January 2025 - Present
Since January 2025, AWS Control Tower has released the following updates:
Account Factory for Terraform version 1.15.0 available
July 28, 2025
(No update required for AWS Control Tower landing zone.)
Version 1.15.0 of AWS Control Tower Account Factory for Terraform (AFT) is available. For more information, see the AFT GitHub repository.
Updated controls with Nitro instance types
July 24, 2025
(No update required for AWS Control Tower landing zone.)
AWS Control Tower has updated the eight proactive controls in the Control Catalog (formerly called the Control Library) that govern Amazon EC2 instance types. This update allows you to instantiate some new Nitro instance types, and it removes some deprecated u-series instance types.
Updated controls
New instance types available: c8gd, c8gn, i7i, m8gd, p6-b200, r8gd
Instance types removed: u-12tb1, u-18tb1, u-24tb1, u-9tb1
The updated controls are available in all AWS Regions where AWS Control Tower is available.
For a list of Regions where AWS Control Tower is available, see the AWS Region Table.
AWS Control Tower available in Asia Pacific (Taipei) Region
July 23, 2025
(No update required for AWS Control Tower landing zone.)
AWS Control Tower is now available in the Asia Pacific (Taipei) Region.
For a full list of Regions where AWS Control Tower is available, see the AWS Region Table.
AWS Control Tower supports PrivateLink
June 30, 2025
(No update required for AWS Control Tower landing zone.)
AWS Control Tower now supports AWS PrivateLink.
Support for additional industry frameworks, updated metadata
June 12, 2025
(No update required for AWS Control Tower landing zone.)
With this release, AWS Control Tower expands to include support for 10 industry frameworks. For a list of frameworks, see Frameworks supported.
For example, you can get started by navigating to the Control Catalog page in the AWS Control Tower console and searching for a framework, such as PCI-DSS-v4.0, to view all controls related to that framework. Or you can examine controls and frameworks programmatically, by calling the new ListControlMappings API.
The metadata definitions associated with controls are changing, to better support these additional industry frameworks. The changes to metadata can affect the way you evaluate controls for enablement. For example, the values for NIST, PCI, and CIS metadata may have changed. We recommend that you review the mappings for your enabled controls, on the Control details page in the console.
In the console and the API, we introduced 3 new metadata fields. Collectively, these fields describe a hierarchy that helps you understand how to categorize and enable controls. The fields are: Domain, Objective, and Common control. We have redefined our control objectives to align better with the broader scope of industry frameworks that are available. For more information about this hierarchy, see Ontology overview.
- These metadata changes are reflected in the AWS Control Tower console, and the console experience is consistent across the AWS Control Tower and AWS Config consoles.
- To view control information in the AWS Control Tower console, you must add additional controlcatalog permissions to your IAM policies. For more information, see Permissions required to use the AWS Control Tower console.
- Each control now has a new field called GovernedResources, which shows the resource types that the control governs. In some cases, this field shows the service prefix for the resources, and in other instances, it can be blank. For more information, see GetControl and ListControls.
With this release, we have renamed the Controls Library to Control Catalog, for consistency with other terminology.
Service-linked AWS Config controls
June 12, 2025
(No update required for AWS Control Tower landing zone.)
AWS Control Tower announces support for the AWS Control Tower detective controls to be deployed as service-linked AWS Config rules.
With this release, AWS Control Tower now deploys service-linked Config rules directly in your enrolled accounts, replacing the previous method of deployment with AWS CloudFormation stack sets. This change significantly improves deployment speed. Also, these service-linked Config rules help to ensure consistent governance of your resources, because they prevent unintentional configuration drift that could be caused by manual changes to AWS CloudFormation stack sets or Config rules.
Going forward, all AWS Control Tower controls implemented by AWS Config rules will be deployed with this mechanism, which directly calls the AWS Config APIs.
Important
Before you adopt service-linked Config rules, review the existing customizations, such as remediations, that you have made to Config rules outside of AWS Control Tower, because these customizations will be removed during the transition. The AWS Config APIs do not support adding remediation configurations for service-linked AWS Config rules. See PutRemediationConfigurations.
Details and action required
- When you Update or Reset your landing zone, AWS Control Tower updates the Mandatory controls that govern the Security OU. To complete the upgrade, you also must Reset each of the detective controls that are implemented with AWS Config rules, or Re-register the OU.
- The full scope of this upgrade applies to you if your AWS Control Tower landing zone version is 3.2 or above. When you apply this update, your existing AWS Config rules are changed to become service-managed Config rules, along with the new deployment method.
- If your landing zone is version 3.1 or below, any new Config rules will be deployed with the new method, no longer with stack sets. Your existing Config rules are NOT updated to become service-managed Config rules. They will remain of the standard type.
- You can identify service-linked Config rules by their resource ARN, which has the form:
arn:aws:config:*:*:config-rule/aws-service-rule/controltower.*/*
The intended functionality of controls, when implemented by service-linked AWS Config rules, has not changed. The detective, service-linked Config rules in AWS Control Tower can identify non-compliant resources within your accounts, such as policy violations, and provide alerts through the dashboard. To maintain consistency, prevent configuration drift, and simplify your overall user experience, these rules now can be modified only through AWS Control Tower.
As part of this release, we added four new permissions to the policy for the service-linked role (SLR) AWSServiceRoleForAWSControlTower, so that you can enable and disable service-linked AWS Config rules for your enrolled accounts:
config:DescribeConfigRules
config:TagResource
config:PutConfigRule
config:DeleteConfigRule
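An added example (not AWS documentation code) of the pre-transition review the Important note asks for: it inventories an account's Config rules, separates service-linked Control Tower rules from standard rules using the ARN form above, and lists the standard rules that carry remediation configurations, since those are removed in the transition. The field names follow the DescribeConfigRules and DescribeRemediationConfigurations responses; the batch size of 25 names per call is assumed, and the constructed FakeConfigClient stands in for boto3.client("config") so the script runs offline.

```python
import re
# ARN form of a service-linked Control Tower rule, from the release note:
# arn:aws:config:*:*:config-rule/aws-service-rule/controltower.*/*
SERVICE_LINKED_RE = re.compile(
    r"^arn:aws:config:[^:]*:[^:]*:config-rule/aws-service-rule/controltower\.[^/]+/.+$")

def is_service_linked(rule_arn: str) -> bool:
    """True for a rule managed by Control Tower (no remediation configurations allowed)."""
    return SERVICE_LINKED_RE.match(rule_arn) is not None

def audit_config_rules(config):
    """Split the account's Config rules into service-linked and standard rules, then list
    the standard ones carrying remediation configurations (the customizations the
    transition removes). `config` needs boto3-style describe_* methods, see below."""
    rules, token = [], None
    while True:  # DescribeConfigRules is paginated via NextToken
        page = config.describe_config_rules(**({"NextToken": token} if token else {}))
        rules.extend(page.get("ConfigRules", []))
        token = page.get("NextToken")
        if not token:
            break
    report = {"service_linked": [], "standard": [], "standard_with_remediation": []}
    for r in rules:
        key = "service_linked" if is_service_linked(r["ConfigRuleArn"]) else "standard"
        report[key].append(r["ConfigRuleName"])
    names = report["standard"]
    for i in range(0, len(names), 25):  # per-call limit of 25 rule names is assumed
        resp = config.describe_remediation_configurations(ConfigRuleNames=names[i:i + 25])
        report["standard_with_remediation"] += [
            rc["ConfigRuleName"] for rc in resp.get("RemediationConfigurations", [])]
    return report

class FakeConfigClient:
    """Constructed offline stand-in for boto3.client("config"); every ID here is made up."""
    _PFX = "arn:aws:config:us-east-1:111122223333:config-rule/"
    _RULES = [  # one service-linked Control Tower rule, two standard rules
        {"ConfigRuleName": "controltower-managed-rule-1",
         "ConfigRuleArn": _PFX + "aws-service-rule/controltower.amazonaws.com/config-rule-aaa111"},
        {"ConfigRuleName": "custom-s3-public-read-check", "ConfigRuleArn": _PFX + "config-rule-bbb222"},
        {"ConfigRuleName": "root-mfa-enabled", "ConfigRuleArn": _PFX + "config-rule-ccc333"}]
    _WITH_REMEDIATION = {"custom-s3-public-read-check"}

    def describe_config_rules(self, NextToken=None):  # returns two pages, like the real API
        if NextToken is None:
            return {"ConfigRules": self._RULES[:1], "NextToken": "page-2"}
        return {"ConfigRules": self._RULES[1:]}

    def describe_remediation_configurations(self, ConfigRuleNames):
        return {"RemediationConfigurations": [{"ConfigRuleName": n, "TargetType": "SSM_DOCUMENT"}
                                              for n in ConfigRuleNames if n in self._WITH_REMEDIATION]}
```

Against a real account, pass boto3.client("config") in place of FakeConfigClient() and run it in each enrolled account before applying the landing zone update.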
Enabled controls console view gives centralized visibility
May 21, 2025
(No update required for AWS Control Tower landing zone.)
AWS Control Tower added a new page in the console that displays all of your enabled controls in a single, centralized view. Previously, controls were viewable only with the account or OU on which they were enabled. The consolidated view makes it easier for you to identify gaps in your control governance, at scale.
On the Enabled controls page, you can filter the controls according to behavior: Preventive, Detective, or Proactive. You also can filter according to control implementation, such as SCP. For each control, you can see how many OUs have this control enabled.
To see the Enabled controls page, navigate to the Controls section in the AWS Control Tower console.
Account Factory for Terraform (AFT) supports new configurations at deployment
May 13, 2025
(No update required for AWS Control Tower landing zone.)
The AWS Control Tower account customization framework, Account Factory for Terraform (AFT), now supports three additional optional configurations at the time of deployment. You can deploy AFT into a custom virtual private cloud (VPC), specify the Terraform project name for your AFT deployment, and tag the resources that AFT creates.
For more information, see Deploy AWS Control Tower Account Factory for Terraform (AFT).
AWS Control Tower introduces account-level reporting for baseline APIs
May 12, 2025
(No update required for AWS Control Tower landing zone.)
You can now view drift and account enrollment statuses programmatically for your governed accounts, by calling the baseline APIs. With this capability, you can identify when account and OU baseline configurations are drifted, or out of sync. To view the drift status programmatically, you can call the ListEnabledBaselines API for your enabled baselines. To view statuses for individual accounts programmatically with the ListEnabledBaselines API, use the includeChildren flag. You can filter by these statuses, and see only the accounts and OUs that require your attention.
The AWSControlTowerBaseline sets up best practice configurations, controls, and resources that are required for governance. When you enable this baseline on an organizational unit (OU), member accounts within the OU are enrolled into AWS Control Tower automatically. The AWS Control Tower baseline APIs include AWS CloudFormation support, which allows you to build automations that manage your OUs and accounts with infrastructure as code (IaC).
To learn more about these APIs, review Baselines in the AWS Control Tower User Guide. The baseline APIs and newly launched reporting capabilities for drift and account enrollment status are available in all AWS Regions where AWS Control Tower is available. For a list of AWS Regions where AWS Control Tower is available, see the AWS Region Table.
AWS Control Tower available in AWS Asia Pacific (Thailand) and Mexico (Central) Regions
May 9, 2025
(No update required for AWS Control Tower landing zone.)
AWS Control Tower is now available in the following AWS Regions:
Asia Pacific (Thailand)
Mexico (Central)
For a full list of Regions where AWS Control Tower is available, see the AWS Region Table.
Additional AWS Config controls available
April 11, 2025
(No update required for AWS Control Tower landing zone.)
AWS Control Tower now supports an additional 223 managed AWS Config rules for various use cases, such as security, cost, durability, and operations. With this launch, you can now use AWS Control Tower to search and discover the AWS Config rules that you need to govern your multi-account environment; then enable and manage the controls directly from AWS Control Tower.
To get started from the AWS Control Tower console, go to the Control Catalog and search for controls with the implementation filter AWS Config. You can enable the controls directly from the AWS Control Tower console.
For more details, see Integrated AWS Config controls available in AWS Control Tower.
With this launch, we've updated the ListControls and GetControl APIs to support three new fields: CreateTime, Severity, and Implementation, which you can use when searching for a control in Control Catalog. For example, you can now programmatically find high-severity AWS Config rules that were created after your last evaluation.
You can search for the new AWS Config rules in all AWS Regions where AWS Control Tower is available. To deploy a rule, refer to the list of supported AWS Regions for that rule, to see where it can be enabled.
Deregister and delete actions for OUs
April 8, 2025
(No update required for AWS Control Tower landing zone.)
AWS Control Tower now supports separate console actions to deregister an OU and to delete an OU. You must deregister the OU before you delete it. You can remove an OU from AWS Control Tower by deregistering it.
For more information, see Remove an OU.
Control Catalog supports IPv6 addresses
April 2, 2025
(No update required for AWS Control Tower landing zone.)
The AWS Control Tower Control Catalog API now supports Internet Protocol version 6 (IPv6) addresses through our new dual-stack endpoints. The existing Control Catalog endpoints supporting IPv4 remain available for backwards compatibility. The new dual-stack domains are available either from the internet or from within an Amazon Virtual Private Cloud (VPC) using AWS PrivateLink.