no longer supports Terraform Open Source as a product type (blueprint) when creating new AWS accounts. For more information and for instructions about updating your account blueprints, review Transition to the AWS Service Catalog External product type.

If you do not update your account blueprints to use the External product type, you can only update or terminate accounts that you provisioned using Terraform Open Source blueprints.

AWS Control Tower landing zone version 3.3

December 14, 2023

(Update required for AWS Control Tower landing zone to version 3.3. For information, see Update your landing zone).

Updates to S3 bucket policy in the AWS Control Tower Audit account

We have modified the Amazon S3 Audit bucket policy that AWS Control Tower deploys in accounts, so that an aws:SourceOrgID condition must be met for any write permissions. With this release, AWS services have access to your resources only when the request originates from your organization or organizational unit (OU).

You can use the aws:SourceOrgID condition key and set the value to your organization ID in the condition element of your S3 bucket policy. This condition ensures that CloudTrail can write logs to your S3 bucket only on behalf of accounts within your organization; it prevents CloudTrail logs from outside your organization from being written to your AWS Control Tower S3 bucket.

We made this change to remediate a potential security vulnerability, without affecting the functionality of your existing workloads. To view the updated policy, see Amazon S3 bucket policy in the audit account.

For more information about the new condition key, see the IAM documentation and the IAM blog post entitled "Use scalable controls for AWS services accessing your resources."
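As an added illustration (not AWS Control Tower's own policy or code), the following Python builds a constructed CloudTrail-style bucket policy with and without the aws:SourceOrgID condition and audits each for service-principal write statements that are not scoped to the organization. The organization ID, bucket ARN and Sid values are placeholders.

```python
import json

# Actions that let a principal write objects into the bucket (compared lowercase).
WRITE_ACTIONS = ("s3:putobject", "s3:putobjectacl", "s3:*", "*")

ORG_ID = "o-exampleorgid"  # constructed placeholder, not a real organization ID
BUCKET_ARN = "arn:aws:s3:::example-audit-logs-bucket"  # constructed placeholder


def _as_list(value):
    """IAM policy JSON allows either a scalar or a list in most fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_write(stmt):
    return any(a.lower() in WRITE_ACTIONS for a in _as_list(stmt.get("Action")))


def _is_service_principal(stmt):
    principal = stmt.get("Principal")
    return isinstance(principal, dict) and "Service" in principal


def unrestricted_write_statements(policy, org_id):
    """Return Sids of Allow statements that let an AWS service principal write to
    the bucket without a StringEquals aws:SourceOrgID condition equal to org_id.
    An empty list means every service write path is scoped to the organization."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _is_service_principal(stmt):
            continue
        if not _grants_write(stmt):
            continue
        string_equals = stmt.get("Condition", {}).get("StringEquals", {})
        if org_id not in _as_list(string_equals.get("aws:SourceOrgID")):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def build_policy(with_org_condition):
    """Constructed CloudTrail-style bucket policy. The read statement is the same
    in both forms; the write statement gains aws:SourceOrgID when requested."""
    read = {
        "Sid": "AWSCloudTrailAclCheck",
        "Effect": "Allow",
        "Principal": {"Service": "cloudtrail.amazonaws.com"},
        "Action": "s3:GetBucketAcl",
        "Resource": BUCKET_ARN,
    }
    write = {
        "Sid": "AWSCloudTrailWrite",
        "Effect": "Allow",
        "Principal": {"Service": "cloudtrail.amazonaws.com"},
        "Action": "s3:PutObject",
        "Resource": f"{BUCKET_ARN}/*",
        "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
    }
    if with_org_condition:
        # The landing zone 3.3 change: writes are honoured only when the request
        # originates from an account inside this organization.
        write["Condition"]["StringEquals"]["aws:SourceOrgID"] = ORG_ID
    return {"Version": "2012-10-17", "Statement": [read, write]}


BEFORE_POLICY = build_policy(with_org_condition=False)
AFTER_POLICY = build_policy(with_org_condition=True)

if __name__ == "__main__":
    for name, policy in (("before", BEFORE_POLICY), ("after", AFTER_POLICY)):
        print(f"{name}: unscoped service writes -> {unrestricted_write_statements(policy, ORG_ID)}")
    print(json.dumps(AFTER_POLICY["Statement"][1]["Condition"], indent=2))
```

The same check can be pointed at a policy retrieved from an account to confirm the write path is pinned to your own organization ID and not merely to any organization.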

Updates to the policy in the AWS Config SNS topic

We added the new aws:SourceOrgID condition key to the policy for the AWS Config SNS topic. To view the updated policy, see The AWS Config SNS topic policy.

Updates to the landing zone Region Deny control
  • Removed discovery-marketplace:. This action is covered by the aws-marketplace:* exemption.

  • Added quicksight:DescribeAccountSubscription

Updated AWS CloudFormation template

We updated the AWS CloudFormation template for the stack named BASELINE-CLOUDTRAIL-MASTER so that it does not show drift when AWS KMS encryption is not used.

Transition to new AWS Service Catalog External product type (phase 2)

December 7, 2023

(No update required for AWS Control Tower landing zone.)

HashiCorp updated their Terraform licensing. As a result, AWS Service Catalog changed support for Terraform Open Source products and provisioned products to a new product type, called External.

To avoid disruption to existing workloads and AWS resources in your accounts, follow the AWS Control Tower transition steps in Transition to the AWS Service Catalog External product type by December 14, 2023.

AWS Control Tower announces controls to assist digital sovereignty

November 27, 2023

(No update required for AWS Control Tower landing zone.)

AWS Control Tower announces 65 new AWS-managed controls, to help you meet your digital sovereignty requirements. With this release, you can discover these controls under a new digital sovereignty group in the AWS Control Tower console. You can use these controls to help prevent actions and detect resource changes regarding data residency, granular access restriction, encryption, and resiliency capabilities. These controls are designed to make it simpler for you to address requirements at scale. For more information about digital sovereignty controls, see Controls that enhance digital sovereignty protection.

For example, you can choose to enable controls that help enforce your encryption and resiliency strategies, such as Require an AWS AppSync API cache to have encryption in transit enabled or Require an AWS Network Firewall to be deployed across multiple Availability Zones. You can also customize the AWS Control Tower Region deny control to apply regional restrictions that best fit your unique business needs.

This release enhances the AWS Control Tower Region deny capabilities. You can apply a new, parameterized Region deny control at the OU level, for increased granularity of governance, while maintaining additional Region governance at the landing zone level. This customizable Region deny control helps you apply regional restrictions that best fit your unique business needs. For more information about the new, configurable Region deny control, see Region deny control applied to the OU.

To support the Region deny enhancement, this release also includes a new API, UpdateEnabledControl, which allows you to reset your enabled controls to the default settings. This API is especially helpful when you need to resolve drift quickly, or to guarantee programmatically that a control is not in a state of drift. For more information about the new API, see the AWS Control Tower API Reference.

New proactive controls
  • CT.APIGATEWAY.PR.6: Require an Amazon API Gateway REST domain to use a security policy that specifies a minimum TLS protocol version of TLSv1.2

  • CT.APPSYNC.PR.2: Require an AWS AppSync GraphQL API to be configured with private visibility

  • CT.APPSYNC.PR.3: Require that an AWS AppSync GraphQL API is not authenticated with API keys

  • CT.APPSYNC.PR.4: Require an AWS AppSync GraphQL API cache to have encryption in transit enabled

  • CT.APPSYNC.PR.5: Require an AWS AppSync GraphQL API cache to have encryption at rest enabled

  • CT.AUTOSCALING.PR.9: Require an Amazon EBS volume configured through an Amazon EC2 Auto Scaling launch configuration to encrypt data at rest

  • CT.AUTOSCALING.PR.10: Require an Amazon EC2 Auto Scaling group to use only AWS Nitro instance types when overriding a launch template

  • CT.AUTOSCALING.PR.11: Require only AWS Nitro instance types that support network traffic encryption between instances to be added to an Amazon EC2 Auto Scaling group, when overriding a launch template

  • CT.DAX.PR.3: Require a DynamoDB Accelerator cluster to encrypt data in transit with Transport Layer Security (TLS)

  • CT.DMS.PR.2: Require an AWS Database Migration Service (DMS) Endpoint to encrypt connections for source and target endpoints

  • CT.EC2.PR.15: Require an Amazon EC2 instance to use an AWS Nitro instance type when creating from the AWS::EC2::LaunchTemplate resource type

  • CT.EC2.PR.16: Require an Amazon EC2 instance to use an AWS Nitro instance type when created using the AWS::EC2::Instance resource type

  • CT.EC2.PR.17: Require an Amazon EC2 dedicated host to use an AWS Nitro instance type

  • CT.EC2.PR.18: Require an Amazon EC2 fleet to override only those launch templates with AWS Nitro instance types

  • CT.EC2.PR.19: Require an Amazon EC2 instance to use an AWS Nitro instance type that supports encryption in transit between instances when created using the AWS::EC2::Instance resource type

  • CT.EC2.PR.20: Require an Amazon EC2 fleet to override only those launch templates with AWS Nitro instance types that support encryption in transit between instances

  • CT.ELASTICACHE.PR.8: Require an Amazon ElastiCache replication group of later Redis versions to have RBAC authentication activated

  • CT.MQ.PR.1: Require an Amazon MQ ActiveMQ broker to use active/standby deployment mode for high availability

  • CT.MQ.PR.2: Require an Amazon MQ RabbitMQ broker to use Multi-AZ cluster mode for high availability

  • CT.MSK.PR.1: Require an Amazon Managed Streaming for Apache Kafka (MSK) cluster to enforce encryption in transit between cluster broker nodes

  • CT.MSK.PR.2: Require an Amazon Managed Streaming for Apache Kafka (MSK) cluster to be configured with PublicAccess disabled

  • CT.NETWORK-FIREWALL.PR.5: Require an AWS Network Firewall firewall to be deployed across multiple Availability Zones

  • CT.RDS.PR.26: Require an Amazon RDS DB Proxy to require Transport Layer Security (TLS) connections

  • CT.RDS.PR.27: Require an Amazon RDS DB cluster parameter group to require Transport Layer Security (TLS) connections for supported engine types

  • CT.RDS.PR.28: Require an Amazon RDS DB parameter group to require Transport Layer Security (TLS) connections for supported engine types

  • CT.RDS.PR.29: Require an Amazon RDS cluster not be configured to be publicly accessible by means of the 'PubliclyAccessible' property

  • CT.RDS.PR.30: Require that an Amazon RDS database instance has encryption at rest configured to use a KMS key that you specify for supported engine types

  • CT.S3.PR.12: Require an Amazon S3 access point to have a Block Public Access (BPA) configuration with all options set to true

New preventive controls
  • CT.APPSYNC.PV.1 Require that an AWS AppSync GraphQL API is configured with private visibility

  • CT.EC2.PV.1 Require an Amazon EBS snapshot to be created from an encrypted EC2 volume

  • CT.EC2.PV.2 Require that an attached Amazon EBS volume is configured to encrypt data at rest

  • CT.EC2.PV.3 Require that an Amazon EBS snapshot cannot be publicly restorable

  • CT.EC2.PV.4 Require that Amazon EBS direct APIs are not called

  • CT.EC2.PV.5 Disallow the use of Amazon EC2 VM import and export

  • CT.EC2.PV.6 Disallow the use of deprecated Amazon EC2 RequestSpotFleet and RequestSpotInstances API actions

  • CT.KMS.PV.1 Require an AWS KMS key policy to have a statement that limits creation of AWS KMS grants to AWS services

  • CT.KMS.PV.2 Require that an AWS KMS asymmetric key with RSA key material used for encryption does not have a key length of 2048 bits

  • CT.KMS.PV.3 Require that an AWS KMS key is configured with the bypass policy lockout safety check enabled

  • CT.KMS.PV.4 Require that an AWS KMS customer-managed key (CMK) is configured with key material originating from AWS CloudHSM

  • CT.KMS.PV.5 Require that an AWS KMS customer-managed key (CMK) is configured with imported key material

  • CT.KMS.PV.6 Require that an AWS KMS customer-managed key (CMK) is configured with key material originating from an external key store (XKS)

  • CT.LAMBDA.PV.1 Require an AWS Lambda function URL to use AWS IAM-based authentication

  • CT.LAMBDA.PV.2 Require an AWS Lambda function URL to be configured for access only by principals within your AWS account

AWS Control Tower landing zone APIs

November 26, 2023

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now offers APIs that help you manage your landing zone programmatically. These APIs allow you to create, update, and reset your landing zone, as well as retrieve information about your landing zone configuration and operations. For more information, see Landing zone API examples.

The landing zone APIs are available in all AWS Regions where AWS Control Tower is available, except GovCloud (US) Regions. For a list of AWS Regions where AWS Control Tower is available, see the AWS Region Table.

AWS Control Tower control tagging APIs

November 10, 2023

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now offers APIs that help you tag your enabled controls programmatically. These APIs allow you to add, remove, and list tags for your enabled controls. For more information, see Tagging AWS Control Tower resources.

The control tagging APIs are available in all AWS Regions where AWS Control Tower is available, except GovCloud (US) Regions. For a list of AWS Regions where AWS Control Tower is available, see the AWS Region Table.

AWS Control Tower available in AWS Asia Pacific (Melbourne)

November 3, 2023

(No update required for AWS Control Tower landing zone.)

AWS Control Tower is available in the Asia Pacific (Melbourne) Region. For a full list of Regions where AWS Control Tower is available, see the AWS Region Table.

Transition to new AWS Service Catalog External product type (phase 1)

October 31, 2023

(No update required for AWS Control Tower landing zone.)

HashiCorp updated their Terraform licensing. As a result, AWS Service Catalog changed support for Terraform Open Source products and provisioned products to a new product type, called External.

To avoid disruption to existing workloads and AWS resources in your accounts, follow the AWS Control Tower transition steps in Transition to the AWS Service Catalog External product type by December 14, 2023.

AWS Control Tower adds new control API

October 27, 2023

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now offers a new API, UpdateEnabledControl, which allows you to update your enabled controls. This API is especially helpful in use cases where you need to resolve drift quickly, or to guarantee programmatically that a control is not in a state of drift. For more information about the new API, see the AWS Control Tower API Reference.

The UpdateEnabledControl API is available in all AWS Regions where AWS Control Tower is available, except GovCloud (US) Regions. For a list of AWS Regions where AWS Control Tower is available, see the AWS Region Table.

AWS Control Tower adds new controls

October 20, 2023

(No update required for AWS Control Tower landing zone.)

AWS Control Tower has added 22 new controls to the AWS Control Tower library of controls. These controls help you enforce best practices for your AWS resources. For more information about the new controls, see Control categories.

The new controls are available in all AWS Regions where AWS Control Tower is available. For a list of AWS Regions where AWS Control Tower is available, see the AWS Region Table.

AWS Control Tower detects trusted access drift

October 13, 2023

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now detects and reports drift for trusted access settings. Trusted access settings allow AWS Control Tower to interact with other AWS services on your behalf. If these settings are changed outside of AWS Control Tower, AWS Control Tower will detect the drift and report it in the AWS Control Tower console. For more information about trusted access drift, see Types of governance drift.

Trusted access drift detection is available in all AWS Regions where AWS Control Tower is available. For a list of AWS Regions where AWS Control Tower is available, see the AWS Region Table.

AWS Control Tower available in four additional AWS Regions

September 29, 2023

(No update required for AWS Control Tower landing zone.)

AWS Control Tower is available in four additional AWS Regions: Asia Pacific (Hyderabad), Asia Pacific (Jakarta), Europe (Spain), and Europe (Zurich). For a full list of Regions where AWS Control Tower is available, see the AWS Region Table.

AWS Control Tower available in AWS Israel (Tel Aviv)

August 1, 2023

(No update required for AWS Control Tower landing zone.)

AWS Control Tower is available in the Israel (Tel Aviv) Region. For a full list of Regions where AWS Control Tower is available, see the AWS Region Table.

AWS Control Tower adds 28 new proactive controls

July 27, 2023

(No update required for AWS Control Tower landing zone.)

AWS Control Tower has added 28 new proactive controls to the AWS Control Tower library of controls. These controls help you enforce best practices for your AWS resources. For more information about the new controls, see Control categories.

The new controls are available in all AWS Regions where AWS Control Tower is available. For a list of AWS Regions where AWS Control Tower is available, see the AWS Region Table.

AWS Control Tower deprecates two controls

July 27, 2023

(No update required for AWS Control Tower landing zone.)

AWS Control Tower has deprecated two controls: CT.CLOUDFORMATION.PR.2 and CT.CLOUDFORMATION.PR.3. These controls are no longer available in the AWS Control Tower library of controls. For more information about the deprecated controls, see Control categories.

The deprecated controls are no longer available in any AWS Region.

AWS Control Tower landing zone version 3.2

July 20, 2023

(Update required for AWS Control Tower landing zone to version 3.2. For information, see Update your landing zone).

AWS Control Tower has released landing zone version 3.2. This version includes updates to the AWS Control Tower landing zone that improve the security and reliability of your AWS Control Tower environment. For more information about the landing zone version 3.2, see Release notes.

Landing zone version 3.2 is available in all AWS Regions where AWS Control Tower is available. For a list of AWS Regions where AWS Control Tower is available, see the AWS Region Table.

AWS Control Tower adds email-to-ID mapping for IAM Identity Center

July 13, 2023

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now supports email-to-ID mapping for IAM Identity Center. This feature allows you to map email addresses to IAM Identity Center user IDs, which makes it easier to manage user access to your AWS Control Tower environment. For more information about email-to-ID mapping, see Integration with IAM Identity Center.

Email-to-ID mapping is available in all AWS Regions where AWS Control Tower is available. For a list of AWS Regions where AWS Control Tower is available, see the AWS Region Table.

AWS Control Tower adds more AWS Security Hub controls

June 29, 2023

(No update required for AWS Control Tower landing zone.)

AWS Control Tower has added more AWS Security Hub controls to the AWS Control Tower library of controls. These controls help you enforce best practices for your AWS resources. For more information about the new controls, see Control categories.

The new controls are available in all AWS Regions where AWS Control Tower is available. For a list of AWS Regions where AWS Control Tower is available, see the AWS Region Table.

AWS Control Tower publishes metadata for AWS Security Hub controls

June 22, 2023

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now publishes metadata for AWS Security Hub controls. This metadata includes information about the control, such as the control ID, control title, and control description. For more information about the metadata, see Control metadata.

Control metadata is available in all AWS Regions where AWS Control Tower is available. For a list of AWS Regions where AWS Control Tower is available, see the AWS Region Table.

AWS Control Tower adds Account Factory Customization (AFC) for Terraform

June 15, 2023

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now supports Account Factory Customization (AFC) for Terraform. This feature allows you to use Terraform to customize your AWS Control Tower accounts. For more information about AFC for Terraform, see Account Factory Customization for Terraform.

AFC for Terraform is available in all AWS Regions where AWS Control Tower is available. For a list of AWS Regions where AWS Control Tower is available, see the AWS Region Table.

AWS Control Tower adds self-managed IAM Identity Center

June 8, 2023

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now supports self-managed IAM Identity Center. This feature allows you to use your own identity provider with AWS Control Tower. For more information about self-managed IAM Identity Center, see IAM Identity Center.

Self-managed IAM Identity Center is available in all AWS Regions where AWS Control Tower is available. For a list of AWS Regions where AWS Control Tower is available, see the AWS Region Table.

AWS Control Tower adds mixed governance note

June 1, 2023

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now includes a note about mixed governance. This note explains how AWS Control Tower works with other AWS services to provide governance for your AWS resources. For more information about mixed governance, see Mixed governance.

The mixed governance note is available in all AWS Regions where AWS Control Tower is available. For a list of AWS Regions where AWS Control Tower is available, see the AWS Region Table.

AWS Control Tower adds new proactive controls

May 25, 2023

(No update required for AWS Control Tower landing zone.)

AWS Control Tower has added new proactive controls to the AWS Control Tower library of controls. These controls help you enforce best practices for your AWS resources. For more information about the new controls, see Control categories.

The new controls are available in all AWS Regions where AWS Control Tower is available. For a list of AWS Regions where AWS Control Tower is available, see the AWS Region Table.

AWS Control Tower updates Amazon EC2 controls

May 18, 2023

(No update required for AWS Control Tower landing zone.)

AWS Control Tower has updated the Amazon EC2 controls in the AWS Control Tower library of controls. These updates improve the security and reliability of your AWS Control Tower environment. For more information about the updated controls, see Control categories.

The updated controls are available in all AWS Regions where AWS Control Tower is available. For a list of AWS Regions where AWS Control Tower is available, see the AWS Region Table.

AWS Control Tower available in seven additional AWS Regions

May 11, 2023

(No update required for AWS Control Tower landing zone.)

AWS Control Tower is available in seven additional AWS Regions: Asia Pacific (Osaka), Canada (Central), Europe (Milan), Europe (Stockholm), Middle East (Bahrain), Middle East (UAE), and South America (São Paulo). For a full list of Regions where AWS Control Tower is available, see the AWS Region Table.

AWS Control Tower Account Factory Customization (AFC) and request tracing generally available

April 27, 2023

(No update required for AWS Control Tower landing zone.)

AWS Control Tower Account Factory Customization (AFC) and request tracing are now generally available. AFC allows you to customize your AWS Control Tower accounts, and request tracing allows you to track the status of your AWS Control Tower requests. For more information about AFC and request tracing, see Account Factory Customization and Request tracing.

AFC and request tracing are available in all AWS Regions where AWS Control Tower is available. For a list of AWS Regions where AWS Control Tower is available, see the AWS Region Table.

AWS Control Tower landing zone version 3.1

April 20, 2023

(Update required for AWS Control Tower landing zone to version 3.1. For information, see Update your landing zone).

AWS Control Tower has released landing zone version 3.1. This version includes updates to the AWS Control Tower landing zone that improve the security and reliability of your AWS Control Tower environment. For more information about the landing zone version 3.1, see Release notes.

Landing zone version 3.1 is available in all AWS Regions where AWS Control Tower is available. For a list of AWS Regions where AWS Control Tower is available, see the AWS Region Table.

AWS Control Tower proactive controls generally available

April 13, 2023

(No update required for AWS Control Tower landing zone.)

AWS Control Tower proactive controls are now generally available. Proactive controls help you enforce best practices for your AWS resources. For more information about proactive controls, see Proactive controls.

Proactive controls are available in all AWS Regions where AWS Control Tower is available. For a list of AWS Regions where AWS Control Tower is available, see the AWS Region Table.