

# Managed policies for AWS Control Tower
<a name="managed-policies-table"></a>

AWS addresses many common use cases by providing standalone IAM policies that are created and administered by AWS. Managed policies grant necessary permissions for common use cases so you can avoid having to investigate what permissions are needed. For more information, see [AWS Managed Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*. 


| Change | Description | Date | 
| --- | --- | --- | 
| [AWSControlTowerServiceRolePolicy](access-control-managing-permissions.md#AWSControlTowerServiceRolePolicy) – Update to an existing policy | AWS Control Tower moved the `cloudformation:BatchDescribeTypeConfigurations` permission from the resource-scoped hooks statement to a new statement with `Resource: "*"`, because CloudFormation does not support resource-level permissions for this API. | May 19, 2026 | 
| [AWSControlTowerAccountServiceRolePolicy](access-control-managing-permissions.md#account-service-role-policy) – Update to an existing policy | AWS Control Tower added new permissions that allow AWS Control Tower to make calls to the AWS CloudFormation service API `BatchDescribeTypeConfigurations` for an internal improvement to service-linked hooks. | May 19, 2026 | 
| [AWSControlTowerAccountServiceRolePolicy](access-control-managing-permissions.md#account-service-role-policy) – Update to an existing policy | AWS Control Tower updated an existing policy to improve validation precision for Amazon EventBridge rule conditions. The update moves the `events:detail-type` condition from `StringEquals` to `ForAllValues:StringEquals` for better event pattern matching control while maintaining the same functional permissions. | December 30, 2025 | 
| [AWSControlTowerAccountServiceRolePolicy](access-control-managing-permissions.md#account-service-role-policy) – Update to an existing policy | AWS Control Tower added a new policy that extends the following permissions: [See the AWS documentation website for more details](http://docs.aws.amazon.com/controltower/latest/userguide/managed-policies-table.html) | November 10, 2025 | 
| [AWSControlTowerServiceRolePolicy](access-control-managing-permissions.md#AWSControlTowerServiceRolePolicy) – Updated managed policy | AWS Control Tower updated the Amazon CloudWatch Logs resource pattern in the AWSControlTowerServiceRolePolicy to support Landing Zone 4.0's optional AWS CloudTrail integration. The pattern changed from `aws-controltower/CloudTrailLogs:*` to `aws-controltower/CloudTrailLogs*:*`, adding a wildcard character after `CloudTrailLogs` to allow management of log groups with any suffix.<br />This update enables Landing Zone 4.0's optional AWS CloudTrail integration, which allows customers to enable and disable AWS CloudTrail integration multiple times. Each time the integration is enabled, Amazon CloudWatch Logs log groups are recreated with unique suffixes to avoid naming conflicts. The update is backward compatible with existing deployments. | October 31, 2025 | 
| [AWSControlTowerCloudTrailRolePolicy](access-control-managing-permissions.md#AWSControlTowerCloudTrailRolePolicy) – New managed policy | AWS Control Tower introduced the AWSControlTowerCloudTrailRolePolicy managed policy, which allows CloudTrail to create log streams and publish log events to Control Tower-managed Amazon CloudWatch Logs log groups.<br />This managed policy replaces the inline policy previously used by the AWSControlTowerCloudTrailRole, enabling AWS to update the policy without customer intervention. The policy is scoped to log groups with names matching the pattern `aws-controltower/CloudTrailLogs*`. | October 31, 2025 | 
| [AWSControlTowerIdentityCenterManagementPolicy](access-control-managing-permissions.md#AWSControlTowerIdentityCenterManagementPolicy) – A new policy | AWS Control Tower added a new policy that allows customers to configure IAM Identity Center resources in accounts that are enrolled in AWS Control Tower, and it allows AWS Control Tower to remediate some types of drift when auto-enrolling accounts.<br />This change is needed so that customers can configure IAM Identity Center in AWS Control Tower, and so that AWS Control Tower can remediate auto-enrollment drift. | October 10, 2025 | 
| [AWSControlTowerServiceRolePolicy](access-control-managing-permissions.md#AWSControlTowerServiceRolePolicy) – Update to an existing policy | AWS Control Tower added new CloudFormation permissions that allow AWS Control Tower to query and deploy stack set resources into member accounts when auto-enrolling the accounts into AWS Control Tower. | October 10, 2025 | 
| [AWSControlTowerServiceRolePolicy](access-control-managing-permissions.md#AWSControlTowerServiceRolePolicy) – Update to an existing policy | AWS Control Tower added new permissions that allow customers to enable and disable service-linked AWS Config rules.<br />This change is needed so that customers can manage controls that are deployed by Config rules. | June 5, 2025 | 
| [AWSControlTowerServiceRolePolicy](access-control-managing-permissions.md#AWSControlTowerServiceRolePolicy) – Update to an existing policy | AWS Control Tower added new permissions that allow AWS Control Tower to make calls to the AWS CloudFormation service APIs `ActivateType`, `DeactivateType`, and `SetTypeConfiguration`, on `AWS::ControlTower` types.<br />This change allows customers to provision proactive controls without the deployment of private CloudFormation Hook types. | December 10, 2024 | 
| [AWSControlTowerAccountServiceRolePolicy](access-control-managing-permissions.md#account-service-role-policy) – A new policy | AWS Control Tower added a new service-linked role that allows AWS Control Tower to create and manage event rules, and based on those rules, to manage drift detection for controls that are related to Security Hub CSPM.<br />This change is needed so that customers can view drifted resources in the console, when those resources are related to Security Hub CSPM controls that are part of the **Security Hub CSPM Service-managed Standard: AWS Control Tower**. | May 22, 2023 | 
| [AWSControlTowerServiceRolePolicy](access-control-managing-permissions.md#AWSControlTowerServiceRolePolicy) – Update to an existing policy | AWS Control Tower added new permissions that allow AWS Control Tower to make calls to the `EnableRegion`, `ListRegions`, and `GetRegionOptStatus` APIs implemented by the AWS Account Management service, to make the opt-in AWS Regions available for customer accounts in the landing zone (Management account, Log archive account, Audit account, OU member accounts).<br />This change is needed so that customers can have the option to expand Region governance by AWS Control Tower into the opt-in Regions. | April 6, 2023 | 
| [AWSControlTowerServiceRolePolicy](access-control-managing-permissions.md#AWSControlTowerServiceRolePolicy) – Update to an existing policy | AWS Control Tower added new permissions that allow AWS Control Tower to assume the `AWSControlTowerBlueprintAccess` role in the blueprint (hub) account, which is a dedicated account in an organization, containing pre-defined blueprints stored in one or more Service Catalog Products. AWS Control Tower assumes the `AWSControlTowerBlueprintAccess` role to perform three tasks: create a Service Catalog Portfolio, add the requested blueprint Product, and share the Portfolio to a requested member account at account provisioning time.<br />This change is needed so that customers can provision customized accounts through AWS Control Tower Account Factory. | October 28, 2022 | 
| [AWSControlTowerServiceRolePolicy](access-control-managing-permissions.md#AWSControlTowerServiceRolePolicy) – Update to an existing policy | AWS Control Tower added new permissions that allow customers to set up organization-level AWS CloudTrail trails, starting in landing zone version 3.0.<br />The organization-based CloudTrail feature requires customers to have trusted access enabled for the CloudTrail service, and the IAM user or role must have permission to create an organization-level trail in the management account. | June 20, 2022 | 
| [AWSControlTowerServiceRolePolicy](access-control-managing-permissions.md#AWSControlTowerServiceRolePolicy) – Update to an existing policy | AWS Control Tower added new permissions that allow customers to use KMS key encryption.<br />The KMS feature allows customers to provide their own KMS key to encrypt their CloudTrail logs. Customers also can change the KMS key during landing zone update or repair. When updating the KMS key, AWS CloudFormation needs permissions to call the AWS CloudTrail `PutEventSelector` API. The change to the policy is to allow the **AWSControlTowerAdmin** role to call the AWS CloudTrail `PutEventSelector` API. | July 28, 2021 | 
| AWS Control Tower started tracking changes | AWS Control Tower started tracking changes for its AWS managed policies. | May 27, 2021 | 
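The October 31, 2025 AWSControlTowerServiceRolePolicy entry above widens a CloudWatch Logs resource pattern from `aws-controltower/CloudTrailLogs:*` to `aws-controltower/CloudTrailLogs*:*`. The following Python is an added example, not code from the AWS documentation, that applies IAM's resource-ARN wildcard rules (`*` matches any run of characters, `?` exactly one) to both patterns so you can see which log group ARNs each one covers; the ARN prefix, account ID, Region and log group names are constructed sample values.

```python
import re

def arn_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate an IAM Resource ARN pattern into an anchored regex.

    IAM semantics: '*' matches any sequence of characters (including ':' and
    '/'), '?' matches exactly one character, everything else is literal.
    Matching is case-sensitive, as IAM ARN matching is for most services.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")

def arn_matches(pattern: str, arn: str) -> bool:
    return arn_pattern_to_regex(pattern).match(arn) is not None

# Constructed prefix: account ID and Region are placeholders, not real values.
PREFIX = "arn:aws:logs:us-east-1:111122223333:log-group:"
OLD_PATTERN = PREFIX + "aws-controltower/CloudTrailLogs:*"   # before the update
NEW_PATTERN = PREFIX + "aws-controltower/CloudTrailLogs*:*"  # after the update

# Constructed sample ARNs: the original group, a re-created group with a
# suffix (and one of its log streams), a group that merely shares the prefix,
# and an unrelated group that neither pattern should cover.
SAMPLES = {
    "original": PREFIX + "aws-controltower/CloudTrailLogs:*",
    "suffixed": PREFIX + "aws-controltower/CloudTrailLogs-a1b2c3:*",
    "suffixed-stream": PREFIX + "aws-controltower/CloudTrailLogs-a1b2c3"
                       ":log-stream:111122223333_CloudTrail_us-east-1",
    "prefix-only": PREFIX + "aws-controltower/CloudTrailLogsArchive:*",
    "unrelated": PREFIX + "my-app/CloudTrailLogs:*",
}

def compare_patterns(samples=SAMPLES) -> dict:
    """Return {name: (matches_old_pattern, matches_new_pattern)} per sample."""
    return {name: (arn_matches(OLD_PATTERN, arn), arn_matches(NEW_PATTERN, arn))
            for name, arn in samples.items()}

if __name__ == "__main__":
    for name, (old, new) in compare_patterns().items():
        print(f"{name:16} old={old!s:5} new={new!s:5}")
```

The "prefix-only" row is the point to check when reviewing the change: the new pattern covers every log group whose name starts with `aws-controltower/CloudTrailLogs`, not only the suffixed groups the update was made for.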