Managed policies for AWS Control Tower

AWSControlTowerServiceRolePolicy – Updated managed policy

AWS Control Tower updated the Amazon CloudWatch Logs resource pattern in the AWSControlTowerServiceRolePolicy to support Landing Zone 4.0's optional AWS CloudTrail integration. The pattern changed from aws-controltower/CloudTrailLogs:* to aws-controltower/CloudTrailLogs*:*, adding a wildcard character after CloudTrailLogs to allow management of log groups with any suffix.

This update enables Landing Zone 4.0's optional AWS CloudTrail integration, which allows customers to enable and disable AWS CloudTrail integration multiple times. Each time the integration is enabled, Amazon CloudWatch Logs log groups are recreated with unique suffixes to avoid naming conflicts. The update is backward compatible with existing deployments.

AWSControlTowerCloudTrailRolePolicy – New managed policy

AWS Control Tower introduced the AWSControlTowerCloudTrailRolePolicy managed policy, which allows CloudTrail to create log streams and publish log events to Control Tower-managed Amazon CloudWatch Logs log groups.

This managed policy replaces the inline policy previously used by the AWSControlTowerCloudTrailRole, enabling AWS to update the policy without customer intervention. The policy is scoped to log groups with names matching the pattern aws-controltower/CloudTrailLogs*.

AWSControlTowerAccountServiceRolePolicy – Update to an existing policy

AWS Control Tower added a new policy that extends the following permissions:

AWSControlTowerIdentityCenterManagementPolicy – A new policy

AWS Control Tower added a new policy that allows customers to configure IAM Identity Center resources in accounts that are enrolled in AWS Control Tower, and it allows AWS Control Tower to remediate some types of drift when auto-enrolling accounts.

This change is needed so that customers can configure IAM Identity Center in AWS Control Tower, and so that AWS Control Tower can remediate auto-enrollment drift.

AWSControlTowerServiceRolePolicy – Update to an existing policy

AWS Control Tower added new CloudFormation permissions that allow AWS Control Tower to query and deploy stack set resources into member accounts when auto-enrolling the accounts into AWS Control Tower.

AWSControlTowerServiceRolePolicy – Update to an existing policy

AWS Control Tower added new permissions that allow customers to enable and disable service-linked AWS Config rules.

This change is needed so that customers can manage controls that are deployed by Config rules.

AWSControlTowerServiceRolePolicy – Update to an existing policy

AWS Control Tower added new permissions that allow AWS Control Tower to make calls to the AWS CloudFormation service APIs ActivateType, DeactivateType, and SetTypeConfiguration, on AWS::ControlTower types.

This change allows customers to provision proactive controls without the deployment of private CloudFormation Hook types.

AWSControlTowerAccountServiceRolePolicy – A new policy

AWS Control Tower added a new service-linked role that allows AWS Control Tower to create and manage event rules, and based on those rules, to manage drift detection for controls that are related to Security Hub CSPM.

This change is needed so that customers can view drifted resources in the console, when those resources are related to Security Hub CSPM controls that are part of the Security Hub CSPM Service-managed Standard: AWS Control Tower.

AWSControlTowerServiceRolePolicy – Update to an existing policy

AWS Control Tower added new permissions that allow AWS Control Tower to make calls to the EnableRegion, ListRegions, and GetRegionOptStatus APIs implemented by the AWS Account Management service, to make the opt-in AWS Regions available for customer accounts in the landing zone (Management account, Log archive account, Audit account, OU member accounts).

This change is needed so that customers can have the option to expand Region governance by AWS Control Tower into the opt-in Regions.

AWSControlTowerServiceRolePolicy – Update to an existing policy

AWS Control Tower added new permissions that allow AWS Control Tower to assume the AWSControlTowerBlueprintAccess role in the blueprint (hub) account, which is a dedicated account in an organization, containing pre-defined blueprints stored in one or more Service Catalog Products. AWS Control Tower assumes the AWSControlTowerBlueprintAccess role to perform three tasks: create a Service Catalog Portfolio, add the requested blueprint Product, and share the Portfolio to a requested member account at account provisioning time.

This change is needed so that customers can provision customized accounts through AWS Control Tower Account Factory.

AWSControlTowerServiceRolePolicy – Update to an existing policy

AWS Control Tower added new permissions that allow customers to set up organization-level AWS CloudTrail trails, starting in landing zone version 3.0.

The organization-based CloudTrail feature requires customers to have trusted access enabled for the CloudTrail service, and the IAM user or role must have permission to create an organization-level trail in the management account.

AWSControlTowerServiceRolePolicy – Update to an existing policy

AWS Control Tower added new permissions that allow customers to use KMS key encryption.

The KMS feature allows customers to provide their own KMS key to encrypt their CloudTrail logs. Customers also can change the KMS key during landing zone update or repair. When updating the KMS key, AWS CloudFormation needs permissions to call the AWS CloudTrail PutEventSelector API. The change to the policy is to allow the AWSControlTowerAdmin role to call the AWS CloudTrail PutEventSelector API.

AWS Control Tower started tracking changes

AWS Control Tower started tracking changes for its AWS managed policies.