

# Configuration update management in AWS Control Tower
<a name="configuration-updates"></a>

It is the responsibility of the members of your central cloud administrator team to keep your landing zone updated. Updating your landing zone ensures that AWS Control Tower is patched and updated. In addition, to protect your landing zone from potential compliance issues, the members of the central cloud administrator team should resolve drift issues as soon as they're detected and reported.

**Note**  
 The AWS Control Tower console indicates when your landing zone needs to be updated. If you don't see an option to update, your landing zone is already up to date.

The following table contains a list of AWS Control Tower landing zone update releases, with links to descriptions of each release.

| Version | Release date | Description | 
| --- | --- | --- | 
| 4.0 | 11-17-2025 | [Landing zone version 4.0](2025-all.md#lz-40) | 
| 3.3 | 12-12-2023 | [Landing zone version 3.3](2023-all.md#lz-3-3) | 
| 3.2 | 6-09-2023 | [Landing zone version 3.2](2023-all.md#lz-3-2) | 
| 3.1 | 2-09-2023 | [Landing zone version 3.1](2023-all.md#lz-3-1) | 
| 3.0 | 7-26-2022 | [Landing zone version 3.0](2022-all.md#version-3.0) | 
| 2.9 | 4-22-2022 | [Landing zone version 2.9](2022-all.md#version-2.9) | 
| 2.8 | 2-10-2022 | [Landing zone version 2.8](2022-all.md#version-2.8) | 
| 2.7 | 4-8-2021 | [Landing zone version 2.7](https://docs.aws.amazon.com/controltower/latest/userguide/2021-all.html#version-2.7) | 
| 2.6 | 12-29-2020 | [Landing zone version 2.6](https://docs.aws.amazon.com/controltower/latest/userguide/release-notes-2020.html#config-aggregator-12-2020) | 
| 2.5 | 11-18-2020 | [Landing zone version 2.5](https://docs.aws.amazon.com/controltower/latest/userguide/release-notes-2020.html#region-expansion-11-19-20) | 
| 2.4 | None | None | 
| 2.3 | 3-5-2020 | [Landing zone version 2.3](https://docs.aws.amazon.com/controltower/latest/userguide/release-notes-2020.html#Available_in_Sydney) | 
| 2.2 | 11-13-2019 | [Landing zone version 2.2](https://docs.aws.amazon.com/controltower/latest/userguide/release-notes-2019.html#Version-2-2) | 
| 2.1 | 6-24-2019 | [Landing zone version 2.1](https://docs.aws.amazon.com/controltower/latest/userguide/release-notes-2019.html#Version-2-1) | 

Each time you update your landing zone, you have the opportunity to modify your landing zone settings.

**Benefits of updating**
+ You can change your governed Regions
+ You can change your log retention policy
+ You can add or remove the Region deny control
+ You can apply AWS KMS encryption keys
+ You can activate or deactivate your organization-level CloudTrail trail
+ You can resolve [landing zone drift](governance-drift.md)

When you update your landing zone, you receive the latest features for AWS Control Tower, automatically. View your current landing zone version on the **Landing zone settings** page.

If an update fails, AWS Control Tower does not roll back to a previous landing zone version. You may find your landing zone in an indeterminate state. If so, contact AWS support. For more information about troubleshooting a failure to update, see [Unable to Update Landing Zone](troubleshooting.md#unable-to-update-landing-zone).

You have the opportunity to clear unused AWS IAM Identity Center (formerly AWS SSO) mappings when you update your landing zone. For more information, see [Field Notes: Clear Unused IAM Identity Center Mappings Automatically During AWS Control Tower Upgrades](https://aws.amazon.com/blogs/architecture/field-notes-clear-unused-aws-sso-mappings-automatically-during-aws-control-tower-upgrades/).

**Prerequisite for Update and Reset – turn off Requester Pays**  
Before you update or reset your landing zone, be sure that the Amazon S3 logging bucket for the Log Archive account does not have the **Requester Pays** feature enabled. You must turn off that feature before you begin the **Update** or **Reset** process. When AWS Control Tower sets up your logging bucket, this feature is not enabled. Therefore, only customers who have subsequently activated the Requester Pays feature must turn it off. For more information, see [Amazon S3 bucket policy for CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html) and [Using Requester Pays buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/RequesterPaysBuckets.html).

# About landing zone updates
<a name="about-updates"></a>

Updates are required to correct governance drift, or to move to a new version of AWS Control Tower. To perform a complete update of AWS Control Tower, you must update your landing zone first and then update the enrolled accounts individually. You may need to perform three types of updates at different times.
+ **A landing zone update:** Most often this type of update is performed by choosing **Update** on the **Landing zone settings** page. You may need to perform a landing zone update to resolve certain types of drift, and you can choose **Reset** when necessary.
+ **An update of one or more individual accounts:** You must update accounts if the associated information changes, or if certain types of drift have occurred. If an account requires an update, the account's status will show **Update available** on the **Accounts** page.

  To update a single account, navigate to the account detail page and select **Update account**. Accounts also may be updated by a manual process, by choosing **Re-register OU**, or with an automated scripting approach, described in a later section of this page.
+ **A full update:** A full update includes an update of your landing zone, followed by an update of all the enrolled accounts in your registered OUs. Full updates are required with a new release of AWS Control Tower such as 3.0, 3.2, and so forth. To make the full update process easier, for OUs with 1000 or fewer accounts, you can choose **Re-register OU** to update all of the accounts within that OU, and repeat the **Re-register OU** command for each OU.

For more information about landing zone updates, see [Best practices for landing zone updates](https://docs.aws.amazon.com/controltower/latest/userguide/lz-update-best-practices.html).

**Note**  
After completing a landing zone update, you cannot undo the update or downgrade to a previous version. 

# Update your landing zone
<a name="update-controltower"></a>

The easiest way to update your AWS Control Tower landing zone is through the **Landing zone settings** page, which you can reach by choosing **Landing zone settings** in the left navigation of the AWS Control Tower dashboard.

The **Landing zone settings** page shows you the current version of your landing zone, and it lists any updated versions that may be available. You can choose the **Update** button if you need to update your version. 

**Note**  
Alternatively, you can update your landing zone manually. The update takes approximately the same amount of time, whether you use the **Update** button or the manual process. To perform a manual update of your landing zone only, see steps 1 and 2 that follow.

## Standard update procedure
<a name="manual-update"></a>

The following procedure walks you through the steps of a full update for AWS Control Tower from the console. To update an individual account, see [Update the account in the console](updating-account-factory-accounts.md#update-account-in-console).

**To update your landing zone, with any number of accounts per OU**

1. Open a web browser, and navigate to the AWS Control Tower console at [https://console.aws.amazon.com/controltower/home/update](https://console.aws.amazon.com/controltower/home/update).

1. Review the information in the wizard and choose **Update**. This updates the backend of the landing zone as well as your shared accounts. This process can take a little more than half an hour.

1. Update your member accounts (this procedure must be followed for an OU that contains over 1000 accounts). 

1. From the left navigation pane, choose **Organization**.

1. To update each account, follow the steps given in [Update the account in the console](updating-account-factory-accounts.md#update-account-in-console).

**Optionally Re-register OU to update accounts**  
For registered AWS Control Tower OUs with fewer than 1000 accounts, you can go to the **OU page** in the dashboard and select **Re-register OU** to update the accounts in that OU.

# Select a landing zone version
<a name="lz-version-selection"></a>

If you are running AWS Control Tower landing zone version 3.1 and above, you can choose to stay on the current version, or you can upgrade to a newer version, when you perform an **Update** or **Reset** operation on your landing zone configurations. The **Reset** operation is the best way to repair drift, in most situations.

You can choose a landing zone version in the AWS Control Tower console, or by means of the AWS Control Tower APIs.

**Note**  
If you choose to deploy a landing zone version that skips over an intermediate version, for example if you move from 3.1 to 3.3, AWS Control Tower automatically deploys the intermediate version as part of the update operation.  
In conversation, moving to a newer version is often referred to as an *upgrade*, not just an update. These two concepts are distinct, because you can *update* your landing zone settings without upgrading to a new version, for example, by changing the Regions that you govern. In the console, the **Update** button performs an in-place update or an upgrade operation, based on your current landing zone version and the one you select to deploy.

**Choose your landing zone version – console procedure**

1. From the AWS Control Tower console, navigate to the **Landing zone settings** page. In the table of available landing zones, select the new version. Remember that you can select versions 3.1 or later. Versions previous to 3.1 are not compatible with this feature.

1. When you select a version from the table, you can see the available actions. **Update** is available if your current version is earlier than the selected version. **Reset** is available if your current version is 3.1 or newer.

1. After you choose the version, select the **Update** button or the **Reset** button, in the upper right area of the screen.

1. You will see a confirmation display showing the landing zone version that you've selected for deployment. To continue, choose **Next** at the lower right. Your update operation may take a few minutes or more.

1. After the landing zone is updated, you may need to update your accounts. The easiest way to do the account updates is by a **Re-register OU** process for each of your registered OUs.

## Account updates, landing zone versions, and baselines
<a name="account-updates-and-baselines"></a>

AWS Control Tower landing zones are AWS resources that correspond to a set of baseline configurations. There is not a one-to-one mapping of baselines and landing zone versions. You can view a table that shows [Compatibility of OU baselines and landing zone versions](table-of-baselines.md).

When an upgrade moves your landing zone to a new baseline version, you must update your accounts after the landing zone update. If the baseline version does not change, no account update is needed: when upgrading from 3.1 to 3.2, you would not need to update your accounts, because these landing zone versions share the same baseline.

In contrast, if you upgrade from 3.1 to 3.3, you would have to update your accounts, because version 3.3 uses baseline version 4.0, which encompasses landing zone versions 3.2 to 3.3.

For more information about the relationship between landing zone versions and baselines, see [Compatibility of OU baselines and landing zone versions](table-of-baselines.md).

# Retain AWS CloudTrail trails during landing zone update
<a name="retain-account-trails"></a>

You can choose to retain your account-level AWS CloudTrail trails when you upgrade your AWS Control Tower landing zone version.

**Prerequisites**
+ Your landing zone version is less than 3.0.
+ Your most recent **Create** or **Update** operation succeeded.

**To retain the account-level trail and opt in to organization-level CloudTrail trails**

1. Contact AWS Support with a request to allowlist your account.

1. The support team confirms when the target account is allowlisted.

1. After confirmation, update your landing zone to version 3.1 or greater, and choose **AWS CloudTrail configuration - Enabled**.

**To retain the account-level trail and opt out of CloudTrail trails managed by AWS Control Tower**

1. Contact AWS Support with a request to allowlist your account.

1. The support team confirms when the target account is allowlisted.

1. After confirmation, update your landing zone to version 3.1 or greater and choose **AWS CloudTrail configuration - Not Enabled**.

**Important**  
After the account-level CloudTrail trails are retained, we cannot remove trails or remove your accounts from the allow list.

**How to make a support request to retain your account-level trails**

If you need to retain account-level trails during a Landing Zone update, you must contact AWS Support to add your account to the AWS Control Tower allow list. Follow these steps to submit a support ticket:

1. Sign in to the AWS Management Console.

1. Navigate to the AWS Support Center.

1. Choose **Create case**.

1. For **Case type**, select **Technical support**.

1. For **Service**, choose **AWS Control Tower**.

1. For **Category**, select **General Guidance**.

1. In the **Subject** line, include the following phrase:

   `Allow retention of account-level trails during Landing Zone update`

1. In the **Description** field, provide the following details:
   + Your AWS Management account number
   + The selected home Region for your AWS Control Tower environment

1. Complete any other required fields in the support case form.

1. Choose **Submit** to create the support case.

After you submit the ticket, AWS Support reviews your request and adds your account to the allow list, if appropriate. You will receive further instructions and confirmation through the support case communication channel.

**Note**  
To delete the account-level trail after it is allowlisted, use the management account to delete the CloudFormation stack set or specific stack instance. All resources in the stack are deleted.

# Resolve drift with Reset and Re-register
<a name="resolve-drift"></a>

Drift often occurs as you and your organization members use the landing zone.

Drift detection is automatic in AWS Control Tower. Automated scans of your SCPs help you identify resources that need changes or configuration updates that must be made to resolve the drift. 

To repair many types of drift, choose **Reset** on the **Landing zone settings** page in the console. Also, you can resolve some types of drift by choosing to **Re-register** an OU in the console. For controls, you can resolve drift programmatically by calling the **ResetEnabledControl** API. For more information about types of drift and how to resolve them, see [Types of governance drift](governance-drift.md) and [Detect and resolve drift in AWS Control Tower](drift.md).

One special case of drift resolution occurs for *role drift*. If a required role is not available, the console shows a warning page and some instructions on how to restore the role. Your landing zone is unavailable until the role drift is resolved. This drift reset is not the same as a full landing zone reset. For more information, see *Don't delete required roles* in the section called [Types of drift to resolve right away](drift.md#types-of-drift).

**When you take action to resolve drift on a landing zone version, two behaviors are possible.**  
If you are on the latest landing zone version, when you choose **Reset** and then choose **Confirm**, your drifted landing zone resources are reset to the saved AWS Control Tower configuration. The landing zone version stays the same.

If you are not on the latest version, you must choose **Update**. The landing zone is upgraded to the latest landing zone version. Drift is resolved as part of this process.
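The two behaviors above, and the API route mentioned under *Select a landing zone version*, as an added example that is not part of the AWS documentation: it reads the landing zone with the boto3 `controltower` client, chooses **Reset** when the landing zone is already on the latest version and **Update** to the latest version otherwise, then polls the operation. The landing zone identifier and the fake data in the tests are placeholders; boto3 is imported only in `main()` so the decision logic runs without AWS credentials.

```python
"""Resolve landing zone drift the way the console does: Reset on the latest
version, Update (upgrade) when an older version is deployed.
Added example, not AWS Control Tower's own code."""
import time

TERMINAL = ("SUCCEEDED", "FAILED")


def choose_action(lz):
    """`lz` is the landingZone object returned by GetLandingZone.
    Returns 'none' (no drift), 'reset' or 'update'."""
    if lz["driftStatus"]["status"] != "DRIFTED":
        return "none"
    on_latest = lz["version"] == lz["latestAvailableVersion"]
    return "reset" if on_latest else "update"


def resolve_drift(ct, landing_zone_identifier, poll_seconds=60, sleep=time.sleep):
    """Start the appropriate operation and wait for it to finish.
    Returns (action, final operation status); status is None when nothing ran."""
    lz = ct.get_landing_zone(landingZoneIdentifier=landing_zone_identifier)["landingZone"]
    action = choose_action(lz)
    if action == "none":
        return action, None
    if action == "reset":
        # Same version: drifted resources go back to the saved configuration.
        op = ct.reset_landing_zone(landingZoneIdentifier=landing_zone_identifier)
    else:
        # Older version: upgrade to the latest version, keeping the current
        # manifest (governed Regions, log retention, ...). Drift is resolved
        # as part of the upgrade. Intermediate versions are deployed automatically.
        op = ct.update_landing_zone(
            landingZoneIdentifier=landing_zone_identifier,
            landingZoneVersion=lz["latestAvailableVersion"],
            manifest=lz["manifest"],
        )
    op_id = op["operationIdentifier"]
    while True:
        details = ct.get_landing_zone_operation(operationIdentifier=op_id)["operationDetails"]
        if details["status"] in TERMINAL:
            # A FAILED update is not rolled back by AWS Control Tower; the
            # status message is what you take to AWS Support.
            return action, details["status"]
        sleep(poll_seconds)


def main():
    import boto3  # imported here so the functions above stay testable offline
    ct = boto3.client("controltower")
    # Placeholder: the landing zone ARN from ListLandingZones (one per management account).
    lz_arn = ct.list_landing_zones()["landingZones"][0]["arn"]
    print(resolve_drift(ct, lz_arn))


if __name__ == "__main__":
    main()
```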

# Provision and update accounts using automation
<a name="update-accounts-by-script"></a>

**Note**  
Single account provision, update and customization must target an organizational unit (OU) with AWSControlTowerBaseline enabled. If an OU does not have the AWSControlTowerBaseline enabled, you can activate account auto-enrollment or use ResetEnabledBaseline and ResetEnabledControl APIs on EnabledBaselines and EnabledControls on that OU to enroll accounts. For details of AWSControlTowerBaseline, see: [Baseline types that apply at the OU level](types-of-baselines.md#ou-baseline-types). 

You can provision or update individual accounts in AWS Control Tower by several methods:
+ You can provision and customize accounts with *AWS Control Tower Account Factory for Terraform* (AFT). For more information, see [Overview of AWS Control Tower Account Factory for Terraform (AFT)](aft-overview.md).
+ You can update accounts with *Customizations for AWS Control Tower* (CfCT). For more information, see [Customizations for AWS Control Tower (CfCT) overview](cfct-overview.md).
+ **Script automation**: If you prefer to use an API approach, you can update accounts using the [API framework](https://docs.aws.amazon.com/servicecatalog/latest/dg/API_Reference.html) of Service Catalog and the AWS CLI to update the accounts in a batch process. You'd call the [UpdateProvisionedProduct](https://docs.aws.amazon.com/servicecatalog/latest/dg/API_UpdateProvisionedProduct.html) API of Service Catalog for each account. You can write a script to update the accounts, one by one, with this API. More information about this approach, when adding Regions for governance, is available in a blog post, [Enabling guardrails in new AWS Regions](https://aws.amazon.com/blogs/architecture/field-notes-enabling-guardrails-in-new-aws-regions-the-aws-control-tower-supports/).

  You can update as many as five (5) accounts at a time. You must wait for at least one account update to succeed before beginning the next account update. Therefore, the process may take a long time if you have a lot of accounts, but it is not complicated. For more information about this approach, see the [Automate Account Provisioning in AWS Control Tower by Service Catalog APIs](automated-provisioning-walkthrough.md).

**Video walkthrough**  
The [Video Walkthrough](automated-provisioning-walkthrough.md#automated-provisioning-video) is designed for automated account provisioning with a script, but the steps also apply to account updating. Use the `UpdateProvisionedProduct` API instead of the `ProvisionProduct` API.

A further step of automation by script is to check for **Succeed** status of the AWS Control Tower `UpdateLandingZone` lifecycle event. Use it as a trigger to begin updating individual accounts as described in the video. A lifecycle event marks the completion of a sequence of activities, so the occurrence of this event means that a landing zone update is complete. The landing zone update must be complete before account updates begin. For more information about working with lifecycle events, see [Lifecycle Events](https://docs.aws.amazon.com/controltower/latest/userguide/lifecycle-events.html).
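The script approach from the **Script automation** item (at most five account updates in flight, each new update started only after an earlier one succeeds) and the `UpdateLandingZone` lifecycle-event trigger from the paragraph above, as one added example that is not part of the AWS documentation or the linked walkthrough. It calls the boto3 `servicecatalog` client's `update_provisioned_product` and `describe_record`; the provisioned product list, the record ids and the event in the test are constructed placeholders, and boto3 is imported only in `main()` so the batching logic runs offline.

```python
"""Gate on the UpdateLandingZone SUCCEEDED lifecycle event, then re-run the
Account Factory provisioned product for each account, five at a time.
Added example, not AWS Control Tower's own code."""
import time

MAX_IN_FLIGHT = 5
TERMINAL = {"SUCCEEDED", "FAILED"}
# Parameter keys of the Account Factory product; UsePreviousValue keeps them as-is,
# so the update only re-applies the current product version to the account.
ACCOUNT_FACTORY_KEYS = ("AccountEmail", "AccountName", "ManagedOrganizationalUnit",
                        "SSOUserEmail", "SSOUserFirstName", "SSOUserLastName")


def landing_zone_update_succeeded(event):
    """True only for the Control Tower UpdateLandingZone lifecycle event whose
    state is SUCCEEDED; a FAILED event must not start account updates."""
    detail = event.get("detail", {})
    status = detail.get("serviceEventDetails", {}).get("updateLandingZoneStatus", {})
    return (event.get("source") == "aws.controltower"
            and detail.get("eventName") == "UpdateLandingZone"
            and status.get("state") == "SUCCEEDED")


def start_update(sc, product):
    """Kick off UpdateProvisionedProduct for one account; returns the record id."""
    record = sc.update_provisioned_product(
        ProvisionedProductId=product["id"],
        ProductId=product["product_id"],
        ProvisioningArtifactId=product["artifact_id"],
        ProvisioningParameters=[{"Key": k, "UsePreviousValue": True}
                                for k in ACCOUNT_FACTORY_KEYS])
    return record["RecordDetail"]["RecordId"]


def update_accounts(sc, products, max_in_flight=MAX_IN_FLIGHT,
                    poll_seconds=30, sleep=time.sleep):
    """Update every product with at most `max_in_flight` updates active.
    A FAILED record stops new updates from starting so an operator can look.
    Returns {provisioned product id: final record status}."""
    pending, in_flight, results = list(products), {}, {}
    while pending or in_flight:
        while pending and len(in_flight) < max_in_flight:   # fill free slots only
            product = pending.pop(0)
            in_flight[start_update(sc, product)] = product["id"]
        for record_id in list(in_flight):
            status = sc.describe_record(Id=record_id)["RecordDetail"]["Status"]
            if status in TERMINAL:
                results[in_flight.pop(record_id)] = status
                if status == "FAILED":
                    pending.clear()
        if in_flight:
            sleep(poll_seconds)
    return results


def main(event=None):
    import boto3  # imported here so the functions above stay testable offline
    if event is not None and not landing_zone_update_succeeded(event):
        return {}
    # Placeholder list: in practice build it from SearchProvisionedProducts.
    products = [{"id": "pp-PLACEHOLDER", "product_id": "prod-PLACEHOLDER",
                 "artifact_id": "pa-PLACEHOLDER"}]
    return update_accounts(boto3.client("servicecatalog"), products)
```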

**Also see:**
+ [Use AWS CloudShell to work with AWS Control Tower](using-aws-with-cloudshell.md).
+ [Automate tasks in AWS Control Tower](automating-tasks.md).