

# AWS Control Tower release notes
<a name="release-notes"></a>

The following sections show details about AWS Control Tower releases, since the inception of the service. Some releases require an update for an AWS Control Tower landing zone, and other releases are incorporated into the service automatically. 

Features and releases are listed in reverse chronological order (most recent first) based on the date on which they were officially announced to the public.

**Topics**
+ [January 2026 - Present](2026-all.md)
+ [January 2025 - December 2025](2025-all.md)
+ [January - December 2024](2024-all.md)
+ [January - December 2023](2023-all.md)
+ [January - December 2022](2022-all.md)
+ [January - December 2021](2021-all.md)
+ [January - December 2020](2020-all.md)
+ [June - December 2019](2019-all.md)

# January 2026 - Present
<a name="2026-all"></a>

Since January 2026, AWS Control Tower has released the following updates:
+ [AWS Control Tower available in the European Sovereign Cloud](#eusc-region)

## AWS Control Tower available in the European Sovereign Cloud
<a name="eusc-region"></a>

**January 13, 2026**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower is now available in the European Sovereign Cloud. For more information about AWS Control Tower in the European Sovereign Cloud, see the [AWS Control Tower User Guide for the European Sovereign Cloud](https://docs.aws.eu/esc/latest/userguide/controltower.html).

# January 2025 - December 2025
<a name="2025-all"></a>

Since January 2025, AWS Control Tower has released the following updates:
+ [AWS Control Tower landing zone version 4.0](#lz-40)
+ [AWS Control Tower adds additional 279 AWS Config controls to Control Catalog](#additional-config-controls)
+ [AWS Control Tower available in Asia Pacific (New Zealand) Region](#akl-region)
+ [AWS Control Tower supports automatic account enrollment](#auto-enroll)
+ [AWS Control Tower updates Python version](#updated-python)
+ [AWS Control Tower reduces drift](#no-attached-scp-drift)
+ [AWS Control Tower supports IPv6 addresses](#ct-ipv6)
+ [Account Factory for Terraform version 1.15.0 available](#aft-1-15)
+ [Updated controls with Nitro instance types](#nitro-updates)
+ [AWS Control Tower available in Asia Pacific (Taipei) Region](#new-region-tpe)
+ [AWS Control Tower supports PrivateLink](#ct-privatelink)
+ [Support for additional industry frameworks, updated metadata](#hg-1-5)
+ [Service-linked AWS Config controls](#managed-config-controls)
+ [Enabled controls console view gives centralized visibility](#enabled-controls-page)
+ [Account Factory for Terraform (AFT) supports new configurations at deployment](#aft-configurations)
+ [AWS Control Tower introduces account-level reporting for baseline APIs](#enabled-baseline-drift)
+ [AWS Control Tower available in AWS Asia Pacific (Thailand) and Mexico (Central) Regions](#new-regions-bkk-qro)
+ [Additional AWS Config controls available](#new-config-controls)
+ [Deregister and delete actions for OUs](#deregister-and-delete)
+ [Control Catalog supports IPv6 addresses](#ipv6)

## AWS Control Tower landing zone version 4.0
<a name="lz-40"></a>

**November 17, 2025**

(Update required for AWS Control Tower landing zone to version 4.0. For information, see [Update your landing zone](update-controltower.md)).

AWS Control Tower landing zone 4.0 is a major update that introduces a flexible Controls-Only experience, allowing customers to customize how they implement and manage their AWS multi-account environment. This release significantly changes how AWS Control Tower integrates with AWS services and manages organizational resources. For information on key changes, see [Landing Zone v4.0 migration guide](landing-zone-v4-migration-guide.md).

**Key Changes and Features**
+ Optional Service Integrations - landing zone 4.0 lets you choose which service integrations to enable in your environment. Disabling an integration will clean up the AWS Control Tower deployed resources specific to that integration in the managed accounts and the service integration central accounts. You can now selectively enable or disable service integrations: 
  + AWS Config
  + AWS CloudTrail
  + Security Roles
  + AWS Backup

*Important: If you want to disable AWS Config integration, you must also disable Security Roles, IAM Identity Center, and AWS Backup integrations.*
+ Dedicated Resources instead of using shared resources - landing zone 4.0 now creates dedicated resources for key services. This separation provides better resource isolation and more granular control over service-specific resources:
  + Separate S3 buckets for AWS Config
  + Separate S3 buckets for AWS CloudTrail
  + Individual SNS topics for each service
+ Flexible Organization Structure - landing zone 4.0 removes previous organizational structure requirements:
  + You are no longer required to use a Security OU
  + You can define your own organizational structure
  + The only requirement is that all hub accounts must be in the same OU
+ Dedicated controls experience - You can now create a minimal landing zone setup that includes:
  + Basic AWS Organizations integration
  + Ability to enable controls without enabling the `AWSControlTowerBaseline` baseline 
  + Custom governance configurations based on your needs
+ AWS Config Changes - Landing Zone 4.0 introduces several improvements to the AWS Config integration implementation:
  + A new Config spoke baseline specifically for detective controls
  + Service-linked Config aggregator (SLCA) in the Config hub account
  + Replacement of traditional organization and account aggregators
+ Optional Manifest:
  + The manifest field is now optional, which allows you to:
    + Create landing zones without any service integrations
    + Start with more flexibility in the initial setup
    + Customize deployment options

## AWS Control Tower adds additional 279 AWS Config controls to Control Catalog
<a name="additional-config-controls"></a>

**November 14, 2025**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now includes 279 additional AWS Config controls as part of the Control Catalog. You can view the controls in the AWS Control Tower console and through the APIs.

Certain controls have relationships with other controls. These relationships also are expressed in the AWS Control Tower console and in the APIs. Relationship types include **Complementary**, **Mutually exclusive**, and **Alternative**.

## AWS Control Tower available in Asia Pacific (New Zealand) Region
<a name="akl-region"></a>

**October 28, 2025**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower is now available in the Asia Pacific (New Zealand) Region.

For a full list of Regions where AWS Control Tower is available, see the [AWS Region Table](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).

## AWS Control Tower supports automatic account enrollment
<a name="auto-enroll"></a>

**October 15, 2025**

(No update required for AWS Control Tower landing zone.)

For customers operating AWS Control Tower landing zone version 3.1 or higher, AWS Control Tower now allows automatic enrollment of accounts into OUs. If you opt in for automatic enrollment of accounts, AWS Control Tower applies an OU's enabled baseline resources and controls to an account, when you move it into a new OU. Controls and baselines from the previous OU are removed. In most cases, no drift is created by this action.

**To activate auto-enrollment:** You can select auto-enrollment of accounts on the landing zone **Settings** page in the AWS Control Tower console, or by calling the AWS Control Tower `CreateLandingZone` or `UpdateLandingZone` APIs, with the value of the `RemediationType` parameter set to **Inheritance Drift**.

**To apply auto-enrollment:** After selecting this option in your **Settings** page, you can move an account by means of the AWS Organizations console, the AWS Organizations `MoveAccount` API, or the AWS Control Tower console.

**To unenroll an account with auto-enrollment:** If you move an account outside an OU that's registered, AWS Control Tower removes all deployed baseline resources and controls automatically.

For more information about auto-enrollment, see [Optionally configure auto-enrollment for accounts](configure-auto-enroll.md).

This release also includes an update to a managed policy and a new managed policy. We updated the [AWSControlTowerServiceRolePolicy](https://docs.aws.amazon.com//controltower/latest/userguide/managed-policies-table.html) and added the new [AWSControlTowerIdentityCenterManagementPolicy](https://docs.aws.amazon.com//controltower/latest/userguide/managed-policies-table.html).

We updated the AWS Control Tower `CreateLandingZone` and `UpdateLandingZone` APIs to add a new `RemediationType`, called `Inheritance Drift`.

## AWS Control Tower updates Python version
<a name="updated-python"></a>

**September 3, 2025**

(No update required for AWS Control Tower landing zone.)

Python version 3.9 is being deprecated. AWS Control Tower has updated the Python versions in your AWS Control Tower environments. No actions are required, and this update does not affect your existing workloads. 

## AWS Control Tower reduces drift
<a name="no-attached-scp-drift"></a>

 **August 20, 2025**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower has updated the functionality of service control policy (SCP) drift. With this release, two types of governance drift are handled directly by AWS Control Tower and no longer cause drift in your environment. 

**Two types of governance drift removed**
+ **SCP attached to managed OU** – This type of drift occurred when an SCP for a control was attached to any other OU. This occurrence was especially common when you updated OUs from outside of the AWS Control Tower console.
+ **SCP attached to member account** – This type of drift commonly occurred when an SCP for a control was attached to an account from outside the AWS Control Tower console.

For more information about drift, see [Detect and resolve drift in AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/drift.html).

## AWS Control Tower supports IPv6 addresses
<a name="ct-ipv6"></a>

**August 18, 2025**

(No update required for AWS Control Tower landing zone.)

The AWS Control Tower API now supports Internet Protocol version 6 (IPv6) addresses through our new dual-stack endpoints. The existing endpoints supporting IPv4 remain available for backwards compatibility. The new dual-stack domains are available either [from the internet](https://docs.aws.amazon.com/general/latest/gr/controlcatalog.html) or [from within an Amazon Virtual Private Cloud (VPC)](https://docs.aws.amazon.com/controlcatalog/latest/userguide/vpc-interface-endpoints.html) using [AWS PrivateLink](https://aws.amazon.com/privatelink/).

## Account Factory for Terraform version 1.15.0 available
<a name="aft-1-15"></a>

 **July 28, 2025**

(No update required for AWS Control Tower landing zone.)

Version 1.15.0 of AWS Control Tower Account Factory for Terraform (AFT) is available. For more information, see [the AFT GitHub repository](https://github.com/aws-ia/terraform-aws-control_tower_account_factory/releases/tag/1.15.0).

## Updated controls with Nitro instance types
<a name="nitro-updates"></a>

 **July 24, 2025**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower has updated the eight proactive controls in the Control Catalog (formerly called the Control Library) that enforce the Amazon EC2 instance types. This update allows you to instantiate some new Nitro instance types, and it removes some deprecated *u-series* instance types. 

**Updated controls**
+ [https://docs.aws.amazon.com/controltower/latest/controlreference/ec2-auto-scaling-rules.html#ct-autoscaling-pr-10-description](https://docs.aws.amazon.com/controltower/latest/controlreference/ec2-auto-scaling-rules.html#ct-autoscaling-pr-10-description)
+ [https://docs.aws.amazon.com/controltower/latest/controlreference/ec2-auto-scaling-rules.html#ct-autoscaling-pr-11-description](https://docs.aws.amazon.com/controltower/latest/controlreference/ec2-auto-scaling-rules.html#ct-autoscaling-pr-11-description)
+ [https://docs.aws.amazon.com//controltower/latest/controlreference/ec2-rules.html#ct-ec2-pr-15-description](https://docs.aws.amazon.com//controltower/latest/controlreference/ec2-rules.html#ct-ec2-pr-15-description)
+ [https://docs.aws.amazon.com//controltower/latest/controlreference/ec2-rules.html#ct-ec2-pr-16-description](https://docs.aws.amazon.com//controltower/latest/controlreference/ec2-rules.html#ct-ec2-pr-16-description)
+ [https://docs.aws.amazon.com//controltower/latest/controlreference/ec2-rules.html#ct-ec2-pr-17-description](https://docs.aws.amazon.com//controltower/latest/controlreference/ec2-rules.html#ct-ec2-pr-17-description)
+ [https://docs.aws.amazon.com//controltower/latest/controlreference/ec2-rules.html#ct-ec2-pr-18-description](https://docs.aws.amazon.com//controltower/latest/controlreference/ec2-rules.html#ct-ec2-pr-18-description)
+ [https://docs.aws.amazon.com//controltower/latest/controlreference/ec2-rules.html#ct-ec2-pr-19-description](https://docs.aws.amazon.com//controltower/latest/controlreference/ec2-rules.html#ct-ec2-pr-19-description)
+ [https://docs.aws.amazon.com//controltower/latest/controlreference/ec2-rules.html#ct-ec2-pr-20-description](https://docs.aws.amazon.com//controltower/latest/controlreference/ec2-rules.html#ct-ec2-pr-20-description)

**New instance types available**
+ `c8gd`
+ `c8gn`
+ `i7i`
+ `m8gd`
+ `p6-b200`
+ `r8gd`

**Instance types removed**
+ `u-12tb1`
+ `u-18tb1`
+ `u-24tb1`
+ `u-9tb1`

The updated controls are available in all AWS Regions where AWS Control Tower is available. For a list of Regions where AWS Control Tower is available, see the [AWS Region Table](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).

## AWS Control Tower available in Asia Pacific (Taipei) Region
<a name="new-region-tpe"></a>

**July 23, 2025**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower is now available in the Asia Pacific (Taipei) Region.

For a full list of Regions where AWS Control Tower is available, see the [AWS Region Table](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).

## AWS Control Tower supports PrivateLink
<a name="ct-privatelink"></a>

 **June 30, 2025**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now supports [AWS PrivateLink](https://aws.amazon.com/privatelink/). You can invoke AWS Control Tower and Control Catalog APIs from within your Amazon Virtual Private Cloud (VPC) without traversing the public internet. AWS PrivateLink provides private connectivity among virtual private clouds (VPCs), supported services and resources, and your on-premises networks. AWS PrivateLink support for AWS Control Tower is available in all AWS Regions where AWS Control Tower is available. 

## Support for additional industry frameworks, updated metadata
<a name="hg-1-5"></a>

**June 12, 2025**

(No update required for AWS Control Tower landing zone.)

With this release, AWS Control Tower expands to include support for 10 industry frameworks. For a list of frameworks, see [Frameworks supported](https://docs.aws.amazon.com//controltower/latest/controlreference/frameworks-supported.html).

For example, you can get started by navigating to the Control Catalog page in the AWS Control Tower console and searching for a framework, such as **PCI-DSS-v4.0**, to view all controls related to that framework. Or you can examine controls and frameworks programmatically, by calling the new [https://docs.aws.amazon.com//controlcatalog/latest/APIReference/API_ListControlMappings.html](https://docs.aws.amazon.com//controlcatalog/latest/APIReference/API_ListControlMappings.html) API.

The metadata definitions associated with controls are changing, to better support these additional industry frameworks. The changes to metadata can affect the way you evaluate controls for enablement. For example, the values for NIST, PCI, and CIS metadata may have changed. We recommend that you *review the mappings* for your enabled controls, on the **Control details** page in the console.

In the console and the API, we introduced 3 new metadata fields. Collectively, these fields describe a hierarchy that helps you understand how to categorize and enable controls. The fields are: **Domain**, **Objective**, and [https://docs.aws.amazon.com//controltower/latest/controlreference/common-controls-list.html](https://docs.aws.amazon.com//controltower/latest/controlreference/common-controls-list.html). We have redefined our [control objectives](https://docs.aws.amazon.com/controltower/latest/controlreference/control-catalog-objectives.html) to align better with the broader scope of industry frameworks that are available. For more information about this hierarchy, see [Ontology overview](https://docs.aws.amazon.com/controlcatalog/latest/userguide/ontology-overview.html).
+ These metadata changes are reflected in the AWS Control Tower console, and the console experience is consistent across the AWS Control Tower and AWS Config consoles.
+ To view control information in the AWS Control Tower console, you must add additional `controlcatalog` permissions to your IAM policies. For more information, see [Permissions required to use the AWS Control Tower console](https://docs.aws.amazon.com/controltower/latest/userguide/additional-console-required-permissions.html).
+ Each control now has a new field called `GovernedResources`, which shows the resource types that the control governs. In some cases, this field shows the service prefix for the resources, and in other instances, it can be blank. For more information, see [https://docs.aws.amazon.com//controlcatalog/latest/APIReference/API_GetControl.html](https://docs.aws.amazon.com//controlcatalog/latest/APIReference/API_GetControl.html) and [https://docs.aws.amazon.com//controlcatalog/latest/APIReference/API_ListControls.html](https://docs.aws.amazon.com//controlcatalog/latest/APIReference/API_ListControls.html).

With this release, we have renamed the *Controls Library* to *Control Catalog*, for consistency with other terminology.

## Service-linked AWS Config controls
<a name="managed-config-controls"></a>

 **June 12, 2025**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower announces support for the AWS Control Tower detective controls to be deployed as service-linked AWS Config rules.

With this release, AWS Control Tower now deploys service-linked Config rules directly in your enrolled accounts, replacing the previous method of deployment with AWS CloudFormation stack sets. This change significantly improves deployment speed. Also, these service-linked Config rules help to ensure consistent governance of your resources, because they prevent unintentional configuration drift that could be caused by manual changes to CloudFormation stack sets or Config rules.

**Going forward, all AWS Control Tower controls implemented by AWS Config rules will be deployed with this mechanism, which directly calls the AWS Config APIs.**

**Important**  
Before you adopt service-linked Config rules, review the existing customizations, such as remediations, that you have made to Config rules outside of AWS Control Tower, because these customizations will be removed during the transition. The AWS Config APIs do not support adding remediation configurations for service-linked AWS Config rules. See [https://docs.aws.amazon.com/config/latest/APIReference/API_PutRemediationConfigurations.html](https://docs.aws.amazon.com/config/latest/APIReference/API_PutRemediationConfigurations.html).

**Details and action required**
+ When you **Update** or **Reset** your landing zone, AWS Control Tower updates the **Mandatory** controls that govern the Security OU. To complete the upgrade, you also must **Reset** each of the detective controls that are implemented with AWS Config rules, or **Re-register** the OU. 
+ The full scope of this upgrade applies to you if your AWS Control Tower landing zone version is 3.2 or above. When you apply this update, your existing AWS Config rules are changed to become service-managed Config rules, along with the new deployment method.
+ If your landing zone is version 3.1 or below, any new Config rules will be deployed with the new method, no longer with Stack Sets. Your existing Config rules are NOT updated to become service-managed Config rules. They will remain of the standard type.
+ You can identify service-linked config rules by their resource ARN, which has the form:

  ```
  arn:aws:config:*:*:config-rule/aws-service-rule/controltower.*/*
  ```

The intended functionality of controls, when implemented by service-linked AWS Config rules, has not changed. The detective, service-linked Config rules in AWS Control Tower can identify non-compliant resources within your accounts, such as policy violations, and provide alerts through the dashboard. To maintain consistency, prevent configuration drift, and simplify your overall user experience, these rules now can be modified only through AWS Control Tower.
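The ARN form above is the only stable way to tell a service-linked Control Tower rule apart from a standard Config rule in the same account, and the **Important** note says remediation configurations on rules that move to the service-linked type are removed. The following Python is an added example, not code from the release note or from AWS: it matches the documented ARN form, classifies rules shaped like `DescribeConfigRules` output, and lists the standard rules that still carry a remediation configuration so they can be reviewed before the landing zone is updated. All rule names, the account ID and the rule IDs are constructed placeholders; the `controltower.amazonaws.com` segment is my assumption of what `controltower.*` expands to. It goes slightly beyond the note by accepting any `aws*` partition.

```python
import re
from typing import Dict, Iterable, List

# Regex derived from the ARN form given in the release note:
#   arn:aws:config:*:*:config-rule/aws-service-rule/controltower.*/*
# The partition may vary (aws, aws-cn, aws-us-gov); region and account are
# captured so a report can be grouped per account. Everything else is anchored.
SERVICE_LINKED_CT_RULE_ARN = re.compile(
    r"^arn:(?P<partition>aws[a-z-]*):config:(?P<region>[a-z0-9-]+):"
    r"(?P<account>\d{12}):config-rule/aws-service-rule/"
    r"controltower\.[^/]+/(?P<rule_id>[^/]+)$"
)


def is_service_linked_control_tower_rule(arn: str) -> bool:
    """True if a Config rule ARN has the service-linked Control Tower form."""
    return SERVICE_LINKED_CT_RULE_ARN.match(arn) is not None


def review_config_rules(rules: Iterable[Dict],
                        rules_with_remediation: Iterable[str]) -> Dict[str, List[str]]:
    """Classify Config rules and flag the ones whose remediation needs review.

    `rules` follows the shape of the ConfigRules list returned by the AWS Config
    DescribeConfigRules API (only ConfigRuleName and ConfigRuleArn are read).
    `rules_with_remediation` holds the ConfigRuleName values that currently have
    a remediation configuration (DescribeRemediationConfigurations output).
    Service-linked rules cannot carry remediation configurations, so a standard
    rule that has one is listed for review before the landing zone is updated.
    """
    remediated = set(rules_with_remediation)
    report: Dict[str, List[str]] = {
        "service_linked": [], "standard": [], "remediation_review": []}
    for rule in rules:
        name = rule["ConfigRuleName"]
        if is_service_linked_control_tower_rule(rule["ConfigRuleArn"]):
            report["service_linked"].append(name)
        else:
            report["standard"].append(name)
            if name in remediated:
                report["remediation_review"].append(name)
    return report


# Constructed sample data; names, account ID and rule IDs are placeholders.
SAMPLE_RULES = [
    {"ConfigRuleName": "example-ct-encrypted-volumes",
     "ConfigRuleArn": "arn:aws:config:us-east-1:111122223333:config-rule/"
                      "aws-service-rule/controltower.amazonaws.com/config-rule-example1"},
    {"ConfigRuleName": "example-ct-restricted-ssh",
     "ConfigRuleArn": "arn:aws:config:us-east-1:111122223333:config-rule/config-rule-example2"},
    {"ConfigRuleName": "example-team-s3-logging",
     "ConfigRuleArn": "arn:aws:config:us-east-1:111122223333:config-rule/config-rule-example3"},
    # Service-linked, but owned by a different service: must not match.
    {"ConfigRuleName": "example-other-service-rule",
     "ConfigRuleArn": "arn:aws:config:us-east-1:111122223333:config-rule/"
                      "aws-service-rule/securityhub.amazonaws.com/config-rule-example4"},
]
SAMPLE_REMEDIATED = ["example-ct-restricted-ssh"]

if __name__ == "__main__":
    for bucket, names in review_config_rules(SAMPLE_RULES, SAMPLE_REMEDIATED).items():
        print(f"{bucket}: {names}")
```

In practice the two inputs come from paging through `DescribeConfigRules` and `DescribeRemediationConfigurations` in each enrolled account; the classification itself never needs network access, which makes it easy to run against an export taken before the update and again afterwards to confirm which rules changed type.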

As part of this release, we added four new permissions to the policy for the service-linked role (SLR) [https://docs.aws.amazon.com//controltower/latest/userguide/access-control-managing-permissions.html#AWSServiceRoleForAWSControlTower](https://docs.aws.amazon.com//controltower/latest/userguide/access-control-managing-permissions.html#AWSServiceRoleForAWSControlTower), so that you can enable and disable service-linked AWS Config rules for your enrolled accounts.

```
config:DescribeConfigRules
config:TagResource
config:PutConfigRule
config:DeleteConfigRule
```

## Enabled controls console view gives centralized visibility
<a name="enabled-controls-page"></a>

**May 21, 2025**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower added a new page in the console that displays all of your enabled controls in a single, centralized view. Previously, controls were viewable only with the account or OU on which they were enabled. The consolidated view makes it easier for you to identify gaps in your control governance, at scale.

On the **Enabled controls** page, you can filter the controls according to behavior: Preventive, Detective, or Proactive. You also can filter according to control implementation, such as SCP. For each control, you can see how many OUs have this control enabled.

To see the **Enabled controls** page, navigate to the **Controls** section in the AWS Control Tower console.

## Account Factory for Terraform (AFT) supports new configurations at deployment
<a name="aft-configurations"></a>

**May 13, 2025**

(No update required for AWS Control Tower landing zone.)

The AWS Control Tower account customization framework, Account Factory for Terraform (AFT), now supports three additional optional configurations at the time of deployment. You can deploy AFT into a custom virtual private cloud (VPC), specify the Terraform project name for your AFT deployment, and tag the resources that AFT creates.

For more information, see [Deploy AWS Control Tower Account Factory for Terraform (AFT)](https://docs.aws.amazon.com/controltower/latest/userguide/aft-getting-started.html).

## AWS Control Tower introduces account-level reporting for baseline APIs
<a name="enabled-baseline-drift"></a>

 **May 12, 2025**

(No update required for AWS Control Tower landing zone.)

You can now view *drift* and *account enrollment* statuses programmatically for your governed accounts, by calling the baseline APIs. With this capability, you can identify when account and OU baseline configurations are *drifted*, or out of sync. To view the drift status programmatically, you can call the [https://docs.aws.amazon.com//controltower/latest/APIReference/API_ListEnabledBaselines.html](https://docs.aws.amazon.com//controltower/latest/APIReference/API_ListEnabledBaselines.html) API for your enabled baselines. To view statuses for individual accounts programmatically with the `ListEnabledBaselines` API, use the `includeChildren` flag. You can filter by these statuses, and see only the accounts and OUs that require your attention.

The [https://docs.aws.amazon.com//controltower/latest/userguide/types-of-baselines.html#ou-baseline-types](https://docs.aws.amazon.com//controltower/latest/userguide/types-of-baselines.html#ou-baseline-types) sets up best practice configurations, controls, and resources that are required for governance. When you enable this baseline on an organizational unit (OU), member accounts within the OU are enrolled into AWS Control Tower automatically. The AWS Control Tower baseline APIs include CloudFormation support, which allows you to build automations that manage your OUs and accounts with infrastructure as code (IaC).

 To learn more about these APIs, review [Baselines](https://docs.aws.amazon.com//controltower/latest/userguide/types-of-baselines.html) in the *AWS Control Tower User Guide*. The baseline APIs and newly launched reporting capabilities for *drift* and *account enrollment* status are available in all AWS Regions where AWS Control Tower is available. For a list of AWS Regions where AWS Control Tower is available, see the [AWS Region Table](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).
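A drifted baseline means an account or OU is no longer governed the way the landing zone says it is, so the useful output of the reporting above is a short list of targets to act on. The following Python is an added example and not code from the release note or from AWS: it groups enabled-baseline summaries by inheritance drift status, tells OU targets from account targets by their Organizations ARN, and returns the targets that need attention. The summary shape (`driftStatusSummary.types.inheritance.status`, `statusSummary.status`, `targetIdentifier`, `baselineIdentifier`) is my reading of `EnabledBaselineSummary` and should be checked against the API reference; every ARN, account ID and identifier in the sample data is a constructed placeholder.

```python
from typing import Dict, Iterable, List


def target_type(target_identifier: str) -> str:
    """Classify an Organizations target ARN as 'ou', 'account' or 'unknown'.

    OU ARNs contain ':ou/' and account ARNs contain ':account/'; anything
    else is reported as unknown rather than guessed.
    """
    if ":ou/" in target_identifier:
        return "ou"
    if ":account/" in target_identifier:
        return "account"
    return "unknown"


def summarize_baseline_drift(enabled_baselines: Iterable[Dict]) -> Dict[str, List[Dict]]:
    """Group enabled-baseline summaries by inheritance drift status.

    Each item is shaped like an EnabledBaselineSummary from ListEnabledBaselines
    (assumption: drift is read from driftStatusSummary.types.inheritance.status
    and enablement state from statusSummary.status). A summary without a drift
    block lands in 'UNKNOWN' so that a missing field never reads as in sync.
    """
    buckets: Dict[str, List[Dict]] = {"DRIFTED": [], "IN_SYNC": [], "UNKNOWN": []}
    for eb in enabled_baselines:
        drift = (eb.get("driftStatusSummary", {})
                   .get("types", {})
                   .get("inheritance", {})
                   .get("status", "UNKNOWN"))
        buckets.setdefault(drift, []).append({
            "target": eb["targetIdentifier"],
            "targetType": target_type(eb["targetIdentifier"]),
            "baseline": eb["baselineIdentifier"],
            "enablement": eb.get("statusSummary", {}).get("status", "UNKNOWN"),
        })
    return buckets


def needs_attention(enabled_baselines: Iterable[Dict]) -> List[str]:
    """Targets whose baseline is not IN_SYNC or whose last operation FAILED."""
    summary = summarize_baseline_drift(enabled_baselines)
    flagged = set()
    for status, entries in summary.items():
        for entry in entries:
            if status != "IN_SYNC" or entry["enablement"] == "FAILED":
                flagged.add(entry["target"])
    return sorted(flagged)


# Constructed sample data: one OU and three member accounts in it.
BASELINE = "arn:aws:controltower:us-east-1::baseline/EXAMPLEBASELINE"
OU_TARGET = "arn:aws:organizations::111122223333:ou/o-exampleorgid/ou-examp-1"
ACCOUNT_DRIFTED = "arn:aws:organizations::111122223333:account/o-exampleorgid/222233334444"
ACCOUNT_FAILED = "arn:aws:organizations::111122223333:account/o-exampleorgid/333344445555"
ACCOUNT_NO_DRIFT_INFO = "arn:aws:organizations::111122223333:account/o-exampleorgid/444455556666"


def _summary(target: str, enablement: str, drift: str = None) -> Dict:
    item = {"baselineIdentifier": BASELINE, "targetIdentifier": target,
            "statusSummary": {"status": enablement}}
    if drift is not None:
        item["driftStatusSummary"] = {"types": {"inheritance": {"status": drift}}}
    return item


SAMPLE_ENABLED_BASELINES = [
    _summary(OU_TARGET, "SUCCEEDED", "IN_SYNC"),
    _summary(ACCOUNT_DRIFTED, "SUCCEEDED", "DRIFTED"),
    _summary(ACCOUNT_FAILED, "FAILED", "IN_SYNC"),
    _summary(ACCOUNT_NO_DRIFT_INFO, "SUCCEEDED"),   # no drift block at all
]

if __name__ == "__main__":
    for target in needs_attention(SAMPLE_ENABLED_BASELINES):
        print("needs attention:", target)
```

The input is what a paginated `ListEnabledBaselines` call with `includeChildren` set returns for an OU; feeding it in from a saved JSON export works the same way. Treating a missing drift block as unknown rather than in sync is deliberate: a reporting gap should surface in the list, not hide in it.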

## AWS Control Tower available in AWS Asia Pacific (Thailand) and Mexico (Central) Regions
<a name="new-regions-bkk-qro"></a>

**May 9, 2025**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower is now available in the following AWS Regions:
+ Asia Pacific (Thailand)
+ Mexico (Central)

For a full list of Regions where AWS Control Tower is available, see the [AWS Region Table](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).

## Additional AWS Config controls available
<a name="new-config-controls"></a>

 **April 11, 2025**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now supports an additional 223 managed AWS Config rules for various use cases, such as security, cost, durability, and operations. With this launch, you can now use AWS Control Tower to search and discover the AWS Config rules that you need to govern your multi-account environment; then enable and manage the controls directly from AWS Control Tower.

To get started from the AWS Control Tower console, go to the Control Catalog and search for controls with the implementation filter AWS Config. You can enable the controls directly from the AWS Control Tower console. 

For more details, see [Integrated AWS Config controls available in AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/controlreference/config-controls.html).

With this launch, we've updated the `ListControls` and `GetControl` APIs to support three new fields: **CreateTime**, **Severity**, and **Implementation**, which you can use when searching for a control in Control Catalog. For example, you can now programmatically find high-severity AWS Config rules that were created after your last evaluation.

You can search for the new AWS Config rules in all AWS Regions where AWS Control Tower is available. To deploy a rule, refer to the list of supported AWS Regions for that rule, to see where it can be enabled.
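The example query in the note (high-severity AWS Config rule controls created after your last evaluation) is a client-side filter over the new **Severity**, **Implementation** and **CreateTime** fields. The following Python is an added example and not code from the release note or from AWS: it applies that filter to control summaries shaped like `ListControls` output and orders the hits most severe and newest first. The field shapes are my assumptions (a `Severity` label of CRITICAL, HIGH, MEDIUM or LOW; `Implementation` as `{"Type": ..., "Identifier": ...}` with the type string `"AWS Config Rule"`; `CreateTime` as a timezone-aware datetime) and should be checked against the `ListControls` reference; every control name and ARN in the sample data is a constructed placeholder.

```python
from datetime import datetime, timezone
from typing import Dict, Iterable, List

# Order used to rank results; labels assumed to match the Control Catalog.
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def find_new_config_controls(controls: Iterable[Dict], since: datetime,
                             min_severity: str = "HIGH",
                             implementation_type: str = "AWS Config Rule") -> List[Dict]:
    """Controls of the given implementation type, at or above `min_severity`,
    created after `since`; most severe first, newest first within a severity.

    Each item is shaped like a ControlSummary from ListControls (assumed shape,
    see lead-in). Items missing Severity or CreateTime are skipped, never
    treated as matches, so an incomplete record cannot slip into the report.
    """
    threshold = SEVERITY_RANK[min_severity]
    hits = []
    for control in controls:
        impl_type = control.get("Implementation", {}).get("Type")
        severity = control.get("Severity")
        created = control.get("CreateTime")
        if impl_type != implementation_type or severity not in SEVERITY_RANK or created is None:
            continue
        if SEVERITY_RANK[severity] <= threshold and created > since:
            hits.append(control)
    hits.sort(key=lambda c: (SEVERITY_RANK[c["Severity"]], -c["CreateTime"].timestamp()))
    return hits


def _control(name: str, impl_type: str, severity: str, created: datetime = None) -> Dict:
    item = {"Arn": f"arn:aws:controlcatalog:::control/{name}", "Name": name,
            "Implementation": {"Type": impl_type, "Identifier": f"example-{name}"}}
    if severity:
        item["Severity"] = severity
    if created:
        item["CreateTime"] = created
    return item


# Constructed sample data covering each branch of the filter.
SAMPLE_CONTROLS = [
    _control("example-high-recent", "AWS Config Rule", "HIGH",
             datetime(2025, 4, 11, tzinfo=timezone.utc)),
    _control("example-critical-recent", "AWS Config Rule", "CRITICAL",
             datetime(2025, 4, 5, tzinfo=timezone.utc)),
    _control("example-low-recent", "AWS Config Rule", "LOW",
             datetime(2025, 4, 11, tzinfo=timezone.utc)),        # below severity
    _control("example-high-old", "AWS Config Rule", "HIGH",
             datetime(2024, 11, 21, tzinfo=timezone.utc)),       # before last evaluation
    _control("example-high-scp", "AWS Organizations Service Control Policy", "HIGH",
             datetime(2025, 4, 11, tzinfo=timezone.utc)),        # different implementation
    _control("example-high-undated", "AWS Config Rule", "HIGH"),  # no CreateTime
]
LAST_EVALUATION = datetime(2025, 3, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for control in find_new_config_controls(SAMPLE_CONTROLS, LAST_EVALUATION):
        print(control["Severity"], control["CreateTime"].date(), control["Name"])
```

Run it over the accumulated pages of a `ListControls` call and feed the resulting list into your enablement review; the time stored as `LAST_EVALUATION` is the one to persist between runs so the next report only shows what is new.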

## Deregister and delete actions for OUs
<a name="deregister-and-delete"></a>

**April 8, 2025**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now supports separate console actions to deregister an OU and to delete an OU. You must deregister the OU before you delete it. You can remove an OU from AWS Control Tower by deregistering it.

For more information, see [Remove an OU](remove-ou.md).

## Control Catalog supports IPv6 addresses
<a name="ipv6"></a>

 **April 2, 2025**

(No update required for AWS Control Tower landing zone.)

The AWS Control Tower Control Catalog API now supports Internet Protocol version 6 (IPv6) addresses through our new dual-stack endpoints. The existing Control Catalog endpoints supporting IPv4 remain available for backwards compatibility. The new dual-stack domains are available either [from the internet](https://docs.aws.amazon.com/general/latest/gr/controlcatalog.html) or [from within an Amazon Virtual Private Cloud (VPC)](https://docs.aws.amazon.com/controlcatalog/latest/userguide/vpc-interface-endpoints.html) using [AWS PrivateLink](https://aws.amazon.com/privatelink/).

# January - December 2024
<a name="2024-all"></a>

In 2024, AWS Control Tower released the following updates:
+ [AWS Control Tower CfCT supports GitHub and RCPs](#cfct-github-support)
+ [AWS Control Tower adds preventive controls with declarative policies](#declarative-policies)
+ [AWS Control Tower adds prescriptive backup plan options](#aws-backup)
+ [AWS Control Tower integrates AWS Config controls](#config-controls)
+ [AWS Control Tower improves hook management and adds proactive control Regions](#hook-management)
+ [AWS Control Tower launches managed resource control policies](#rcp-controls)
+ [AWS Control Tower reports control policy drift](#policy-drift)
+ [New `ResetEnabledControl` API](#reset-enabled-control-api)
+ [Control catalog updates `GetControl` API](#getcontrol-api-update)
+ [AWS Control Tower AFT supports GitLab](#aft-gitlab-support)
+ [AWS Control Tower available in AWS Asia Pacific (Malaysia) Region](#kul-region)
+ [AWS Control Tower supports up to 1000 accounts per OU](#1000-accounts)
+ [AWS Control Tower adds landing zone version selection](#lz-version-select)
+ [Descriptive control API available, expanded access to Regions and controls](#get-and-list-controls)
+ [AWS Control Tower supports AFT and CfCT in opt-in Regions](#aft-cfct-regions)
+ [AWS Control Tower adds the `ListLandingZoneOperations` API](#lz-operations-api)
+ [AWS Control Tower supports up to 100 concurrent control operations](#multiple-controls)
+ [AWS Control Tower available in AWS Canada West (Calgary)](#yyc-available)
+ [AWS Control Tower supports self-service quota adjustments](#service-quotas)
+ [AWS Control Tower releases the *Controls Reference Guide*](#controls-reference-guide)
+ [AWS Control Tower updates and renames two proactive controls](#update-2-proactive-controls)
+ [Deprecated controls no longer available](#deprecated-controls)
+ [AWS Control Tower supports tagging `EnabledControl` resources in CloudFormation](#cfn-tagging)
+ [AWS Control Tower supports APIs for OU registration and configuration with baselines](#baseline-apis)

## AWS Control Tower CfCT supports GitHub and RCPs
<a name="cfct-github-support"></a>

 **December 9, 2024**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now supports GitHub™ as an option for a third-party version control system (VCS) and configuration source for Customizations for AWS Control Tower (CfCT). For more information, see [Set up GitHub as the configuration source](cfct-github-configuration-source.md).

AWS Control Tower now supports resource control policies (RCPs) for Customizations for AWS Control Tower (CFCT). For more information, see [CfCT customization guide](cfct-customizations-dev-guide.md).

## AWS Control Tower adds preventive controls with declarative policies
<a name="declarative-policies"></a>

 **December 1, 2024**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now supports preventive controls that are implemented by declarative policies from AWS Organizations. Declarative policies are applied directly at the service level. This approach ensures that the specified configuration is enforced, even when new features or APIs are introduced by the service. For more information, see [Controls implemented with declarative policies](https://docs.aws.amazon.com//controltower/latest/controlreference/declarative-controls.html).

## AWS Control Tower adds prescriptive backup plan options
<a name="aws-backup"></a>

 **November 25, 2024**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now supports prescriptive AWS Backup plans that allow you to incorporate a data backup and recovery workflow directly into your landing zone. The backup plan includes predefined rules, such as retention days, backup frequency, and the time window during which backup occurs. These rules define how to back up your AWS resources across all of your governed member accounts. When you apply a backup plan to the landing zone, AWS Control Tower ensures that the plan is consistent for all member accounts, and aligned with best practice recommendations from AWS Backup.

For more information, see [AWS Backup and AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/backup.html).

## AWS Control Tower integrates AWS Config controls
<a name="config-controls"></a>

**November 21, 2024**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower has integrated selected AWS Config controls, so that they can be viewed and managed by AWS Control Tower.

For more information, see [Integrated AWS Config controls available in AWS Control Tower](https://docs.aws.amazon.com//controltower/latest/controlreference/config-controls.html).

## AWS Control Tower improves hook management and adds proactive control Regions
<a name="hook-management"></a>

**November 20, 2024**

(No update required for AWS Control Tower landing zone.)

With this release, you can utilize the full capacity of CloudFormation hooks, without restriction by AWS Control Tower. Also, proactive controls are available in the Canada West (Calgary) Region and Asia Pacific (Malaysia) Region.

Previously, all CloudFormation hooks in your environment needed to be protected by the **CT.CLOUDFORMATION.PR.1** control, so that only AWS Control Tower could modify them. With this release, you can deploy CloudFormation hooks, and modify these hooks, without the restrictions that previously were required by the AWS Control Tower service. 

If you currently deploy proactive controls, you can move to this improved hook functionality. To reset all proactive controls on an OU, reset any single proactive control that is active on that OU. You can perform the reset by calling the `ResetEnabledControl` API, or by updating the control from the console, with the **Reset** functionality. When you complete this reset task for any proactive control, AWS Control Tower moves all of the proactive control hooks on the OU to the new capability. Repeat this process for each OU that deploys proactive controls.

After you reset any proactive control, remove the **CT.CLOUDFORMATION.PR.1** control on your AWS Control Tower OUs, unless you enabled that control for another purpose. If you don't turn off the **CT.CLOUDFORMATION.PR.1** control, you won't be able to create and modify your other CloudFormation hooks.

For more information, see [Update proactive control hooks](https://docs.aws.amazon.com//controltower/latest/controlreference/get-new-hooks.html).

## AWS Control Tower launches managed resource control policies
<a name="rcp-controls"></a>

 **November 15, 2024**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower offers a new type of preventive control, implemented with resource control policies (RCPs). These controls help you establish a data perimeter across your AWS Control Tower environment, to protect your resources from unintended access.

For example, you can enable RCP-based controls for Amazon S3, AWS Security Token Service, AWS Key Management Service, Amazon SQS, and AWS Secrets Manager services. An RCP-based control can enforce a requirement such as "Require that the organization's Amazon S3 resources are accessible only by IAM principals that belong to the organization, or by an AWS service," regardless of the permissions granted on individual bucket policies.

You can configure the new RCP-based controls, and certain existing SCP-based preventive controls, to specify AWS IAM exemptions for principals and resources. If you don't want a principal or a resource to be governed by the control, you can configure an exemption.

By combining preventive, proactive, and detective controls in AWS Control Tower, you can monitor whether your multi-account AWS environment is secure and managed in accordance with best practices, such as the [AWS Foundational Security Best Practices standard](https://docs.aws.amazon.com//securityhub/latest/userguide/securityhub-standards-fsbp.html).

These new RCP-based preventive controls are available in AWS Regions where AWS Control Tower is available. For a full list of AWS Regions where AWS Control Tower is available, see the [AWS Region Table](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).

## AWS Control Tower reports control policy drift
<a name="policy-drift"></a>

**November 15, 2024**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now reports control policy drift, for controls implemented with resource control policies (RCPs), and controls that are part of the **Security Hub CSPM Service-managed Standard: AWS Control Tower**. This type of drift can be remediated through the new `ResetEnabledControl` API. For more information, see [Types of governance drift](https://docs.aws.amazon.com/controltower/latest/userguide/governance-drift.html).

## New `ResetEnabledControl` API
<a name="reset-enabled-control-api"></a>

 **November 14, 2024**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower announces a new API to help you manage control drift programmatically. You can repair control drift and reset a control to its intended configuration. The `ResetEnabledControl` API works with optional AWS Control Tower controls, including **Strongly recommended** and **Elective** controls.

**Control exceptions**
+ Controls that are implemented with service control policies (SCPs) cannot be reset with this API. For more information, see [`ResetEnabledControl`](https://docs.aws.amazon.com//controltower/latest/APIReference/API_ResetEnabledControl.html) in the *AWS Control Tower API Reference*.
+ Mandatory controls cannot be reset, because they protect AWS Control Tower resources. 
+ The **Region deny** control for the landing zone must be reset through the console.

Control drift occurs when an AWS Control Tower control is modified outside AWS Control Tower, for example from the AWS Organizations console. Resolving drift helps to ensure your compliance with governance requirements.

## Control catalog updates `GetControl` API
<a name="getcontrol-api-update"></a>

 **November 8, 2024**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now supports an updated `GetControl` API that includes two new fields: `Implementation` types for all controls, and `Parameters` for certain controls that can be configured.

The `GetControl` API is part of the `controlcatalog` namespace of AWS Control Tower.

For more information, see the [`GetControl` API](https://docs.aws.amazon.com//controlcatalog/latest/APIReference/API_GetControl.html) in the *Control Catalog API Reference*.

**This release includes related changes that are shown in the AWS Control Tower console.**
+ All existing AWS Security Hub CSPM controls have their `Implementation` parameter value changed from AWS Config rule to AWS Security Hub CSPM. The corresponding console help panel is modified to reflect this change.
+ All existing Hook controls have their `Implementation` parameter value changed from CloudFormation guard rule to CloudFormation hook. The corresponding console help panel is modified to reflect this change.

## AWS Control Tower AFT supports GitLab
<a name="aft-gitlab-support"></a>

 **October 23, 2024**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now supports GitLab™ and GitLab Self-managed as options for a third-party version control system (VCS) and configuration source for Account Factory for Terraform (AFT).

## AWS Control Tower available in AWS Asia Pacific (Malaysia) Region
<a name="kul-region"></a>

 **October 21, 2024**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower is available in the AWS Asia Pacific (Malaysia) Region.

For a full list of Regions where AWS Control Tower is available, see the [AWS Region Table](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).

## AWS Control Tower supports up to 1000 accounts per OU
<a name="1000-accounts"></a>

 **August 30, 2024**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower has increased the maximum number of accounts allowed per organizational unit (OU) from 300 to 1000. Now, you can enroll up to 1000 AWS accounts into AWS Control Tower governance at once, without changing your OU structure. The OU registration and re-registration processes also are more efficient, requiring significantly less time to deploy AWS Control Tower baseline resources into your accounts.

Some account limitations still apply due to the limitations on the number of CloudFormation stack sets available. Specifically, the maximum number of accounts you can enroll in an OU may differ, depending on the number of Regions you have under governance. To learn more, visit [Limitations based on underlying AWS services](https://docs.aws.amazon.com//controltower/latest/userguide/region-stackset-limitations.html) in the [*AWS Control Tower User Guide*](https://docs.aws.amazon.com//controltower/latest/userguide/what-is-control-tower.html). For a full list of AWS Regions where AWS Control Tower is available, see the [AWS Region Table](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).

## AWS Control Tower adds landing zone version selection
<a name="lz-version-select"></a>

 **August 15, 2024**

(No update required for AWS Control Tower landing zone.)

If you are running AWS Control Tower landing zone version 3.1 and above, you can update or repair your landing zone in place on the current version, or you can upgrade to a version of your choice. Previously, any landing zone update or repair required an upgrade to the latest landing zone version. 

With landing zone version selection, you have more flexibility to plan for version upgrades while you evaluate potential changes to your environment. You need not choose between repairing drift to stay in compliance, updating your landing zone configurations, or upgrading to the latest landing zone version. If you are running landing zone version 3.1 or above, you can choose to stay on the current version, or upgrade to a newer version, when you update or reset your landing zone configurations. 

## Descriptive control API available, expanded access to Regions and controls
<a name="get-and-list-controls"></a>

 **August 6, 2024**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower added two new API operations that help you find more information about available controls, programmatically. This functionality makes it easier to deploy controls with automation.
+ The [`GetControl`](https://docs.aws.amazon.com//controlcatalog/latest/APIReference/API_GetControl.html) API returns details about an enabled control, including the target identifier, a control information summary, a list of target Regions, and the drift status.
+ The [`ListControls`](https://docs.aws.amazon.com/controlcatalog/latest/APIReference/API_ListControls.html) API returns a paginated list of all available controls in the AWS Control Tower library of controls.

These APIs are reached through the [AWS Control Catalog namespace](https://docs.aws.amazon.com//controlcatalog/latest/userguide/what-is-controlcatalog.html). The AWS Control Catalog is a part of AWS Control Tower, which includes controls that help you manage other AWS services, not just AWS Control Tower. This expanded catalog consolidates controls from several AWS services, so that you can view AWS controls according to some common use cases, such as: security, cost, durability, and operations. For more information, see [the Control Catalog API Reference](https://docs.aws.amazon.com//controlcatalog/latest/APIReference/Welcome.html).

**Expanded Region availability**

Beginning with this release, you can extend AWS Control Tower governance into AWS Regions where some of your (already) enabled controls are not available. Also, you can now enable certain controls in more Regions, even though the control is not supported in all of your governed Regions.

Previously, AWS Control Tower prevented you from extending governance into Regions or enabling controls, when it did not offer consistency across all of your enabled controls and governed Regions. With this release, you have more flexibility, as well as more responsibility to ensure that your configuration is correct for all enabled controls and all governed Regions. The [AWS Control Tower control APIs](https://docs.aws.amazon.com//controltower/latest/APIReference/Welcome.html) and the [control catalog APIs](https://docs.aws.amazon.com//controlcatalog/latest/APIReference/Welcome.html) can help you get information about the AWS Regions in which you are protected by enabled controls, and the Regions in which additional controls may be deployed. Region and control information also is available in the AWS Control Tower console.

## AWS Control Tower supports AFT and CfCT in opt-in Regions
<a name="aft-cfct-regions"></a>

 **July 18, 2024**

(No update required for AWS Control Tower landing zone.)

Today, AWS Control Tower customization frameworks Account Factory for Terraform (AFT) and Customizations for AWS Control Tower (CfCT) are available in five additional AWS Regions: Asia Pacific (Hyderabad, Jakarta and Osaka), Israel (Tel Aviv), and Middle East (UAE).

Account Factory for Terraform (AFT) sets up a Terraform pipeline to help you provision and customize accounts in AWS Control Tower. Customizations for AWS Control Tower (CfCT) helps you customize your AWS Control Tower landing zone and accounts with CloudFormation templates and service control policies (SCPs).

To learn more, visit the Account Factory for Terraform and Customizations for AWS Control Tower pages in the AWS Control Tower User Guide. You also may wish to review the release notes on the AFT GitHub page and the CfCT GitHub page. AFT and CfCT are supported in all AWS Regions, with some exceptions. For specifics, see [Region limitations](https://docs.aws.amazon.com//controltower/latest/userguide/limits.html).

## AWS Control Tower adds the `ListLandingZoneOperations` API
<a name="lz-operations-api"></a>

 **June 26, 2024**

(No update required for AWS Control Tower landing zone.)

 AWS Control Tower has added an API that allows you to retrieve a list of operations recently applied to your landing zone, and operations currently in progress. The API can return the history of landing zone operations and their identifiers for up to 90 days. For usage examples, see [View the status of your landing zone operations](https://docs.aws.amazon.com//controltower/latest/userguide/lz-api-examples-short.html).

For more information about the `ListLandingZoneOperations` API, see [`ListLandingZoneOperations`](https://docs.aws.amazon.com//controltower/latest/APIReference/API_ListLandingZoneOperations.html) in the *AWS Control Tower API Reference*.

## AWS Control Tower supports up to 100 concurrent control operations
<a name="multiple-controls"></a>

 **May 20, 2024**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now supports multiple control operations with higher concurrency. You can submit up to 100 AWS Control Tower control operations, across multiple organizational units (OUs), at the same time, from the console or with APIs. Up to ten (10) operations can run simultaneously, and the additional ones are queued. In this way, you can set up a more standardized configuration across multiple AWS accounts, without the operational burden of repetitive control operations.

To monitor the status of your ongoing and queued control operations, you can navigate to the new **Recent operations** page in the AWS Control Tower console, or you can call the new [`ListControlOperations`](https://docs.aws.amazon.com//controltower/latest/APIReference/API_ListControlOperations.html) API.

The AWS Control Tower library contains more than 500 controls, which map to different control objectives, frameworks, and services. For a specific control objective, such as **Encrypt data at rest**, you can enable multiple controls with a single control operation, to help you achieve the objective. This capability facilitates accelerated development, allows faster adoption of best practice controls, and mitigates operational complexities.

## AWS Control Tower available in AWS Canada West (Calgary)
<a name="yyc-available"></a>

**May 3, 2024**

(No update required for AWS Control Tower landing zone.)

Starting today, you can activate AWS Control Tower in the Canada West (Calgary) Region. If you already have deployed AWS Control Tower and you want to extend its governance features to this Region, you can do so with the AWS Control Tower [landing zone APIs](https://docs.aws.amazon.com//controltower/latest/APIReference/Welcome.html). Or from the console, go to the **Settings** page in your AWS Control Tower dashboard, select your Regions, and then update your landing zone.

The Canada West (Calgary) Region does not support AWS Service Catalog. For this reason, some functionality of AWS Control Tower is different. The most notable functionality change is that Account Factory is not available. If you choose Canada West (Calgary) as your home Region, the procedures for updating accounts, setting up account automations, and any other processes that involve Service Catalog are different than in other Regions.

**Provisioning accounts**

To create and provision a new account in the Canada West (Calgary) Region, we recommend that you create an account outside of AWS Control Tower, and then enroll it into a registered OU. For more information, see [Enroll an existing account](https://docs.aws.amazon.com//controltower/latest/userguide/quick-account-provisioning.html) and [Steps to enroll an account](https://docs.aws.amazon.com//controltower/latest/userguide/quick-account-provisioning.html#enrollment-steps).

The Service Catalog APIs are not available in the Canada West (Calgary) Region. The example script shown in [Automate account provisioning in AWS Control Tower by Service Catalog APIs](https://docs.aws.amazon.com//controltower/latest/userguide/automated-provisioning-walkthrough.html) does not work in that Region.

Account Factory Customizations (AFC), Account Factory for Terraform (AFT), and Customizations for AWS Control Tower (CfCT) are not available in Canada West (Calgary), due to lack of other underlying dependencies for AWS Control Tower. If you extend governance to Canada West (Calgary) Region, you can continue to manage AFC blueprints in all Regions that AWS Control Tower supports, as long as Service Catalog is available in your home Region.

**Controls**

Proactive controls and controls for the **AWS Security Hub CSPM Service-Managed Standard: AWS Control Tower** are not available in Canada West (Calgary) Region. The preventive control `CT.CLOUDFORMATION.PR.1` is not available in Canada West (Calgary) because it is required only for activating the hook-based, proactive controls. Certain detective controls based on AWS Config are not available. For details, see [Control limitations](control-limitations.md).

**Identity provider**

IAM Identity Center is not available in Canada West (Calgary). The best practice recommendation is to set up your landing zone in a Region where IAM Identity Center is available. Alternatively, you have the option to self-manage your account access configuration if you use an external identity provider in Canada West (Calgary).

The unavailability of Service Catalog in Canada West (Calgary) Region has no effect on other Regions that are supported by AWS Control Tower. These differences apply only if your home Region is Canada West (Calgary).

For a full list of Regions where AWS Control Tower is available, see the [AWS Region Table](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).

## AWS Control Tower supports self-service quota adjustments
<a name="service-quotas"></a>

**April 25, 2024**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now supports self-service quota adjustments through the Service Quotas console. For more information, see [Request a quota increase](request-an-increase.md).

## AWS Control Tower releases the *Controls Reference Guide*
<a name="controls-reference-guide"></a>

**April 21, 2024**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower released the *Controls Reference Guide*, a new document where you can find detailed information about the controls that are specific to the AWS Control Tower environment. Previously, this material was included in the *AWS Control Tower User Guide*. The *Controls Reference Guide* covers controls in an expanded format. For more information, see the [AWS Control Tower Controls Reference Guide](https://docs.aws.amazon.com//controltower/latest/controlreference/introduction.html).

## AWS Control Tower updates and renames two proactive controls
<a name="update-2-proactive-controls"></a>

**March 26, 2024**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower has renamed two proactive controls to align with updates to Amazon OpenSearch Service.
+ [**[CT.OPENSEARCH.PR.8]** Require an Elasticsearch Service domain to use TLSv1.2](https://docs.aws.amazon.com//controltower/latest/controlreference/opensearch-rules.html#ct-opensearch-pr-8-description)
+ [**[CT.OPENSEARCH.PR.16]** Require an Amazon OpenSearch Service domain to use TLSv1.2](https://docs.aws.amazon.com//controltower/latest/controlreference/opensearch-rules.html#ct-opensearch-pr-16-description)

We updated the control names and the artifacts for these two controls to align with the recent release from the Amazon OpenSearch Service, which [now supports Transport Layer Security (TLS) version 1.3](https://aws.amazon.com/about-aws/whats-new/2024/01/amazon-opensearch-service-tls-1-3-perfect-forward-secrecy) among its transport security options for domain endpoint security.

To add support for TLSv1.3 for these controls, we have updated the artifact and name of the controls to reflect the intent of the control. They now evaluate the minimum TLS version of the service domain. To make this update in your environment, you must **Disable** and **Enable** the controls to deploy the latest artifact.

No other proactive controls are affected by this change. We recommend that you review these controls, to ensure that they meet your control objectives.

For questions or concerns, contact [AWS Support](http://aws.amazon.com/support).

## Deprecated controls no longer available
<a name="deprecated-controls"></a>

**March 12, 2024**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower has deprecated some controls. These controls are no longer available.
+ CT.ATHENA.PR.1
+ CT.CODEBUILD.PR.4
+ CT.AUTOSCALING.PR.3
+ SH.Athena.1
+ SH.Codebuild.5
+ SH.AutoScaling.4
+ SH.SNS.1
+ SH.SNS.2

## AWS Control Tower supports tagging `EnabledControl` resources in CloudFormation
<a name="cfn-tagging"></a>

**February 22, 2024**

(No update required for AWS Control Tower landing zone.)

This AWS Control Tower release updates the behavior of the `EnabledControl` resource, to align better with configurable controls, and to improve the ability to manage your AWS Control Tower environment with automation. With this release, you can add tags to configurable `EnabledControl` resources by means of CloudFormation templates. Previously, you could add tags through the AWS Control Tower console and APIs only.

The AWS Control Tower `GetEnabledControl`, `EnableControl`, and `ListTagsforResource` API operations are updated with this release, because they rely on the `EnabledControl` resource functionality.

For more information, see [Tagging `EnabledControl` resources in AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/controlreference/tagging.html) and [`AWS::ControlTower::EnabledControl`](https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/aws-resource-controltower-enabledcontrol.html) in the *CloudFormation User Guide*.

## AWS Control Tower supports APIs for OU registration and configuration with baselines
<a name="baseline-apis"></a>

**February 14, 2024**

(No update required for AWS Control Tower landing zone.)

The new baseline APIs support programmatic OU registration with the `EnableBaseline` call. When you enable a baseline on an OU, member accounts within the OU are enrolled into AWS Control Tower governance. Certain caveats may apply. For example, OU registration through the AWS Control Tower console enables optional controls as well as mandatory controls. When calling APIs, you may need to complete an extra step so that optional controls are enabled.

An AWS Control Tower *baseline* embodies best practices for AWS Control Tower governance of an OU and member accounts. For example, when you enable a baseline on an OU, member accounts within the OU receive a defined group of resources, including AWS CloudTrail, AWS Config, IAM Identity Center, and required AWS IAM roles.

Specific baselines are compatible with specific AWS Control Tower landing zone versions. AWS Control Tower can apply the latest compatible baseline to your landing zone, when you change your landing zone settings. For more information, see [Compatibility of OU baselines and landing zone versions](table-of-baselines.md).

**This release includes four essential [Types of baselines](types-of-baselines.md)**
+ `AWSControlTowerBaseline`
+ `AuditBaseline`
+ `LogArchiveBaseline`
+ `IdentityCenterBaseline`

With the new APIs and defined baselines, you can register OUs and automate your OU provisioning workflow. The APIs also can manage OUs that are already under AWS Control Tower governance, so you can re-register OUs after landing zone updates. The APIs include support for a CloudFormation `EnabledBaseline` resource, which allows you to manage your OUs with infrastructure as code (IaC).

**Baseline APIs**
+ **EnableBaseline**, **UpdateEnabledBaseline**, **DisableBaseline**: Take action on a baseline for an OU.
+ **GetEnabledBaseline**, **ListEnabledBaselines**: Discover configurations for your enabled baselines.
+ **GetBaselineOperation**: View the status of a particular baseline operation.
+ **ResetEnabledBaseline**: Remediate resource drift on an OU with an enabled baseline (including nested OUs and mandatory control drift). Also remediates drift for the landing-zone-level Region deny control.
+ **GetBaseline**, **ListBaselines**: Discover content of AWS Control Tower baselines.

To learn more about these APIs, review [Baselines](https://docs.aws.amazon.com//controltower/latest/userguide/table-of-baselines.html) in the AWS Control Tower User Guide, and the [API Reference](https://docs.aws.amazon.com//controltower/latest/APIReference/API_Operations.html). The new APIs are available in AWS Regions where AWS Control Tower is available, except GovCloud (US) Regions. For a list of AWS Regions where AWS Control Tower is available, see the AWS Region Table. 

# January - December 2023
<a name="2023-all"></a>

In 2023, AWS Control Tower released the following updates:
+ [Transition to new AWS Service Catalog External product type (phase 3)](#phase-3-tos-external)
+ [AWS Control Tower landing zone version 3.3](#lz-3-3)
+ [Transition to new AWS Service Catalog External product type (phase 2)](#phase-2-tos-external)
+ [AWS Control Tower announces controls to assist digital sovereignty](#digital-sovereignty)
+ [AWS Control Tower landing zone APIs](#landing-zone-apis)
+ [AWS Control Tower control tagging APIs](#control-tagging-apis)
+ [AWS Control Tower available in AWS Asia Pacific (Melbourne)](#mel-region)
+ [Transition to new AWS Service Catalog External product type (phase 1)](#transition-sc-tos-external)
+ [AWS Control Tower adds new control API](#new-control-api)
+ [AWS Control Tower adds new controls](#q3-new-controls)
+ [AWS Control Tower detects trusted access drift](#trust-access-drift)
+ [AWS Control Tower available in four additional AWS Regions](#four-regions)
+ [AWS Control Tower available in AWS Israel (Tel Aviv)](#new-tlv-region)
+ [AWS Control Tower adds 28 new proactive controls](#28-proactive-controls)
+ [AWS Control Tower deprecates two controls](#deprecate-2controls)
+ [AWS Control Tower landing zone version 3.2](#lz-3-2)
+ [AWS Control Tower adds email-to-ID mapping for IAM Identity Center](#email-to-id)
+ [AWS Control Tower adds more AWS Security Hub CSPM controls](#more-sh-controls)
+ [AWS Control Tower publishes metadata for AWS Security Hub CSPM controls](#publish-metadata)
+ [AWS Control Tower adds Account Factory Customization (AFC) for Terraform](#afc-terraform)
+ [AWS Control Tower adds self-managed IAM identity center](#iam-self-manage)
+ [AWS Control Tower adds mixed governance note](#mixed-governance-note)
+ [AWS Control Tower adds new proactive controls](#new-proactive-controls)
+ [AWS Control Tower updates Amazon EC2 controls](#updated-ec2-controls)
+ [AWS Control Tower available in seven additional AWS Regions](#seven-regions)
+ [AWS Control Tower Account Factory Customization (AFC) and request tracing generally available](#account-customization-request-tracing-ga)
+ [AWS Control Tower landing zone version 3.1](#lz-3-1)
+ [AWS Control Tower proactive controls generally available](#proactive-control-ga)

## Transition to new AWS Service Catalog External product type (phase 3)
<a name="phase-3-tos-external"></a>

**December 14, 2023**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower no longer supports *Terraform Open Source* as a product type (blueprint) when creating new AWS accounts. For more information and for instructions about updating your account blueprints, review [Transition to the AWS Service Catalog External product type](https://docs.aws.amazon.com//controltower/latest/userguide/service-catalog.html).

If you do not update your account blueprints to use the *External* product type, you can only update or terminate accounts that you provisioned using Terraform Open Source blueprints. 

## AWS Control Tower landing zone version 3.3
<a name="lz-3-3"></a>

**December 14, 2023**

(Update required for AWS Control Tower landing zone to version 3.3. For information, see [Update your landing zone](update-controltower.md)).

**Updates to S3 bucket policy in the AWS Control Tower Audit account**

We have modified the Amazon S3 Audit bucket policy that AWS Control Tower deploys in accounts, so that an `aws:SourceOrgID` condition must be met for any write permissions. With this release, AWS services have access to your resources only when the request originates from your organization or organizational unit (OU). 

You can use the `aws:SourceOrgID` condition key and set the value to your **organization ID** in the condition element of your S3 bucket policy. This condition ensures that CloudTrail can write logs to your S3 bucket only on behalf of accounts within your organization; it prevents CloudTrail in accounts outside your organization from writing to your AWS Control Tower S3 bucket.

We made this change to remediate a potential security vulnerability, without affecting the functionality of your existing workloads. To view the updated policy, see [Amazon S3 bucket policy in the audit account](logging-s3-audit-bucket.md).

For more information about the new condition key, see the IAM documentation and the IAM blog post entitled "*Use scalable controls for AWS services accessing your resources*." 

**Updates to the policy in the AWS Config SNS topic**

We added the new `aws:SourceOrgID` condition key to the policy for the AWS Config SNS topic. To view the updated policy, see [The AWS Config SNS topic policy](https://docs.aws.amazon.com//controltower/latest/userguide/receive-notifications.html#config-sns-policy).
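The `aws:SourceOrgID` requirement described above for the Audit bucket policy and for the AWS Config SNS topic policy is easy to verify mechanically: every statement that lets a service principal write must carry the condition. The following Python is an added example, not code from AWS Control Tower or from the AWS documentation. The two policy documents it inspects are constructed stand-ins shaped like the policies the release note describes, with placeholder bucket, topic, account and organization IDs; by default only `aws:SourceOrgID` counts as a sufficient scoping key, and the `condition_keys` parameter is an assumption of this example.

```python
"""Audit a resource policy for service-principal write grants that lack aws:SourceOrgID.

Added example (not AWS Control Tower code). The policies below are constructed
stand-ins shaped like the Audit bucket policy and the AWS Config SNS topic policy
described in the release note; bucket, topic, account and org IDs are placeholders.
"""
import fnmatch
import json

S3_WRITE_ACTIONS = ("s3:PutObject", "s3:PutObjectAcl")
SNS_WRITE_ACTIONS = ("sns:Publish",)

# Constructed bucket policy: an ACL check, a delivery statement scoped to the
# organization, and a delivery statement that is missing the org condition.
SAMPLE_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSBucketPermissionsCheck", "Effect": "Allow",
         "Principal": {"Service": ["cloudtrail.amazonaws.com", "config.amazonaws.com"]},
         "Action": "s3:GetBucketAcl",
         "Resource": "arn:aws:s3:::EXAMPLE-audit-bucket"},
        {"Sid": "AWSBucketDeliveryScoped", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::EXAMPLE-audit-bucket/AWSLogs/*",
         "Condition": {"StringEquals": {"aws:SourceOrgID": "o-EXAMPLEORGID"}}},
        {"Sid": "AWSBucketDeliveryUnscoped", "Effect": "Allow",
         "Principal": {"Service": "config.amazonaws.com"},
         "Action": ["s3:PutObject", "s3:PutObjectAcl"],
         "Resource": "arn:aws:s3:::EXAMPLE-audit-bucket/AWSLogs/*"},
    ],
})

# Constructed SNS topic policy with the same scoped/unscoped pair.
SAMPLE_SNS_TOPIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ConfigPublishScoped", "Effect": "Allow",
         "Principal": {"Service": "config.amazonaws.com"},
         "Action": "sns:Publish",
         "Resource": "arn:aws:sns:us-east-1:111122223333:EXAMPLE-config-topic",
         "Condition": {"StringEquals": {"aws:SourceOrgID": "o-EXAMPLEORGID"}}},
        {"Sid": "ConfigPublishUnscoped", "Effect": "Allow",
         "Principal": {"Service": "config.amazonaws.com"},
         "Action": "sns:Publish",
         "Resource": "arn:aws:sns:us-east-1:111122223333:EXAMPLE-config-topic"},
    ],
})


def _as_list(value):
    """IAM policy elements may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_service_or_anonymous(principal):
    """True for a service principal or a wildcard principal; both can be driven
    by requests that originate outside your organization."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and ("Service" in principal or principal.get("AWS") == "*")


def _grants_write(statement, write_actions):
    """True if an Allow statement's Action patterns cover any of the write actions."""
    if statement.get("Effect") != "Allow":
        return False
    patterns = [p.lower() for p in _as_list(statement.get("Action"))]
    return any(fnmatch.fnmatchcase(action.lower(), p) for action in write_actions for p in patterns)


def _has_condition_key(statement, keys):
    """True if any condition operator in the statement constrains one of `keys`."""
    wanted = {k.lower() for k in keys}
    return any(key.lower() in wanted
               for operator_block in statement.get("Condition", {}).values()
               for key in operator_block)


def audit_policy(policy_json, write_actions, condition_keys=("aws:SourceOrgID",)):
    """Return the Sids of statements that let a service or anonymous principal
    write without constraining the request to your organization."""
    policy = json.loads(policy_json)
    return [stmt.get("Sid", "<no Sid>")
            for stmt in _as_list(policy.get("Statement"))
            if _is_service_or_anonymous(stmt.get("Principal"))
            and _grants_write(stmt, write_actions)
            and not _has_condition_key(stmt, condition_keys)]


if __name__ == "__main__":
    print("bucket policy:", audit_policy(SAMPLE_BUCKET_POLICY, S3_WRITE_ACTIONS))
    print("topic policy: ", audit_policy(SAMPLE_SNS_TOPIC_POLICY, SNS_WRITE_ACTIONS))
```

Run against a live policy, the JSON string would come from `get_bucket_policy` or `get_topic_attributes`; the check is intentionally conservative, so a statement scoped by some other key (for example `aws:SourceArn`) is still reported unless you pass that key in `condition_keys`.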

**Updates to the landing zone Region Deny control**
+ Removed `discovery-marketplace:`. This action is covered by the `aws-marketplace:*` exemption.
+ Added `quicksight:DescribeAccountSubscription`

**Updated CloudFormation template**

We updated the CloudFormation template for the stack named `BASELINE-CLOUDTRAIL-MASTER` so that it does not show drift when AWS KMS encryption is not used.

## Transition to new AWS Service Catalog External product type (phase 2)
<a name="phase-2-tos-external"></a>

**December 7, 2023**

(No update required for AWS Control Tower landing zone.)

HashiCorp updated their Terraform licensing. As a result, AWS Service Catalog changed support for *Terraform Open Source* products and provisioned products to a new product type, called *External*. 

To avoid disruption to existing workloads and AWS resources in your accounts, follow the AWS Control Tower transition steps in [Transition to the AWS Service Catalog External product type](af-customization-page.md#service-catalog-external-product-type) by December 14, 2023. 

## AWS Control Tower announces controls to assist digital sovereignty
<a name="digital-sovereignty"></a>

**November 27, 2023**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower announces 65 new AWS-managed controls, to help you meet your digital sovereignty requirements. With this release, you can discover these controls under a new *digital sovereignty group* in the AWS Control Tower console. You can use these controls to help prevent actions and detect resource changes regarding *data residency*, *granular access restriction*, *encryption*, and *resiliency* capabilities. These controls are designed to make it simpler for you to address requirements at scale. For more information about digital sovereignty controls, see [Controls that enhance digital sovereignty protection](https://docs.aws.amazon.com//controltower/latest/controlreference/digital-sovereignty-controls.html).

For example, you can choose to enable controls that help enforce your encryption and resiliency strategies, such as **Require an AWS AppSync API cache to have encryption in transit enabled** or **Require an AWS Network Firewall to be deployed across multiple Availability Zones**. You can also customize the AWS Control Tower Region deny control to apply regional restrictions that best fit your unique business needs.

This release also enhances the AWS Control Tower Region deny capabilities. You can apply a new, parameterized Region deny control at the OU level, for more granular governance, while maintaining Region governance at the landing zone level. This customizable Region deny control helps you to apply regional restrictions that best fit your unique business needs. For more information about the new, configurable Region deny control, see [Region deny control applied to the OU](https://docs.aws.amazon.com//controltower/latest/controlreference/ou-region-deny.html).

To accompany the Region deny enhancement, this release includes a new API, `UpdateEnabledControl`, which allows you to reset your enabled controls to their default settings. This API is especially helpful when you need to resolve drift quickly, or to guarantee programmatically that a control is not in a state of drift. For more information about the new API, see [the AWS Control Tower API Reference](https://docs.aws.amazon.com//controltower/latest/APIReference/API_Operations.html).

**New proactive controls**
+ CT.APIGATEWAY.PR.6: Require an Amazon API Gateway REST domain to use a security policy that specifies a minimum TLS protocol version of TLSv1.2
+ CT.APPSYNC.PR.2: Require an AWS AppSync GraphQL API to be configured with private visibility 
+ CT.APPSYNC.PR.3: Require that an AWS AppSync GraphQL API is not authenticated with API keys
+ CT.APPSYNC.PR.4: Require an AWS AppSync GraphQL API cache to have encryption in transit enabled
+ CT.APPSYNC.PR.5: Require an AWS AppSync GraphQL API cache to have encryption at rest enabled
+ CT.AUTOSCALING.PR.9: Require an Amazon EBS volume configured through an Amazon EC2 Auto Scaling launch configuration to encrypt data at rest
+ CT.AUTOSCALING.PR.10: Require an Amazon EC2 Auto Scaling group to use only AWS Nitro instance types when overriding a launch template
+ CT.AUTOSCALING.PR.11: Require only AWS Nitro instance types that support network traffic encryption between instances to be added to an Amazon EC2 Auto Scaling group, when overriding a launch template
+ CT.DAX.PR.3: Require a DynamoDB Accelerator cluster to encrypt data in transit with Transport Layer Security (TLS)
+ CT.DMS.PR.2: Require an AWS Database Migration Service (DMS) Endpoint to encrypt connections for source and target endpoints
+ CT.EC2.PR.15: Require an Amazon EC2 instance to use an AWS Nitro instance type when creating from the `AWS::EC2::LaunchTemplate` resource type
+ CT.EC2.PR.16: Require an Amazon EC2 instance to use an AWS Nitro instance type when created using the `AWS::EC2::Instance` resource type
+ CT.EC2.PR.17: Require an Amazon EC2 dedicated host to use an AWS Nitro instance type
+ CT.EC2.PR.18: Require an Amazon EC2 fleet to override only those launch templates with AWS Nitro instance types
+ CT.EC2.PR.19: Require an Amazon EC2 instance to use an AWS Nitro instance type that supports encryption in transit between instances when created using the `AWS::EC2::Instance` resource type
+ CT.EC2.PR.20: Require an Amazon EC2 fleet to override only those launch templates with AWS Nitro instance types that support encryption in transit between instances
+ CT.ELASTICACHE.PR.8: Require an Amazon ElastiCache replication group of later Redis versions to have RBAC authentication activated
+ CT.MQ.PR.1: Require an Amazon MQ ActiveMQ broker to use active/standby deployment mode for high availability
+ CT.MQ.PR.2: Require an Amazon MQ Rabbit MQ broker to use Multi-AZ cluster mode for high availability
+ CT.MSK.PR.1: Require an Amazon Managed Streaming for Apache Kafka (MSK) cluster to enforce encryption in transit between cluster broker nodes
+ CT.MSK.PR.2: Require an Amazon Managed Streaming for Apache Kafka (MSK) cluster to be configured with PublicAccess disabled
+ CT.NETWORK-FIREWALL.PR.5: Require an AWS Network Firewall firewall to be deployed across multiple Availability Zones
+ CT.RDS.PR.26: Require an Amazon RDS DB Proxy to require Transport Layer Security (TLS) connections
+ CT.RDS.PR.27: Require an Amazon RDS DB cluster parameter group to require Transport Layer Security (TLS) connections for supported engine types
+ CT.RDS.PR.28: Require an Amazon RDS DB parameter group to require Transport Layer Security (TLS) connections for supported engine types
+ CT.RDS.PR.29: Require an Amazon RDS cluster not to be configured to be publicly accessible by means of the 'PubliclyAccessible' property
+ CT.RDS.PR.30: Require that an Amazon RDS database instance has encryption at rest configured to use a KMS key that you specify for supported engine types
+ CT.S3.PR.12: Require an Amazon S3 access point to have a Block Public Access (BPA) configuration with all options set to true

**New preventive controls**
+ CT.APPSYNC.PV.1: Require that an AWS AppSync GraphQL API is configured with private visibility
+ CT.EC2.PV.1: Require an Amazon EBS snapshot to be created from an encrypted EC2 volume
+ CT.EC2.PV.2: Require that an attached Amazon EBS volume is configured to encrypt data at rest
+ CT.EC2.PV.3: Require that an Amazon EBS snapshot cannot be publicly restorable
+ CT.EC2.PV.4: Require that Amazon EBS direct APIs are not called
+ CT.EC2.PV.5: Disallow the use of Amazon EC2 VM import and export
+ CT.EC2.PV.6: Disallow the use of deprecated Amazon EC2 RequestSpotFleet and RequestSpotInstances API actions
+ CT.KMS.PV.1: Require an AWS KMS key policy to have a statement that limits creation of AWS KMS grants to AWS services
+ CT.KMS.PV.2: Require that an AWS KMS asymmetric key with RSA key material used for encryption does not have a key length of 2048 bits
+ CT.KMS.PV.3: Require that an AWS KMS key is configured with the bypass policy lockout safety check enabled
+ CT.KMS.PV.4: Require that an AWS KMS customer-managed key (CMK) is configured with key material originating from AWS CloudHSM
+ CT.KMS.PV.5: Require that an AWS KMS customer-managed key (CMK) is configured with imported key material
+ CT.KMS.PV.6: Require that an AWS KMS customer-managed key (CMK) is configured with key material originating from an external key store (XKS)
+ CT.LAMBDA.PV.1: Require an AWS Lambda function URL to use AWS IAM-based authentication
+ CT.LAMBDA.PV.2: Require an AWS Lambda function URL to be configured for access only by principals within your AWS account

## AWS Control Tower landing zone APIs
<a name="landing-zone-apis"></a>

**November 26, 2023**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now offers APIs that help you manage your landing zone programmatically. These APIs allow you to create, update, and reset your landing zone, as well as retrieve information about your landing zone configuration and operations. For more information, see [Landing zone API examples](https://docs.aws.amazon.com//controltower/latest/userguide/lz-api-examples-short.html).

The landing zone APIs are available in all AWS Regions where AWS Control Tower is available, except GovCloud (US) Regions. For a list of AWS Regions where AWS Control Tower is available, see the [AWS Region Table](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).

## AWS Control Tower control tagging APIs
<a name="control-tagging-apis"></a>

**November 10, 2023**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now offers APIs that help you tag your enabled controls programmatically. These APIs allow you to add, remove, and list tags for your enabled controls. For more information, see [Tagging AWS Control Tower resources](https://docs.aws.amazon.com//controltower/latest/userguide/tagging-resources.html).

The control tagging APIs are available in all AWS Regions where AWS Control Tower is available, except GovCloud (US) Regions. For a list of AWS Regions where AWS Control Tower is available, see the [AWS Region Table](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).

## AWS Control Tower available in AWS Asia Pacific (Melbourne)
<a name="mel-region"></a>

**November 3, 2023**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower is available in the Asia Pacific (Melbourne) Region. For a full list of Regions where AWS Control Tower is available, see the [AWS Region Table](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).

## Transition to new AWS Service Catalog External product type (phase 1)
<a name="transition-sc-tos-external"></a>

**October 31, 2023**

(No update required for AWS Control Tower landing zone.)

HashiCorp updated their Terraform licensing. As a result, AWS Service Catalog changed support for *Terraform Open Source* products and provisioned products to a new product type, called *External*. 

To avoid disruption to existing workloads and AWS resources in your accounts, follow the AWS Control Tower transition steps in [Transition to the AWS Service Catalog External product type](af-customization-page.md#service-catalog-external-product-type) by December 14, 2023. 

## AWS Control Tower adds new control API
<a name="new-control-api"></a>

**October 27, 2023**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now offers a new API, `UpdateEnabledControl`, which allows you to update your enabled controls. This API is especially helpful in use cases where you need to resolve drift quickly, or to guarantee programmatically that a control is not in a state of drift. For more information about the new API, see [the AWS Control Tower API Reference](https://docs.aws.amazon.com//controltower/latest/APIReference/API_Operations.html).

The `UpdateEnabledControl` API is available in all AWS Regions where AWS Control Tower is available, except GovCloud (US) Regions. For a list of AWS Regions where AWS Control Tower is available, see the [AWS Region Table](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).

## AWS Control Tower adds new controls
<a name="q3-new-controls"></a>

**October 20, 2023**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower has added 22 new controls to the AWS Control Tower library of controls. These controls help you enforce best practices for your AWS resources. For more information about the new controls, see [Control categories](https://docs.aws.amazon.com//controltower/latest/userguide/control-categories.html).

The new controls are available in all AWS Regions where AWS Control Tower is available. For a list of AWS Regions where AWS Control Tower is available, see the [AWS Region Table](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).

## AWS Control Tower detects trusted access drift
<a name="trust-access-drift"></a>

**October 13, 2023**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now detects and reports drift for trusted access settings. Trusted access settings allow AWS Control Tower to interact with other AWS services on your behalf. If these settings are changed outside of AWS Control Tower, AWS Control Tower will detect the drift and report it in the AWS Control Tower console. For more information about trusted access drift, see [Types of governance drift](https://docs.aws.amazon.com//controltower/latest/userguide/governance-drift.html).

Trusted access drift detection is available in all AWS Regions where AWS Control Tower is available. For a list of AWS Regions where AWS Control Tower is available, see the [AWS Region Table](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).

## AWS Control Tower available in four additional AWS Regions
<a name="four-regions"></a>

**September 29, 2023**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower is available in four additional AWS Regions: Asia Pacific (Hyderabad), Asia Pacific (Jakarta), Europe (Spain), and Europe (Zurich). For a full list of Regions where AWS Control Tower is available, see the [AWS Region Table](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).

## AWS Control Tower available in AWS Israel (Tel Aviv)
<a name="new-tlv-region"></a>

**August 1, 2023**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower is available in the Israel (Tel Aviv) Region. For a full list of Regions where AWS Control Tower is available, see the [AWS Region Table](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).

## AWS Control Tower adds 28 new proactive controls
<a name="28-proactive-controls"></a>

**July 27, 2023**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower has added 28 new proactive controls to the AWS Control Tower library of controls. These controls help you enforce best practices for your AWS resources. For more information about the new controls, see [Control categories](https://docs.aws.amazon.com//controltower/latest/userguide/control-categories.html).

The new controls are available in all AWS Regions where AWS Control Tower is available. For a list of AWS Regions where AWS Control Tower is available, see the [AWS Region Table](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).

## AWS Control Tower deprecates two controls
<a name="deprecate-2controls"></a>

**July 27, 2023**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower has deprecated two controls: CT.CLOUDFORMATION.PR.2 and CT.CLOUDFORMATION.PR.3. These controls are no longer available in the AWS Control Tower library of controls. For more information about the deprecated controls, see [Control categories](https://docs.aws.amazon.com//controltower/latest/userguide/control-categories.html).

The deprecated controls are no longer available in any AWS Region.

## AWS Control Tower landing zone version 3.2
<a name="lz-3-2"></a>

**June 16, 2023**

(Update required for AWS Control Tower landing zone to version 3.2. For information, see [Update your landing zone](update-controltower.md)).

AWS Control Tower landing zone version 3.2 brings the controls that are part of the AWS Security Hub CSPM **Service-Managed Standard: AWS Control Tower** to general availability. It introduces the ability to view the drift status of controls that are part of this standard in the AWS Control Tower console.

This update includes a new service-linked role (SLR), called the **AWSServiceRoleForAWSControlTower**. This role assists AWS Control Tower by creating an EventBridge Managed Rule, called the **AWSControlTowerManagedRule**, in each member account. This managed rule collects AWS Security Hub CSPM **Finding** events, from which AWS Control Tower can determine control drift.

This rule is the first managed rule to be created by AWS Control Tower. The rule is not deployed by a stack; it is deployed directly from the EventBridge APIs. You can view the rule in the EventBridge console, or by means of the EventBridge APIs. If the `managed-by` field is populated, it will show the AWS Control Tower service principal.

Previously, AWS Control Tower assumed the **AWSControlTowerExecution** role to perform operations in member accounts. This new role and rule are better aligned with the best practices principle of allowing least privilege when performing operations in a multi-account AWS environment. The new role provides scoped-down permissions that specifically allow: creating the managed rule in member accounts, maintaining the managed rule, publishing security notifications through SNS, and verifying drift. For more information, see [AWSServiceRoleForAWSControlTower](access-control-managing-permissions.md#AWSServiceRoleForAWSControlTower).

The landing zone 3.2 update also includes a new StackSet resource in the management account, `BP_BASELINE_SERVICE_LINKED_ROLE`, which initially deploys the service-linked role.

When reporting Security Hub CSPM control drift (in landing zone 3.2 and later), AWS Control Tower receives a daily status update from Security Hub CSPM. Although controls are active in every governed Region, AWS Control Tower sends the AWS Security Hub CSPM **Finding** events to the AWS Control Tower home Region only. For more information, see [Security Hub control drift reporting](https://docs.aws.amazon.com//controltower/latest/controlreference/security-hub-controls.html#sh-drift).
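The managed rule described above is an EventBridge rule whose job is to pick Security Hub CSPM **Finding** events out of the account's event stream so that failed controls can be turned into drift. The following Python is an added example, not AWS Control Tower code, showing that selection logic offline: `FINDING_PATTERN` is a constructed EventBridge-style pattern for `Security Hub Findings - Imported` events (it is not the pattern of the AWSControlTowerManagedRule), the matcher implements only the exact-value and nested-object forms of EventBridge matching, and `SAMPLE_EVENTS` are constructed events with placeholder account, bucket and finding values.

```python
"""Select unsuppressed FAILED Security Hub findings from a stream of EventBridge events.

Added example (not AWS Control Tower code). FINDING_PATTERN is a constructed
EventBridge-style pattern, not the AWSControlTowerManagedRule's pattern, and
SAMPLE_EVENTS are constructed events with placeholder identifiers.
"""

FINDING_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
}

SAMPLE_EVENTS = [
    {   # matches the pattern: one failed and one passed finding
        "version": "0", "source": "aws.securityhub",
        "detail-type": "Security Hub Findings - Imported",
        "account": "111122223333", "region": "us-east-1",
        "detail": {"findings": [
            {"GeneratorId": "security-control/S3.9",
             "Title": "S3 bucket server access logging should be enabled",
             "Compliance": {"Status": "FAILED"}, "Workflow": {"Status": "NEW"},
             "Resources": [{"Id": "arn:aws:s3:::EXAMPLE-bucket-1"}]},
            {"GeneratorId": "security-control/S3.1",
             "Title": "S3 Block Public Access should be enabled",
             "Compliance": {"Status": "PASSED"}, "Workflow": {"Status": "RESOLVED"},
             "Resources": [{"Id": "arn:aws:s3:::EXAMPLE-bucket-1"}]},
        ]},
    },
    {   # matches, but the failed finding was suppressed (as the 3.1 note recommends for S3.9)
        "version": "0", "source": "aws.securityhub",
        "detail-type": "Security Hub Findings - Imported",
        "account": "111122223333", "region": "eu-west-1",
        "detail": {"findings": [
            {"GeneratorId": "security-control/S3.9",
             "Title": "S3 bucket server access logging should be enabled",
             "Compliance": {"Status": "FAILED"}, "Workflow": {"Status": "SUPPRESSED"},
             "Resources": [{"Id": "arn:aws:s3:::EXAMPLE-access-logging-bucket"}]},
        ]},
    },
    {   # does not match the pattern (different source and detail-type)
        "version": "0", "source": "aws.config", "detail-type": "Config Rules Compliance Change",
        "account": "111122223333", "region": "us-east-1", "detail": {"newEvaluationResult": {}},
    },
]


def event_matches(pattern, event):
    """Simplified EventBridge matching: a pattern key maps either to a list of
    allowed values (exact match) or to a nested pattern; every key must match."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not event_matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def failed_control_findings(events, pattern=FINDING_PATTERN):
    """Return (region, generator id, first resource id) for every FAILED finding
    that is not suppressed, taken from events that match the pattern."""
    hits = []
    for event in events:
        if not event_matches(pattern, event):
            continue
        for finding in event.get("detail", {}).get("findings", []):
            if finding.get("Compliance", {}).get("Status") != "FAILED":
                continue
            if finding.get("Workflow", {}).get("Status") == "SUPPRESSED":
                continue
            resource_ids = [r.get("Id") for r in finding.get("Resources", [])]
            hits.append((event["region"], finding.get("GeneratorId"),
                         resource_ids[0] if resource_ids else None))
    return hits


if __name__ == "__main__":
    for hit in failed_control_findings(SAMPLE_EVENTS):
        print(hit)
```

The second sample event illustrates why suppression matters: a finding whose workflow status is `SUPPRESSED` (the action the 3.1 release note recommends for the access logging bucket's S3.9 finding) is dropped rather than reported.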

**Update to the Region Deny control**

This landing zone version also includes an update to the Region Deny control.

**Global services and APIs added**
+ AWS Billing and Cost Management (`billing:*`)
+ AWS CloudTrail (`cloudtrail:LookupEvents`) to allow visibility of global events in member accounts.
+ AWS Consolidated Billing (`consolidatedbilling:*`)
+ AWS Management Console Mobile Application (`consoleapp:*`)
+ AWS Free Tier (`freetier:*`)
+ AWS Invoicing (`invoicing:*`)
+ AWS IQ (`iq:*`)
+ AWS User Notifications (`notifications:*`)
+ AWS User Notifications Contacts (`notifications-contacts:*`)
+ Amazon Payments (`payments:*`)
+ AWS Tax Settings (`tax:*`)

**Global services and APIs removed**
+ Removed `s3:GetAccountPublic` because it is not a valid action.
+ Removed `s3:PutAccountPublic` because it is not a valid action.

## AWS Control Tower adds email-to-ID mapping for IAM Identity Center
<a name="email-to-id"></a>

**July 13, 2023**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now supports email-to-ID mapping for IAM Identity Center. This feature allows you to map email addresses to IAM Identity Center user IDs, which makes it easier to manage user access to your AWS Control Tower environment. For more information about email-to-ID mapping, see [Integration with IAM Identity Center](https://docs.aws.amazon.com//controltower/latest/userguide/sso-integration.html).

Email-to-ID mapping is available in all AWS Regions where AWS Control Tower is available. For a list of AWS Regions where AWS Control Tower is available, see the [AWS Region Table](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).

## AWS Control Tower adds more AWS Security Hub CSPM controls
<a name="more-sh-controls"></a>

**June 29, 2023**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower has added more AWS Security Hub CSPM controls to the AWS Control Tower library of controls. These controls help you enforce best practices for your AWS resources. For more information about the new controls, see [Control categories](https://docs.aws.amazon.com//controltower/latest/userguide/control-categories.html).

The new controls are available in all AWS Regions where AWS Control Tower is available. For a list of AWS Regions where AWS Control Tower is available, see the [AWS Region Table](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).

## AWS Control Tower publishes metadata for AWS Security Hub CSPM controls
<a name="publish-metadata"></a>

**June 22, 2023**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now publishes metadata for AWS Security Hub CSPM controls. This metadata includes information about the control, such as the control ID, control title, and control description. For more information about the metadata, see [Control metadata](https://docs.aws.amazon.com//controltower/latest/userguide/control-metadata.html).

Control metadata is available in all AWS Regions where AWS Control Tower is available. For a list of AWS Regions where AWS Control Tower is available, see the [AWS Region Table](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).

## AWS Control Tower adds Account Factory Customization (AFC) for Terraform
<a name="afc-terraform"></a>

**June 15, 2023**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now supports Account Factory Customization (AFC) for Terraform. This feature allows you to use Terraform to customize your AWS Control Tower accounts. For more information about AFC for Terraform, see [Account Factory Customization for Terraform](https://docs.aws.amazon.com//controltower/latest/userguide/afc-terraform.html).

AFC for Terraform is available in all AWS Regions where AWS Control Tower is available. For a list of AWS Regions where AWS Control Tower is available, see the [AWS Region Table](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).

## AWS Control Tower adds self-managed IAM Identity Center
<a name="iam-self-manage"></a>

**June 8, 2023**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now supports self-managed IAM Identity Center. This feature allows you to use your own identity provider with AWS Control Tower. For more information about self-managed IAM Identity Center, see [IAM Identity Center](https://docs.aws.amazon.com//controltower/latest/userguide/iam-identity-center.html).

Self-managed IAM Identity Center is available in all AWS Regions where AWS Control Tower is available. For a list of AWS Regions where AWS Control Tower is available, see the [AWS Region Table](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).

## AWS Control Tower adds mixed governance note
<a name="mixed-governance-note"></a>

**June 1, 2023**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now includes a note about mixed governance. This note explains how AWS Control Tower works with other AWS services to provide governance for your AWS resources. For more information about mixed governance, see [Mixed governance](https://docs.aws.amazon.com//controltower/latest/userguide/mixed-governance.html).

The mixed governance note is available in all AWS Regions where AWS Control Tower is available. For a list of AWS Regions where AWS Control Tower is available, see the [AWS Region Table](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).

## AWS Control Tower adds new proactive controls
<a name="new-proactive-controls"></a>

**May 25, 2023**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower has added new proactive controls to the AWS Control Tower library of controls. These controls help you enforce best practices for your AWS resources. For more information about the new controls, see [Control categories](https://docs.aws.amazon.com//controltower/latest/userguide/control-categories.html).

The new controls are available in all AWS Regions where AWS Control Tower is available. For a list of AWS Regions where AWS Control Tower is available, see the [AWS Region Table](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).

## AWS Control Tower updates Amazon EC2 controls
<a name="updated-ec2-controls"></a>

**May 18, 2023**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower has updated the Amazon EC2 controls in the AWS Control Tower library of controls. These updates improve the security and reliability of your AWS Control Tower environment. For more information about the updated controls, see [Control categories](https://docs.aws.amazon.com//controltower/latest/userguide/control-categories.html).

The updated controls are available in all AWS Regions where AWS Control Tower is available. For a list of AWS Regions where AWS Control Tower is available, see the [AWS Region Table](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).

## AWS Control Tower available in seven additional AWS Regions
<a name="seven-regions"></a>

**May 11, 2023**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower is available in seven additional AWS Regions: Asia Pacific (Osaka), Canada (Central), Europe (Milan), Europe (Stockholm), Middle East (Bahrain), Middle East (UAE), and South America (São Paulo). For a full list of Regions where AWS Control Tower is available, see the [AWS Region Table](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).

## AWS Control Tower Account Factory Customization (AFC) and request tracing generally available
<a name="account-customization-request-tracing-ga"></a>

**April 27, 2023**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower Account Factory Customization (AFC) and request tracing are now generally available. AFC allows you to customize your AWS Control Tower accounts, and request tracing allows you to track the status of your AWS Control Tower requests. For more information about AFC and request tracing, see [Account Factory Customization](https://docs.aws.amazon.com//controltower/latest/userguide/account-factory-customization.html) and [Request tracing](https://docs.aws.amazon.com//controltower/latest/userguide/request-tracing.html).

AFC and request tracing are available in all AWS Regions where AWS Control Tower is available. For a list of AWS Regions where AWS Control Tower is available, see the [AWS Region Table](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).

## AWS Control Tower landing zone version 3.1
<a name="lz-3-1"></a>

**February 9, 2023**

(Update required for AWS Control Tower landing zone to version 3.1. For information, see [Update your landing zone](update-controltower.md)).

AWS Control Tower landing zone version 3.1 includes the following updates:
+ With this release, AWS Control Tower deactivates unnecessary access logging for your *access logging bucket*, which is the Amazon S3 bucket where access logs are stored in the Log Archive account, while continuing to enable server access logging for S3 buckets. This release also includes updates to the Region Deny control that allow additional actions for global services, such as Support Plans and AWS Artifact. 
+ Deactivation of server access logging for the AWS Control Tower access logging bucket causes Security Hub CSPM to create a finding for the Log Archive account's *access logging bucket*, due to an AWS Security Hub CSPM rule, [[S3.9] S3 bucket server access logging should be enabled](https://docs.aws.amazon.com//securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-s3-9). In alignment with Security Hub CSPM, we recommend that you suppress this particular finding, as stated in the Security Hub CSPM description of this rule. For additional information, see [information about suppressed findings](https://docs.aws.amazon.com//securityhub/latest/userguide/finding-workflow-status.html).
+ Access logging for the (regular) logging bucket in the Log Archive account is unchanged in version 3.1. In alignment with best practices, access events for that bucket are recorded as log entries in the *access logging bucket*. For more information about access logging, see [Logging requests using server access logging](https://docs.aws.amazon.com//AmazonS3/latest/userguide/ServerLogs.html) in the Amazon S3 documentation.
+ We made an update of the Region Deny control. This update allows actions by more global services. For details of this SCP, see [Deny access to AWS based on the requested AWS Region](https://docs.aws.amazon.com//controltower/latest/controlreference/primary-region-deny-policy.html) and [Controls that enhance data residency protection](https://docs.aws.amazon.com//controltower/latest/controlreference/data-residency-controls.html).

  **Global services added:**
  + AWS Account Management (`account:*`)
  + AWS Activate (`activate:*`)
  + AWS Artifact (`artifact:*`)
  + AWS Billing Conductor (`billingconductor:*`)
  + AWS Compute Optimizer (`compute-optimizer:*`)
  + AWS Data Pipeline (`datapipeline:GetAccountLimits`)
  + AWS Device Farm (`devicefarm:*`)
  + AWS Marketplace (`discovery-marketplace:*`)
  + Amazon ECR (`ecr-public:*`)
  + AWS License Manager (`license-manager:ListReceivedLicenses`)
  + AWS Lightsail (`lightsail:Get*`)
  + AWS Resource Explorer (`resource-explorer-2:*`)
  + Amazon S3 (`s3:CreateMultiRegionAccessPoint`, `s3:GetBucketPolicyStatus`, `s3:PutMultiRegionAccessPointPolicy`)
  + AWS Savings Plans (`savingsplans:*`)
  + IAM Identity Center (`sso:*`)
  + AWS Support App (`supportapp:*`)
  + Support Plans (`supportplans:*`)
  + AWS Sustainability (`sustainability:*`)
  + AWS Resource Groups Tagging API (`tag:GetResources`)
  + AWS Marketplace Vendor Insights (`vendor-insights:ListEntitledSecurityProfiles`)
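The Region Deny updates in landing zone versions 3.1 (the list above), 3.2 and 3.3 all change the same thing: the `NotAction` exemption list of a single Deny statement that is conditioned on `aws:RequestedRegion`. The following Python is an added example, not the SCP that AWS Control Tower deploys; `REGION_DENY_SCP` is a constructed, cut-down policy in that shape, with placeholder governed Regions and a handful of the exempted actions named in the 3.1, 3.2 and 3.3 notes, and the evaluator implements only the condition operators that policy uses. It lets you reason offline about which request is blocked and which is exempt before you change the list.

```python
"""Offline evaluator for a Region Deny style SCP.

Added example (not the SCP AWS Control Tower deploys). REGION_DENY_SCP is a
constructed, cut-down policy in the same shape: one Deny statement with a
NotAction exemption list for global services, an aws:RequestedRegion
allow-list and an exemption for the AWSControlTowerExecution role.
"""
import fnmatch

REGION_DENY_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "GRREGIONDENY",
        "Effect": "Deny",
        # A few of the global-service exemptions named in the 3.1/3.2/3.3 notes.
        "NotAction": [
            "aws-marketplace:*",
            "billing:*",
            "cloudtrail:LookupEvents",
            "datapipeline:GetAccountLimits",
            "lightsail:Get*",
            "quicksight:DescribeAccountSubscription",
            "sso:*",
            "tag:GetResources",
        ],
        "Resource": "*",
        "Condition": {
            # Placeholder governed Regions; substitute your own.
            "StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "eu-west-1"]},
            "ArnNotLike": {"aws:PrincipalARN": ["arn:aws:iam::*:role/AWSControlTowerExecution"]},
        },
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match_any(value, patterns):
    """Case-insensitive glob match, as IAM applies to Action and ArnLike patterns."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


_OPERATORS = {
    "StringEquals": lambda actual, values: actual.lower() in {v.lower() for v in values},
    "StringNotEquals": lambda actual, values: actual.lower() not in {v.lower() for v in values},
    "ArnLike": _match_any,
    "ArnNotLike": lambda actual, values: not _match_any(actual, values),
}


def _conditions_hold(statement, context):
    """Every operator/key pair must hold; condition keys are case-insensitive."""
    ctx = {k.lower(): v for k, v in context.items()}
    for operator, key_values in statement.get("Condition", {}).items():
        check = _OPERATORS[operator]  # KeyError for operators this example does not model
        for key, values in key_values.items():
            if not check(ctx[key.lower()], _as_list(values)):
                return False
    return True


def _statement_applies(statement, action, context):
    if "Action" in statement and not _match_any(action, _as_list(statement["Action"])):
        return False
    if "NotAction" in statement and _match_any(action, _as_list(statement["NotAction"])):
        return False  # exempted global-service action
    return _conditions_hold(statement, context)


def region_deny_blocks(scp, action, requested_region, principal_arn):
    """True if a Deny statement in the SCP applies to this action, Region and principal."""
    context = {"aws:RequestedRegion": requested_region, "aws:PrincipalARN": principal_arn}
    return any(stmt.get("Effect") == "Deny" and _statement_applies(stmt, action, context)
               for stmt in _as_list(scp["Statement"]))


if __name__ == "__main__":
    dev = "arn:aws:iam::111122223333:role/Developer"
    for action, region in [("ec2:RunInstances", "ap-southeast-2"),
                           ("ec2:RunInstances", "us-east-1"),
                           ("billing:ViewBilling", "ap-southeast-2"),
                           ("lightsail:GetInstances", "ap-southeast-2"),
                           ("lightsail:CreateInstances", "ap-southeast-2")]:
        blocked = region_deny_blocks(REGION_DENY_SCP, action, region, dev)
        print(f"{action:28} {region:16} denied={blocked}")
```

Two things the sample makes visible: a `NotAction` entry such as `lightsail:Get*` exempts only read calls, so `lightsail:CreateInstances` in an ungoverned Region is still denied, and the `ArnNotLike` exemption means the AWSControlTowerExecution role is never blocked, which is why that role's trust policy deserves the same scrutiny as the SCP itself.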

## AWS Control Tower proactive controls generally available
<a name="proactive-control-ga"></a>

**April 13, 2023**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower proactive controls are now generally available. Proactive controls help you enforce best practices for your AWS resources. For more information about proactive controls, see [Proactive controls](https://docs.aws.amazon.com//controltower/latest/userguide/proactive-controls.html).

Proactive controls are available in all AWS Regions where AWS Control Tower is available. For a list of AWS Regions where AWS Control Tower is available, see the [AWS Region Table](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).

# January - December 2022
<a name="2022-all"></a>

In 2022, AWS Control Tower released the following updates:
+ [Concurrent account operations](#concurrent-account-operations)
+ [Account Factory Customization (AFC)](#af-customization)
+ [Comprehensive controls assist in AWS resource provisioning and management](#proactive-controls-notes)
+ [Compliance status viewable for all AWS Config rules](#config-compliance-status)
+ [API for controls and a new CloudFormation resource](#control-control-api)
+ [CfCT supports stack set deletion](#stack-set-deletion-cfct)
+ [Customized log retention](#log-retention)
+ [Role drift repair available](#role-drift-repair)
+ [AWS Control Tower landing zone version 3.0](#version-3.0)
+ [The Organization page combines views of OUs and accounts](#ou-hierarchy-page)
+ [Simplified account creation and enrollment](#simple-create-and-enroll)
+ [AFT supports automated customization for shared AWS Control Tower accounts](#aft-supports-shared-accounts)
+ [Concurrent operations for all optional controls](#concurrent-preventive-controls)
+ [Existing security and logging accounts](#existing-security-and-logging-accounts)
+ [AWS Control Tower landing zone version 2.9](#version-2.9)
+ [AWS Control Tower landing zone version 2.8](#version-2.8)

## Concurrent account operations
<a name="concurrent-account-operations"></a>

**December 16, 2022**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now supports concurrent actions in account factory. You can create, update, or enroll up to five (5) accounts at a time. Submit up to five actions in succession and view the completion status of each request, while your accounts finish building in the background. For example, you no longer must wait for each process to complete before you update another account, or before you re-register an entire organizational unit (OU).

## Account Factory Customization (AFC)
<a name="af-customization"></a>

**November 28, 2022**

(No update required for AWS Control Tower landing zone.)

Account factory customization allows you to customize new and existing accounts from within the AWS Control Tower console. These new customization capabilities give you the flexibility to define account blueprints, which are CloudFormation templates contained in a specialized Service Catalog product. Blueprints provision fully customized resources and configurations. You also may choose to use pre-defined blueprints, built and managed by AWS partners, that help you customize accounts for specific use cases.

Previously, AWS Control Tower account factory did not support account customization in the console. With this update of account factory, you can pre-define account requirements and implement them as part of a well-defined workflow. You can apply blueprints to create new accounts, to enroll other AWS accounts into AWS Control Tower, and to update existing AWS Control Tower accounts.

When you provision, enroll, or update an account in account factory, you will select the blueprint to deploy. Those resources specified in the blueprint are provisioned in your account. When your account has finished building, all of the custom configurations are available for use immediately.

To get started with customizing accounts, you can define the resources for your intended use case in a Service Catalog product. You also can select partner-managed solutions from the AWS Getting Started Library. For more information, see [Customize accounts with Account Factory Customization (AFC)](af-customization-page.md).

## Comprehensive controls assist in AWS resource provisioning and management
<a name="proactive-controls-notes"></a>

**November 28, 2022**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now supports comprehensive controls management, including new, optional proactive controls, implemented through CloudFormation hooks. These controls are referred to as proactive because they check your resources – before the resources are deployed – to determine whether the new resources will comply with the controls that are activated in your environment.

Over 130 new proactive controls assist you with meeting specific policy objectives for your AWS Control Tower environment; with meeting requirements of industry-standard compliance frameworks; and with governing AWS Control Tower interactions across more than twenty other AWS services.

The AWS Control Tower controls library classifies these controls according to the associated AWS services and resources. For more details, see [Proactive controls](https://docs.aws.amazon.com//controltower/latest/controlreference/proactive-controls.html).

With this release, AWS Control Tower also is integrated with AWS Security Hub CSPM, by means of the new Security Hub CSPM **Service-Managed Standard: AWS Control Tower**, which supports the AWS Foundational Security Best Practices (FSBP) standard. You can view over 160 Security Hub CSPM controls alongside AWS Control Tower controls in the console, and you can obtain a Security Hub CSPM security score for your AWS Control Tower environment. For more information, see [Security Hub controls](https://docs.aws.amazon.com//controltower/latest/controlreference/security-hub-controls.html).

## Compliance status viewable for all AWS Config rules
<a name="config-compliance-status"></a>

**November 18, 2022**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now displays the compliance status of all AWS Config rules deployed into organizational units registered with AWS Control Tower. You can view the compliance status of all AWS Config rules that affect your accounts in AWS Control Tower, enrolled or unenrolled, without navigating outside of the AWS Control Tower console. Customers can choose to set up Config rules, called detective controls, in AWS Control Tower, or to set them up directly through the AWS Config service. The rules deployed by AWS Config are shown, along with the rules deployed by AWS Control Tower.

Previously, AWS Config rules deployed through the AWS Config service were not visible in the AWS Control Tower console. Customers had to navigate to the AWS Config service to identify non-compliant AWS Config rules. Now you can identify any non-compliant AWS Config rule within the AWS Control Tower console. To view the compliance status of all your Config rules, navigate to the **Account details** page in the AWS Control Tower console. You will see a list showing the compliance status of controls managed by AWS Control Tower and Config rules deployed outside of AWS Control Tower.

## API for controls and a new CloudFormation resource
<a name="control-control-api"></a>

**September 1, 2022**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now supports programmatic management of controls, also known as *guardrails*, through a set of API calls. A new CloudFormation resource supports the API functionality for controls. For more details, see [Automate tasks in AWS Control Tower](automating-tasks.md) and [Create AWS Control Tower resources with AWS CloudFormation](creating-resources-with-cloudformation.md).

These APIs allow you to enable, disable, and view the application status of controls in the AWS Control Tower library. The APIs include support for CloudFormation, so you can manage AWS resources as infrastructure-as-code (IaC). AWS Control Tower provides optional preventive and detective controls that express your policy intentions regarding an entire organizational unit (OU), and every AWS account within the OU. These rules remain in effect as you create new accounts or make changes to existing accounts.

**APIs included in this release**
+ **EnableControl** – This API call activates a control. It starts an asynchronous operation that creates AWS resources on the specified organizational unit and the accounts it contains.
+ **DisableControl** – This API call turns off a control. It starts an asynchronous operation that deletes AWS resources on the specified organizational unit and the accounts it contains.
+ **GetControlOperation** – Returns the status of a particular **EnableControl** or **DisableControl** operation.
+ **ListEnabledControls** – Lists the controls enabled by AWS Control Tower on the specified organizational unit and the accounts it contains.

To view a list of control names for optional controls, see [Resource identifiers for APIs and controls](https://docs.aws.amazon.com//controltower/latest/userguide/control-identifiers.html), in the *AWS Control Tower User Guide*.
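The enable-and-poll flow that these four calls support, written as an added example rather than code from the AWS documentation. The client is passed in so the logic runs offline against the constructed fake client below; the control and OU identifiers are placeholders, not values from this page.

```python
"""Idempotently enable a control on an OU and wait for the async operation.

Added example (not AWS code). Uses the EnableControl, GetControlOperation and
ListEnabledControls calls through a boto3-style client object. Identifiers are
placeholders with the assumed ARN shapes; replace them with your own.
"""
import time

CONTROL_ID = "arn:aws:controltower:us-east-1::control/EXAMPLE_CONTROL"  # placeholder
TARGET_OU = "arn:aws:organizations::111122223333:ou/o-example/ou-example"  # placeholder

TERMINAL_STATES = {"SUCCEEDED", "FAILED"}


def is_control_enabled(client, control_id, target_ou):
    """Walk ListEnabledControls pages and report whether control_id is on the OU."""
    kwargs = {"targetIdentifier": target_ou}
    while True:
        page = client.list_enabled_controls(**kwargs)
        for item in page.get("enabledControls", []):
            if item.get("controlIdentifier") == control_id:
                return True
        token = page.get("nextToken")
        if not token:
            return False
        kwargs["nextToken"] = token


def wait_for_operation(client, operation_id, poll_seconds=10.0, max_polls=60):
    """Poll GetControlOperation until it reaches a terminal state; return it."""
    for _ in range(max_polls):
        op = client.get_control_operation(operationIdentifier=operation_id)["controlOperation"]
        status = op["status"]
        if status in TERMINAL_STATES:
            if status == "FAILED":
                raise RuntimeError(f"operation {operation_id} failed: {op.get('statusMessage')}")
            return status
        time.sleep(poll_seconds)
    raise TimeoutError(f"operation {operation_id} still running after {max_polls} polls")


def enable_control(client, control_id, target_ou, poll_seconds=10.0):
    """Skip if already enabled, otherwise call EnableControl and wait for SUCCEEDED."""
    if is_control_enabled(client, control_id, target_ou):
        return "ALREADY_ENABLED"
    response = client.enable_control(controlIdentifier=control_id, targetIdentifier=target_ou)
    return wait_for_operation(client, response["operationIdentifier"], poll_seconds)


class FakeControlTowerClient:
    """Constructed stand-in for boto3.client('controltower'); mirrors the response
    shapes of the three calls so the flow above can be exercised offline."""

    def __init__(self, polls_until_done=2):
        self.polls_until_done = polls_until_done
        self.enabled = {}  # target OU -> set of control ids
        self.ops = {}      # operation id -> state

    def list_enabled_controls(self, targetIdentifier, nextToken=None):
        items = [{"controlIdentifier": c} for c in sorted(self.enabled.get(targetIdentifier, ()))]
        return {"enabledControls": items}

    def enable_control(self, controlIdentifier, targetIdentifier):
        op_id = f"op-{len(self.ops) + 1}"
        self.ops[op_id] = {"control": controlIdentifier, "target": targetIdentifier, "polls": 0}
        return {"operationIdentifier": op_id}

    def get_control_operation(self, operationIdentifier):
        op = self.ops[operationIdentifier]
        op["polls"] += 1
        if op["polls"] < self.polls_until_done:
            status = "IN_PROGRESS"
        else:
            status = "SUCCEEDED"
            self.enabled.setdefault(op["target"], set()).add(op["control"])
        return {"controlOperation": {"operationType": "ENABLE_CONTROL", "status": status}}


if __name__ == "__main__":
    # Offline run against the fake; for a live run use boto3.client("controltower").
    fake = FakeControlTowerClient()
    print(enable_control(fake, CONTROL_ID, TARGET_OU, poll_seconds=0))  # SUCCEEDED
    print(enable_control(fake, CONTROL_ID, TARGET_OU, poll_seconds=0))  # ALREADY_ENABLED
```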

## CfCT supports stack set deletion
<a name="stack-set-deletion-cfct"></a>

**August 26, 2022**

(No update required for AWS Control Tower landing zone.)

Customizations for AWS Control Tower (CfCT) now supports stack set deletion, by setting a parameter in the `manifest.yaml` file. For more information, see [Delete a stack set](cfct-delete-stack.md).

**Important**  
When you initially set the value of `enable_stack_set_deletion` to `true`, the next time you invoke CfCT, **ALL** resources that begin with the prefix `CustomControlTower-`, which have the associated key tag `Key:AWS_Solutions, Value: CustomControlTowerStackSet`, and which are not declared in the manifest file, are staged for deletion.

## Customized log retention
<a name="log-retention"></a>

**August 15, 2022**

(Update required for AWS Control Tower landing zone. For information, see [Update your landing zone](update-controltower.md))

AWS Control Tower now provides the ability to customize the retention policy for Amazon S3 buckets that store your AWS Control Tower CloudTrail logs. You can customize your Amazon S3 log retention policy, in increments of days or years, up to a maximum of 15 years. 

If you choose not to customize your log retention, the default settings are 1 year for standard account logging, and 10 years for access logging.

This feature is available for existing customers through AWS Control Tower when you update or repair your landing zone, and for new customers through the AWS Control Tower setup.

## Role drift repair available
<a name="role-drift-repair"></a>

**August 11, 2022**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now supports repair for role drift. You can restore a required role without a full repair of your landing zone. If this type of drift repair is needed, the console error page provides steps for restoring the role, so that your landing zone is once again available.

## AWS Control Tower landing zone version 3.0
<a name="version-3.0"></a>

**July 29, 2022**

(Update required for AWS Control Tower landing zone to version 3.0. For information, see [Update your landing zone](update-controltower.md))

AWS Control Tower landing zone version 3.0 includes the following updates:
+ The option to choose organization-level AWS CloudTrail trails, or to opt out of CloudTrail trails managed by AWS Control Tower.
+ Two new detective controls to determine whether AWS CloudTrail is logging activity in your accounts.
+ The option to aggregate AWS Config information about global resources in your home Region only.
+ An update to the Region deny control.
+ An update to the managed policy, **AWSControlTowerServiceRolePolicy**.
+ We no longer create the IAM role `aws-controltower-CloudWatchLogsRole` and the CloudWatch log group `aws-controltower/CloudTrailLogs` in each enrolled account. Previously, we created these in each account for its account trail. With organization trails, we only create one in the management account.

The following sections provide more details about each new capability.

**Organization-level CloudTrail trails in AWS Control Tower**

With landing zone version 3.0, AWS Control Tower now supports organization-level AWS CloudTrail trails.

When you update your AWS Control Tower landing zone to version 3.0, you have the option to select organization-level AWS CloudTrail trails as your logging preference, or to opt out of CloudTrail trails that are managed by AWS Control Tower. When you update to version 3.0, AWS Control Tower deletes *the existing account-level trails for enrolled accounts* after a 24-hour waiting period. AWS Control Tower does not delete account-level trails for unenrolled accounts. In the unlikely case that your landing zone update does not succeed, but the failure occurs after AWS Control Tower already has created the organization-level trail, you may incur duplicate charges for organization-level and account-level trails, until your update operation is able to complete successfully.

Going forward from landing zone 3.0, AWS Control Tower no longer supports account-level trails that AWS manages. Instead, AWS Control Tower creates an organization-level trail, which is active or inactive, according to your selection.

**Note**  
After you update to version 3.0 or later, you do not have the option to continue with account-level CloudTrail trails managed by AWS Control Tower.

No logging data is lost from your aggregated account logs, because the logs remain in the existing Amazon S3 bucket where they are stored. Only the trails are deleted, not the existing logs. If you select the option to add organization-level trails, AWS Control Tower opens a new path to a new folder within your Amazon S3 bucket and continues sending logging information to that location. If you choose to opt out of trails managed by AWS Control Tower, your existing logs remain in the bucket, unchanged.

**Path naming conventions for log storage**
+ Account trail logs are stored with a path of this form: `/org id/AWSLogs/…`
+ Organization trail logs are stored with a path of this form: `/org id/AWSLogs/org id/…`

The path that AWS Control Tower creates for your organization-level CloudTrail trails is different than the default path for a manually-created organization-level trail, which would have the following form:
+ `/AWSLogs/org id/…`

For more information about CloudTrail path naming, see [Finding your CloudTrail log files](https://docs.aws.amazon.com//awscloudtrail/latest/userguide/cloudtrail-find-log-files.html).

**Tip**  
If you plan to create and manage your own account-level trails, we recommend that you create the new trails before you complete the update to AWS Control Tower landing zone version 3.0, to start logging right away.

At any time, you may choose to create new account-level or organization-level CloudTrail trails and manage them on your own. The option to choose organization-level CloudTrail trails managed by AWS Control Tower is available during any landing zone update to version 3.0 or later. You can opt *into* and opt *out of* organization-level trails, whenever you update your landing zone. 

If your logs are managed by a third-party service, be sure to give the new path name to your service.

**Note**  
For landing zones at version 3.0 or later, account-level AWS CloudTrail trails are not supported by AWS Control Tower. You can create and maintain your own account-level trails at any time, or you can opt into organization-level trails managed by AWS Control Tower.

**Record AWS Config resources in the home Region only**

In landing zone version 3.0, AWS Control Tower has updated the baseline configuration for AWS Config so that it records global resources in the home Region only. After you update to version 3.0, resource recording for global resources is enabled only in your home Region.

This configuration is considered a best practice. It is recommended by AWS Security Hub CSPM and AWS Config, and it creates cost savings by reducing the number of configuration items created when global resources are created, modified, or deleted. Previously, each time a global resource was created, updated, or deleted, whether by a customer or by an AWS service, a configuration item was created for each item in each governed Region.

**Two new detective controls for AWS CloudTrail logging**

As part of the change to organization-level AWS CloudTrail trails, AWS Control Tower is introducing two new detective controls that check whether CloudTrail is enabled. The first control has **Mandatory** guidance, and it is enabled on the Security OU during setup or landing zone updates of 3.0 and later. The second control has **Strongly recommended** guidance, and it is optionally applied to any OUs other than the Security OU, which already has the mandatory control protection enforced.

**Mandatory control:** [Detect whether shared accounts under the Security organizational unit have AWS CloudTrail or CloudTrail Lake enabled](https://docs.aws.amazon.com//controltower/latest/controlreference/mandatory-controls.html#ensure-cloudtrail-enabled-mandatory)

**Strongly recommended control:** [Detect whether an account has AWS CloudTrail or CloudTrail Lake enabled](https://docs.aws.amazon.com//controltower/latest/controlreference/strongly-recommended-controls.html#ensure-cloudtrail-enabled-recommended)

For more information about the new controls, see [The AWS Control Tower controls library](https://docs.aws.amazon.com//controltower/latest/controlreference/controls-reference.html).

**An update to the Region deny control**

We updated the **NotAction** list in the Region deny control to include actions by some additional services, listed below:

```
            "chatbot:*",
            "s3:GetAccountPublic",
            "s3:DeleteMultiRegionAccessPoint",
            "s3:DescribeMultiRegionAccessPointOperation",
            "s3:GetMultiRegionAccessPoint",
            "s3:GetMultiRegionAccessPointPolicy",
            "s3:GetMultiRegionAccessPointPolicyStatus",
            "s3:ListMultiRegionAccessPoints",
            "s3:GetStorageLensConfiguration",
            "s3:GetStorageLensDashboard",
            "s3:ListStorageLensConfigurations",
            "s3:GetAccountPublicAccessBlock",
            "s3:PutAccountPublic",
            "s3:PutAccountPublicAccessBlock",
```
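To check what the Region deny control's `NotAction` exemptions (the 3.0 additions above and the 3.1 global-service list earlier on this page) actually let through, here is an added evaluator that is not part of the AWS documentation. It models only the action/Region logic of the Deny statement with a constructed SCP fragment; the governed Regions are made-up values and the principal-based exemptions of the real control are not modelled.

```python
"""Check which requests the Region deny SCP would block.

Added example, not AWS code. Models a Deny statement that applies outside the
governed Regions unless the action matches a NotAction exemption pattern.
"""
import fnmatch

# Constructed SCP fragment. The NotAction entries are a sample drawn from the
# 3.0 and 3.1 release notes on this page; the governed Regions are made up.
REGION_DENY_STATEMENT = {
    "Effect": "Deny",
    "NotAction": [
        "account:*",
        "activate:*",
        "datapipeline:GetAccountLimits",
        "lightsail:Get*",
        "s3:CreateMultiRegionAccessPoint",
        "s3:GetBucketPolicyStatus",
        "s3:GetMultiRegionAccessPoint",
        "s3:ListStorageLensConfigurations",
        "s3:GetAccountPublicAccessBlock",
        "sso:*",
        "tag:GetResources",
    ],
    "Resource": "*",
    "Condition": {
        "StringNotEquals": {"aws:RequestedRegion": ["eu-central-1", "eu-west-1"]}
    },
}


def action_matches(pattern, action):
    """IAM-style action match: case-insensitive, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_denied(action, requested_region, statement=REGION_DENY_STATEMENT):
    """True if the Deny statement applies to `action` issued in `requested_region`."""
    governed = statement["Condition"]["StringNotEquals"]["aws:RequestedRegion"]
    if requested_region in governed:
        return False  # condition not met; the statement does not apply
    if any(action_matches(p, action) for p in statement["NotAction"]):
        return False  # exempted global-service action
    return True


def audit(requests, statement=REGION_DENY_STATEMENT):
    """Classify (action, region) pairs into {'denied': [...], 'allowed': [...]}."""
    result = {"denied": [], "allowed": []}
    for action, region in requests:
        key = "denied" if is_denied(action, region, statement) else "allowed"
        result[key].append((action, region))
    return result


def new_exemptions(old_patterns, new_patterns):
    """Patterns a newer landing zone version exempts that the older one did not."""
    return sorted(set(new_patterns) - set(old_patterns))


if __name__ == "__main__":
    # Constructed sample of requests, as you might derive from CloudTrail events.
    sample = [
        ("ec2:RunInstances", "us-east-1"),
        ("ec2:RunInstances", "eu-central-1"),
        ("lightsail:GetInstances", "us-east-1"),
        ("lightsail:CreateInstances", "us-east-1"),
        ("sso:ListInstances", "ap-southeast-1"),
    ]
    for kind, items in audit(sample).items():
        print(kind, items)
    lz30 = ["chatbot:*", "s3:GetAccountPublicAccessBlock"]
    lz31 = lz30 + ["account:*", "lightsail:Get*"]
    print("newly exempt:", new_exemptions(lz30, lz31))
```

Running `new_exemptions` over the `NotAction` lists of two landing zone versions is a quick way to review what an update newly permits outside your governed Regions before you apply it.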

### Video Walkthrough
<a name="update-to-3.0-video"></a>

This video (3:07) describes how to update your existing AWS Control Tower landing zone to version 3. For better viewing, select the icon at the lower right corner of the video to enlarge it to full screen. Captioning is available.

[![AWS Videos](http://img.youtube.com/vi/zf-dJ6_joTw/0.jpg)](http://www.youtube.com/watch?v=zf-dJ6_joTw)


## The Organization page combines views of OUs and accounts
<a name="ou-hierarchy-page"></a>

**July 18, 2022**

(No update required for AWS Control Tower landing zone.)

The new **Organization** page in AWS Control Tower shows a hierarchical (tree) view of all organizational units (OUs) and accounts. It combines the information from the **OUs** and **Accounts** pages, which existed previously.

On the new page, you can see relationships between parent OUs and their nested OUs and accounts. You can take action on groupings of resources. You can configure the page view. For example, you can expand or collapse the hierarchical view, filter the view to see accounts or OUs only, choose to view only your enrolled accounts and registered OUs, or you can view groups of related resources. It is easier to ensure that your entire organization is updated properly.

## Simplified account creation and enrollment
<a name="simple-create-and-enroll"></a>

**June 30, 2022**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now provides a simplified workflow for creating and enrolling accounts. You can create a new account or enroll an existing account in a single workflow, without navigating to the Service Catalog console. For more information, see [Enroll an existing account from the AWS Control Tower console](quick-account-provisioning.md).

## AFT supports automated customization for shared AWS Control Tower accounts
<a name="aft-supports-shared-accounts"></a>

**May 27, 2022**

(No update required for AWS Control Tower landing zone.)

Account Factory for Terraform (AFT) now can programmatically customize and update any of your accounts that are managed by AWS Control Tower, including the management account, audit account, and log archive account, along with your enrolled accounts. You can centralize your account customization and update management, while protecting the security of your account configurations, because you scope the role that carries out the work.

The existing **AWSAFTExecution** role now deploys customizations in all accounts. You can set up IAM permissions with boundaries that limit the access of the **AWSAFTExecution** role according to your business and security requirements. You also can programmatically delegate the approved customization permissions in that role, for trusted users. As a best practice, we recommend that you restrict permissions to those that are necessary to deploy the required customizations.

AFT now creates the new **AWSAFTService** role to deploy AFT resources in all managed accounts, including the shared accounts and management account. Resources formerly were deployed by the **AWSAFTExecution** role.

The AWS Control Tower shared and management accounts are not provisioned through account factory, so they do not have corresponding provisioned products in AWS Service Catalog. Therefore, you are not able to update the shared and management accounts in Service Catalog.

## Concurrent operations for all optional controls
<a name="concurrent-preventive-controls"></a>

**May 18, 2022**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now supports concurrent operations for preventive controls, as well as for detective controls.

With this new feature, any optional control now can be applied or removed concurrently, thereby improving the ease of use and performance for all optional controls. You can enable multiple optional controls without waiting for individual control operations to complete. The only restricted times are when AWS Control Tower is in the process of landing zone setup, or while extending governance to a new organization.

**Supported functionality for preventive controls:**
+ Apply and remove different preventive controls on the same OU.
+ Apply and remove different preventive controls on different OUs, concurrently. 
+ Apply and remove the same preventive control on multiple OUs, concurrently. 
+ You can apply and remove any preventive and detective controls, concurrently.

You can experience these control concurrency improvements in all released versions of AWS Control Tower.

When you apply preventive controls to nested OUs, the preventive controls affect all accounts and OUs nested under the target OU, even if those accounts and OUs are not registered with AWS Control Tower. Preventive controls are implemented using Service Control Policies (SCPs), which are part of AWS Organizations. Detective controls are implemented using AWS Config rules. Guardrails remain in effect as you create new accounts or make changes to your existing accounts, and AWS Control Tower provides a summary report of how each account conforms to your enabled policies. For a full list of available controls, see [The AWS Control Tower controls library](https://docs.aws.amazon.com//controltower/latest/controlreference/controls-reference.html). 

## Existing security and logging accounts
<a name="existing-security-and-logging-accounts"></a>

**May 16, 2022**

(Available during initial setup.)

AWS Control Tower now provides the option for you to specify an existing AWS account as an AWS Control Tower security or logging account, during the initial landing zone setup process. This option eliminates the need for AWS Control Tower to create new, shared accounts. The security account, which is called the **Audit** account by default, is a restricted account that gives your security and compliance teams access to all accounts in your landing zone. The logging account, which is called the **Log Archive** account by default, works as a repository. It stores logs of API activities and resource configurations from all accounts in your landing zone.

By bringing your existing security and logging accounts, it is easier to extend AWS Control Tower governance into your existing organizations, or to move to AWS Control Tower from an alternate landing zone. The option for you to use existing accounts is displayed during the initial landing zone setup. It includes checks during the setup process, which ensure successful deployment. AWS Control Tower implements the necessary roles and controls on your existing accounts. It does not remove or merge any existing resources or data that exists in these accounts.

Limitation: If you plan to bring existing AWS accounts into AWS Control Tower as audit and log archive accounts, and if those accounts have existing AWS Config resources, you must delete the existing AWS Config resources before you can enroll the accounts into AWS Control Tower.

## AWS Control Tower landing zone version 2.9
<a name="version-2.9"></a>

**April 22, 2022**

(Update required for AWS Control Tower landing zone to version 2.9. For information, see [Update your landing zone](update-controltower.md))

AWS Control Tower landing zone version 2.9 updates the notification forwarder Lambda to use the Python version 3.9 runtime. This update addresses the deprecation of Python version 3.6, which is planned for July of 2022. For the latest information, see [the Python deprecation page](https://docs.aws.amazon.com//lambda/latest/dg/runtime-support-policy.html).

## AWS Control Tower landing zone version 2.8
<a name="version-2.8"></a>

**February 10, 2022**

(Update required for AWS Control Tower landing zone to version 2.8. For information, see [Update your landing zone](update-controltower.md))

AWS Control Tower landing zone version 2.8 adds functionality that aligns with recent updates to the [AWS Foundational Security Best Practices](https://docs.aws.amazon.com//securityhub/latest/userguide/securityhub-standards-fsbp.html).

**In this release:**
+ Access logging is configured for the access log bucket in the Log Archive account, to keep track of access to the existing S3 access log bucket. 
+ Support for lifecycle policy is added. The access log for the existing S3 access log bucket is set to a default retention time of 10 years.
+ Additionally, this release updates AWS Control Tower to use the AWS Service Linked Role (SLR) provided by AWS Config, in all managed accounts (not including the management account), so that you can set up and manage Config rules to match AWS Config best practices. Customers who do not upgrade will continue to use their existing role.
+ This release streamlines the AWS Control Tower KMS configuration process for encrypting AWS Config data, and it improves the related status messaging in CloudTrail. 
+ The release includes an update to the Region deny control, to allow for the `route53-application-recovery` feature in `us-west-2`.
+ Update: On February 15, 2022, we removed the dead letter queue for AWS Lambda functions.

**Additional details:**
+ If you decommission your landing zone, AWS Control Tower does not remove the AWS Config service-linked role.
+ If you deprovision an Account Factory account, AWS Control Tower does not remove the AWS Config service-linked role.

To update your landing zone to 2.8, navigate to the **Landing zone settings** page, select the 2.8 version, and then choose **Update**. After you update your landing zone, you must update all accounts that are governed by AWS Control Tower, as given in [Configuration update management in AWS Control Tower](configuration-updates.md).

# January - December 2021
<a name="2021-all"></a>

In 2021, AWS Control Tower released the following updates:
+ [Region deny capabilities](#region-deny-control)
+ [Data residency features](#data-residency-feature)
+ [AWS Control Tower introduces Terraform account provisioning and customization](#aft-available)
+ [New lifecycle event available](#precheck-organizational-unit-event)
+ [AWS Control Tower enables nested OUs](#nested-ou)
+ [Detective control concurrency](#detective-control-concurrency)
+ [Two new Regions available](#paris-and-sao-paulo)
+ [Region deselection](#region-deselect)
+ [AWS Control Tower works with AWS Key Management Systems](#kms-keys)
+ [Controls renamed, functionality unchanged](#control-renaming)
+ [AWS Control Tower scans SCPs daily to check for drift](#daily-scp-scans)
+ [Customized names for OUs and accounts](#rename-core-ous-and-accounts)
+ [AWS Control Tower landing zone version 2.7](#version-2.7)
+ [Three new AWS Regions available](#three-new-regions)
+ [Govern selected Regions only](#region-select)
+ [AWS Control Tower now extends governance to existing OUs in your AWS organizations](#extended-governance)
+ [AWS Control Tower provides bulk account updates](#bulk-update)

## Region deny capabilities
<a name="region-deny-control"></a>

**November 30, 2021**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now provides Region deny capabilities, which assist you in limiting access to AWS services and operations for enrolled accounts in your AWS Control Tower environment. The Region deny feature complements existing Region selection and Region deselection features in AWS Control Tower. Together, these features help you to address compliance and regulatory concerns, while balancing the costs associated with expanding into additional Regions.

For example, AWS customers in Germany can deny access to AWS services in Regions outside of the Frankfurt Region. You can select restricted Regions during the AWS Control Tower setup process, or in the **Landing zone settings** page. The Region deny feature is available when you update your AWS Control Tower landing zone version. Select AWS services are exempt from Region deny capabilities. To learn more, see [Configure the Region deny control](https://docs.aws.amazon.com//controltower/latest/userguide/region-deny.html).

## Data residency features
<a name="data-residency-feature"></a>

**November 30, 2021**

(No update required for AWS Control Tower landing zone.)

AWS Control Tower now offers purpose-built controls to help ensure that any customer data you upload to AWS services is located only in the AWS Regions that you specify. You can select the AWS Region or Regions in which your customer data is stored and processed. For a full list of AWS Regions where AWS Control Tower is available, see the [AWS Region Table](https://aws.amazon.com//about-aws/global-infrastructure/regional-product-services/).

For granular control, you can apply additional controls, such as **Disallow Amazon Virtual Private Network (VPN) connections**, or **Disallow internet access for an Amazon VPC instance**. You can view the compliance status of the controls in the AWS Control Tower console. For a full list of available controls, see [The AWS Control Tower controls library](https://docs.aws.amazon.com//controltower/latest/controlreference/controls-reference.html). 

## AWS Control Tower introduces Terraform account provisioning and customization
<a name="aft-available"></a>

**November 29, 2021**

(Optional update for AWS Control Tower landing zone.)

You can now employ Terraform to provision and update customized accounts through AWS Control Tower, with *AWS Control Tower Account Factory for Terraform (AFT)*.

AFT provides a single Terraform infrastructure as code (IaC) pipeline, which provisions accounts managed by AWS Control Tower. Customizations during provisioning help to meet your business and security policies, before you give the accounts to end-users.

The AFT automated account creation pipeline monitors until account provisioning is complete, and then it continues, triggering additional Terraform modules that enhance the account with any necessary customizations. As an additional part of the customization process, you can configure the pipeline to install your own custom Terraform modules, and you can choose to add any of the AFT Feature Options, which are provided by AWS for common customizations.

Get started with AWS Control Tower Account Factory for Terraform by following the steps provided in the *AWS Control Tower User Guide*, [Deploy AWS Control Tower Account Factory for Terraform (AFT)](aft-getting-started.md), and by downloading AFT for your Terraform instance. AFT supports Terraform Cloud, Terraform Enterprise, and Terraform Open Source distributions.

## New lifecycle event available
<a name="precheck-organizational-unit-event"></a>

**November 18, 2021**

(No update required for AWS Control Tower landing zone)

The `PrecheckOrganizationalUnit` event logs whether any resources block the **Extend governance** task from success, including resources in nested OUs. For more information, see [`PrecheckOrganizationalUnit`](lifecycle-events.md#precheck-organizational-unit).

## AWS Control Tower enables nested OUs
<a name="nested-ou"></a>

**November 16, 2021**

(No update required for AWS Control Tower landing zone)

AWS Control Tower now enables you to include nested OUs as part of your landing zone.

AWS Control Tower provides support for nested organizational units (OUs), allowing you to organize accounts into multiple hierarchy levels, and to enforce preventive controls hierarchically. You can register OUs containing nested OUs, create and register OUs under parent OUs, and enable controls on any registered OU, regardless of depth. To support this functionality, the console shows the number of governed accounts and OUs.

With nested OUs, you can align your AWS Control Tower OUs to the AWS multi-account strategy, and you can reduce the time required to enable controls on multiple OUs, by enforcing controls at the parent OU level.

**Key considerations**

1. You can register existing, multi-level OUs with AWS Control Tower one OU at a time, starting with the top-level OU and then proceeding down the tree. For more information, see [Expand from flat OU structure to nested OU structure](nested-ous.md#flat-to-nested).

1. Accounts directly under a registered OU are enrolled automatically. Accounts further down the tree can be enrolled by registering their immediate parent OU.

1. Preventive controls (SCPs) are inherited down the hierarchy automatically; SCPs applied to the parent are inherited by all nested OUs. 

1. Detective controls (AWS Config rules) are NOT inherited automatically.

1. Compliance with detective controls is reported by each OU.

1. SCP drift on an OU affects all accounts and OUs under it.

1. You cannot create new nested OUs under the Security OU (Core OU).
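
The following Python model is an added example, not code from AWS Control Tower or its documentation; it encodes the key considerations above (SCP inheritance, non-inheritance of detective controls, enrollment through a registered immediate parent OU, SCP drift blast radius, and the Security OU restriction) so you can reason about a proposed OU tree before registering it. All OU, account, and control names are constructed.

```python
"""Model of control propagation in a nested OU hierarchy (added example).

Not code from AWS Control Tower or its documentation. Preventive controls
(SCPs) are inherited down the tree, detective controls (AWS Config rules) are
not, accounts are enrolled only through a registered immediate parent OU, SCP
drift on an OU affects everything beneath it, and the Security OU takes no
nested OUs. All names below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class OU:
    name: str
    registered: bool = True
    preventive: set = field(default_factory=set)   # SCP-backed controls enabled on this OU
    detective: set = field(default_factory=set)    # Config-rule-backed controls enabled here
    accounts: set = field(default_factory=set)     # accounts placed directly in this OU
    children: list = field(default_factory=list)


def _path_to_account(ou, account, path=()):
    """Chain of OUs from `ou` down to the OU that directly contains `account`, or None."""
    path = path + (ou,)
    if account in ou.accounts:
        return path
    for child in ou.children:
        found = _path_to_account(child, account, path)
        if found:
            return found
    return None


def effective_controls(root, account):
    """Controls in force for an account (considerations 3, 4 and 5)."""
    path = _path_to_account(root, account)
    if path is None:
        raise KeyError(f"account {account!r} not found under {root.name!r}")
    preventive = set().union(*(ou.preventive for ou in path))  # SCPs inherit downward
    detective = set(path[-1].detective)                         # Config rules do not
    return {"preventive": preventive, "detective": detective}


def enrolled_accounts(root):
    """Accounts whose immediate parent OU is registered (consideration 2)."""
    enrolled, stack = set(), [root]
    while stack:
        ou = stack.pop()
        if ou.registered:
            enrolled |= ou.accounts
        stack.extend(ou.children)
    return enrolled


def drift_blast_radius(root, drifted_ou_name):
    """OUs and accounts affected by SCP drift on the named OU (consideration 6)."""
    def find(ou):
        if ou.name == drifted_ou_name:
            return ou
        for child in ou.children:
            hit = find(child)
            if hit:
                return hit
        return None

    start = find(root)
    if start is None:
        raise KeyError(drifted_ou_name)
    ous, accounts, stack = set(), set(), [start]
    while stack:
        ou = stack.pop()
        ous.add(ou.name)
        accounts |= ou.accounts
        stack.extend(ou.children)
    return {"ous": ous, "accounts": accounts}


def can_create_nested_ou(parent):
    """Consideration 7: no new nested OUs under the Security OU (formerly Core OU)."""
    return parent.name not in ("Security", "Core")


# Constructed tree: Workloads is registered; Prod is registered; Dev is not yet registered.
PROD = OU("Prod", preventive={"DISALLOW_ROOT_ACCESS_KEYS"},
          detective={"DETECT_S3_PUBLIC_WRITE"}, accounts={"prod-web", "prod-db"})
DEV = OU("Dev", registered=False, accounts={"dev-sandbox"})
WORKLOADS = OU("Workloads", preventive={"DISALLOW_VPN_CONNECTIONS"},
               detective={"DETECT_ROOT_MFA_DISABLED"}, children=[PROD, DEV])
SECURITY = OU("Security", accounts={"log-archive", "audit"})
ROOT = OU("Root", registered=False, children=[WORKLOADS, SECURITY])  # organization root

if __name__ == "__main__":
    print(effective_controls(ROOT, "prod-web"))   # preventive from Workloads + Prod; detective from Prod only
    print(sorted(enrolled_accounts(ROOT)))        # dev-sandbox is absent until Dev is registered
    print(drift_blast_radius(ROOT, "Workloads"))  # Prod, Dev and their accounts are all affected
```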

## Detective control concurrency
<a name="detective-control-concurrency"></a>

**November 5, 2021**

(Optional update for AWS Control Tower landing zone)

Detective controls in AWS Control Tower now support concurrent operations, improving ease of use and performance. You can enable multiple detective controls without waiting for individual control operations to complete.

**Supported functionality:**
+ Enable different detective controls on the same OU (for example, **Detect Whether MFA for the Root User is Enabled** and **Detect Whether Public Write Access to Amazon S3 Buckets is Allowed**).
+ Enable different detective controls on different OUs, concurrently. 
+ Guardrail error messaging has been improved to give additional guidance for supported control concurrency operations. 

**Not supported in this release:**
+ Enabling the same detective control on multiple OUs concurrently is not supported.
+ *Preventive* control concurrency is not supported.

You can experience the detective control concurrency improvements in all versions of AWS Control Tower. It is recommended that customers not currently on version 2.7 perform a landing zone update to take advantage of other features, such as Region selection and deselection, which are available in the latest version.

## Two new Regions available
<a name="paris-and-sao-paulo"></a>

**July 29, 2021**

(Update required for AWS Control Tower landing zone)

AWS Control Tower is now available in two additional AWS Regions: South America (Sao Paulo), and Europe (Paris). This update expands AWS Control Tower availability to 15 AWS Regions. 

If you are new to AWS Control Tower, you can launch it right away in any of the supported Regions. During the launch, you can select the Regions in which you want AWS Control Tower to build and govern your multi-account environment.

If you already have an AWS Control Tower environment and you want to extend or remove AWS Control Tower governance features in one or more supported Regions, go to the **Landing Zone Settings** page in your AWS Control Tower dashboard, then select the Regions. After updating your landing zone, you must then [update all accounts that are governed by AWS Control Tower](https://docs.aws.amazon.com//controltower/latest/userguide/configuration-updates.html#deploying-to-new-region).

## Region deselection
<a name="region-deselect"></a>

**July 29, 2021**

(Optional update for AWS Control Tower landing zone)

AWS Control Tower Region deselection enhances your ability to manage the geographical footprint of your AWS Control Tower resources. You can deselect Regions you would no longer like AWS Control Tower to govern. This feature provides you with the capability to address compliance and regulatory concerns while balancing the costs associated with expanding into additional Regions.

Region deselection is available when you update your AWS Control Tower landing zone version. 

When you use Account Factory to create a new account or enroll a pre-existing member account, or when you select **Extend Governance** to enroll accounts in a pre-existing organizational unit, AWS Control Tower deploys its governance capabilities (centralized logging, monitoring, and controls) in your chosen Regions in the accounts. Choosing to deselect a Region and remove AWS Control Tower governance from that Region removes that governance functionality, but it does not inhibit your users’ ability to deploy AWS resources or workloads into those Regions. 

## AWS Control Tower works with AWS Key Management Service
<a name="kms-keys"></a>

**July 28, 2021**

(Optional update for AWS Control Tower landing zone)

AWS Control Tower provides you with the option to use an AWS Key Management Service (AWS KMS) key that you provide and manage, to secure the services that AWS Control Tower deploys, including AWS CloudTrail, AWS Config, and the associated Amazon S3 data. AWS KMS encryption is an enhanced level of encryption over the SSE-S3 encryption that AWS Control Tower uses by default.

The integration of AWS KMS support into AWS Control Tower aligns with the **AWS Foundational Security Best Practices**, which recommend an added layer of security for your sensitive log files. You should use AWS KMS–managed keys (SSE-KMS) for encryption at rest. AWS KMS encryption support is available when you set up a new landing zone or when you update your existing AWS Control Tower landing zone.

To configure this functionality, you can select **KMS Key Configuration** during your initial landing zone setup. You can choose an existing KMS key, or you can select a button that directs you to the AWS KMS console to create a new one. You also have the flexibility to change from default encryption to SSE-KMS, or to a different SSE-KMS key.

For an existing AWS Control Tower landing zone, you can perform an update to start using AWS KMS keys. 

## Controls renamed, functionality unchanged
<a name="control-renaming"></a>

**July 26, 2021**

(No update required for AWS Control Tower landing zone)

AWS Control Tower is revising certain control names and descriptions to better reflect the policy intentions of the control. The revised names and descriptions help you understand more intuitively the ways in which controls embody the policies of your accounts. For example, we changed part of the names of detective controls from “Disallow” to “Detect” because the detective control itself does not stop a specific action, it only detects policy violations and provides alerts through the dashboard.

Control functionality, guidance, and implementation remain unchanged. Only the control names and descriptions have been revised.

## AWS Control Tower scans SCPs daily to check for drift
<a name="daily-scp-scans"></a>

**May 11, 2021**

(No update required for AWS Control Tower landing zone)

AWS Control Tower now performs daily automated scans of your managed SCPs to verify that the corresponding controls are applied correctly and that they have not drifted. If a scan discovers drift, you will receive a notification. AWS Control Tower sends only one notification per drift issue, so if your landing zone already is in a state of drift, you will not receive additional notifications unless a new drift item is found.

## Customized names for OUs and accounts
<a name="rename-core-ous-and-accounts"></a>

**April 16, 2021**

(No update required for AWS Control Tower landing zone)

AWS Control Tower now allows you to customize your landing zone naming. You can retain the names that AWS Control Tower recommends for the organizational units (OUs) and core accounts, or you can modify these names during the initial landing zone setup process.

The default names that AWS Control Tower provides for the OUs and core accounts match the AWS multi-account best practices guidance. However, if your company has specific naming policies, or if you already have an existing OU or account with the same recommended name, the new OU and account naming functionality gives you the flexibility to address those constraints.

Separately from that workflow change during setup, the OU formerly known as the Core OU is now called the Security OU, and the OU formerly known as the Custom OU is now called the Sandbox OU. We made this change to improve our alignment with overall AWS best practices guidance for naming.

New customers will see these new OU names. Existing customers will continue to see the original names of these OUs. You may encounter some inconsistencies in OU naming while we are updating our documentation to the new names.

To get started with AWS Control Tower from the AWS Management Console, go to the AWS Control Tower console, and select **Set up landing zone** in the top right. For additional information, you can read about planning your AWS Control Tower landing zone.

## AWS Control Tower landing zone version 2.7
<a name="version-2.7"></a>

**April 8, 2021**

(Update required for AWS Control Tower landing zone to version 2.7. For information, see [Update your landing zone](update-controltower.md))

With AWS Control Tower version 2.7, AWS Control Tower introduces four new mandatory preventive Log Archive controls that implement policy solely on AWS Control Tower resources. We have adjusted the guidance on four existing Log Archive controls from mandatory to elective, because they set policy for resources outside of AWS Control Tower. This control change and expansion provides the ability to separate Log Archive governance for resources within AWS Control Tower from governance of resources outside of AWS Control Tower.

The four changed controls can be used in conjunction with the new mandatory controls to provide governance to a broader set of AWS Log Archives. Existing AWS Control Tower environments will keep these four changed controls enabled automatically, for environment consistency; however, these elective controls now can be disabled. New AWS Control Tower environments must enable all elective controls. **Existing environments must disable the formerly mandatory controls before adding encryption to Amazon S3 buckets that are not deployed by AWS Control Tower.**

**New mandatory controls:**
+ Disallow Changes to Encryption Configuration for AWS Control Tower Created S3 Buckets in Log Archive 
+ Disallow Changes to Logging Configuration for AWS Control Tower Created S3 Buckets in Log Archive
+ Disallow Changes to Bucket Policy for AWS Control Tower Created S3 Buckets in Log Archive 
+ Disallow Changes to Lifecycle Configuration for AWS Control Tower Created S3 Buckets in Log Archive

**Guidance changed from Mandatory to Elective:**
+ Disallow Changes to Encryption Configuration for all Amazon S3 Buckets [Previously: Enable Encryption at Rest for Log Archive]
+ Disallow Changes to Logging Configuration for all Amazon S3 Buckets [Previously: Enable Access Logging for Log Archive]
+ Disallow Changes to Bucket Policy for all Amazon S3 Buckets [Previously: Disallow Policy Changes to Log Archive]
+ Disallow Changes to Lifecycle Configuration for all Amazon S3 Buckets [Previously: Set a Retention Policy for Log Archive]

AWS Control Tower version 2.7 includes changes to the AWS Control Tower landing zone blueprint that can cause incompatibility with previous versions after you upgrade to 2.7. 
+ In particular, AWS Control Tower version 2.7 enables `BlockPublicAccess` automatically on S3 buckets deployed by AWS Control Tower. You can turn this default off if your workload requires access across accounts. For more information about what happens with `BlockPublicAccess` enabled, see [Blocking public access to your Amazon S3 storage](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html).
+ AWS Control Tower version 2.7 includes a requirement for HTTPS. All requests sent to S3 buckets deployed by AWS Control Tower must use secure socket layer (SSL). Only HTTPS requests are allowed to pass. If you use HTTP (without SSL) as an endpoint to send the requests, this change gives you an access denied error, which can potentially break your workflow. **This change cannot be reverted after the 2.7 update to your landing zone.**

  *We recommend that you change your requests to use TLS instead of HTTP.*
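
The following Python audit script is an added example, not code from AWS Control Tower or the user guide. The release note above says plain-HTTP requests to Control Tower-deployed buckets now receive an access denied error; the usual way to express that rule in a bucket policy is a Deny statement conditioned on `aws:SecureTransport` being false, and that assumed pattern is what the script looks for, so you can check your own buckets and predict which HTTP clients will break. The sample policy and bucket name are constructed, not Control Tower's actual policy.

```python
"""Audit an S3 bucket policy for a TLS-only Deny rule (added example).

Not code from AWS Control Tower or the user guide. Assumes the TLS-only rule is
expressed as a Deny conditioned on aws:SecureTransport == "false", which is
the usual pattern; the sample policy and bucket name below are constructed.
"""
import fnmatch
import json

# Constructed sample policy in the style of a Log Archive bucket policy.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowLogDelivery",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-log-archive-bucket/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::example-log-archive-bucket",
                "arn:aws:s3:::example-log-archive-bucket/*",
            ],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _as_list(value):
    """Policy JSON allows a scalar or a list in most positions; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_any_principal(principal):
    """Both "*" and {"AWS": "*"} mean every principal."""
    return principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")


def _action_covers(policy_actions, action):
    """True if any listed action (wildcards allowed, e.g. 's3:*') matches `action`."""
    return any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(policy_actions))


def _transport_condition(stmt):
    """Value of Condition.Bool.aws:SecureTransport, lower-cased, or None if absent."""
    value = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
    return None if value is None else str(value).lower()


def tls_only_statements(policy_json):
    """Sids of Deny statements that apply to every principal when the request is not TLS."""
    sids = []
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Deny" or not _is_any_principal(stmt.get("Principal")):
            continue
        if _transport_condition(stmt) == "false":
            sids.append(stmt.get("Sid", "<no Sid>"))
    return sids


def enforces_tls(policy_json):
    """Does the policy deny plain-HTTP access for all principals?"""
    return bool(tls_only_statements(policy_json))


def denied_by_transport_rule(policy_json, action, secure_transport):
    """Would a request for `action` hit a transport Deny? An explicit Deny always wins.

    Principal and Resource matching are omitted here; the function only answers
    the transport question the 2.7 release note raises.
    """
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Deny" or not _action_covers(stmt.get("Action", []), action):
            continue
        if _transport_condition(stmt) == "false" and not secure_transport:
            return True
    return False


if __name__ == "__main__":
    print("TLS-only statements:", tls_only_statements(SAMPLE_POLICY))
    print("HTTP  GetObject denied:", denied_by_transport_rule(SAMPLE_POLICY, "s3:GetObject", False))
    print("HTTPS GetObject denied:", denied_by_transport_rule(SAMPLE_POLICY, "s3:GetObject", True))
```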

## Three new AWS Regions available
<a name="three-new-regions"></a>

**April 8, 2021**

(Update required for AWS Control Tower landing zone)

AWS Control Tower is available in three additional AWS Regions: Asia Pacific (Tokyo) Region, Asia Pacific (Seoul) Region, and Asia Pacific (Mumbai) Region. A landing zone update to version 2.7 is required for expanding governance into these Regions.

Your landing zone is not expanded automatically into these Regions when you perform the update to version 2.7; you must view and select them in the Regions table for inclusion.

## Govern selected Regions only
<a name="region-select"></a>

**February 19, 2021**

(No update required for AWS Control Tower landing zone)

AWS Control Tower Region selection provides better ability to manage the geographical footprint of your AWS Control Tower resources. To expand the number of Regions in which you host AWS resources or workloads – for compliance, regulatory, cost, or other reasons – you can now select the additional Regions to govern. 

Region selection is available when you set up a new landing zone or update your AWS Control Tower landing zone version. When you use Account Factory to create a new account or enroll a pre-existing member account, or when you use **Extend Governance** to enroll accounts in a pre-existing organizational unit, AWS Control Tower deploys its governance capabilities of centralized logging, monitoring, and controls in your chosen Regions in the accounts. For more information about selecting Regions, see [Configure your AWS Control Tower Regions](region-how.md#deploying-to-new-region).

## AWS Control Tower now extends governance to existing OUs in your AWS organizations
<a name="extended-governance"></a>

**January 28, 2021**

(No update required for AWS Control Tower landing zone)

You can extend governance to existing organizational units (OUs) that are not already in AWS Control Tower, from within the AWS Control Tower console. With this feature, you can bring top-level OUs and the accounts they contain under AWS Control Tower governance. For information about extending governance to an entire OU, see [Register an existing organizational unit with AWS Control Tower](importing-existing.md).

When you register an OU, AWS Control Tower performs a series of checks to ensure successful extension of governance and enrollment of accounts within the OU. For more information about common issues associated with the initial registration of an OU, see [Common causes of failure during registration or re-registration](common-eg-failures.md).

You can also visit the AWS Control Tower [product webpage](https://aws.amazon.com/controltower/) or visit YouTube to watch this video about [getting started with AWS Control Tower for AWS Organizations](https://www.youtube.com/watch?v=CwRy0t8nfgM).

## AWS Control Tower provides bulk account updates
<a name="bulk-update"></a>

**January 28, 2021**

(No update required for AWS Control Tower landing zone)

With the bulk update feature, you can now update all accounts in a registered AWS Organizations organizational unit (OU) containing up to 300 accounts, with a single click, from the AWS Control Tower dashboard. This is particularly useful in cases where you update your AWS Control Tower landing zone and must also update your enrolled accounts to align them to the current landing zone version. 

This feature also helps you keep your accounts up to date when you update your AWS Control Tower landing zone to expand to new regions, or when you want to re-register an OU to ensure that all accounts in that OU have the latest controls applied. Bulk account update eliminates the need to update one account at a time or use an external script to perform the update on multiple accounts.

For information about updating a landing zone, see [Update your landing zone](update-controltower.md).

For information about registering or re-registering an OU, see [Register an existing organizational unit with AWS Control Tower](importing-existing.md).

# January - December 2020
<a name="2020-all"></a>

In 2020, AWS Control Tower released the following updates:
+ [AWS Control Tower console now links to external AWS Config rules](#config-aggregator-12-2020)
+ [AWS Control Tower now available in additional Regions](#region-expansion-11-19-20)
+ [Guardrail update](#control-update)
+ [AWS Control Tower console shows more detail about OUs and accounts](#OU-account-detail)
+ [Use AWS Control Tower to set up new multi-account AWS environments in AWS Organizations](#multiaccount-environments) 
+ [Customizations for AWS Control Tower solution](#Customizations)
+ [General availability of AWS Control Tower version 2.3](#Available_in_Sydney)
+ [Single-step account provisioning in AWS Control Tower](#Single-step-provisioning)
+ [AWS Control Tower decommissioning tool](#Decommissioning-tool)
+ [AWS Control Tower lifecycle event notifications](#Lifecycle-event-notifications)

## AWS Control Tower console now links to external AWS Config rules
<a name="config-aggregator-12-2020"></a>

**December 29, 2020**

(Update required for AWS Control Tower landing zone to version 2.6. For information, see [Update your landing zone](update-controltower.md))

AWS Control Tower now includes an organization-level aggregator, which assists in detecting external AWS Config rules. This provides you with visibility in the AWS Control Tower console to see the existence of externally created AWS Config rules in addition to those AWS Config rules created by AWS Control Tower. The aggregator allows AWS Control Tower to detect external rules and provide a link to the AWS Config console without the need for AWS Control Tower to gain access to unmanaged accounts.

With this feature, you now have a consolidated view of detective controls applied to your accounts so you can track compliance and determine if you need additional controls for your account. For information, see [How AWS Control Tower aggregates AWS Config rules in unmanaged OUs and accounts](https://docs.aws.amazon.com/controltower/latest/userguide/roles-how.html#config-role-for-organizations).

## AWS Control Tower now available in additional Regions
<a name="region-expansion-11-19-20"></a>

**November 18, 2020**

(Update required for AWS Control Tower landing zone to version 2.5. For information, see [Update your landing zone](update-controltower.md))

AWS Control Tower is now available in 5 additional AWS Regions:
+ Asia Pacific (Singapore) Region
+ Europe (Frankfurt) Region
+ Europe (London) Region
+ Europe (Stockholm) Region
+ Canada (Central) Region

The addition of these 5 AWS Regions is the only change introduced for version 2.5 of AWS Control Tower.

AWS Control Tower is also available in US East (N. Virginia) Region, US East (Ohio) Region, US West (Oregon) Region, Europe (Ireland) Region, and Asia Pacific (Sydney) Region. With this launch AWS Control Tower is now available in 10 AWS Regions.

This landing zone update includes all Regions listed and cannot be undone. After updating your landing zone to version 2.5, you must manually update all enrolled accounts for AWS Control Tower to govern in the 10 supported AWS Regions. For information, see [Configure your AWS Control Tower Regions](region-how.md#deploying-to-new-region).

## Guardrail update
<a name="control-update"></a>

**October 8, 2020**

(No update required for AWS Control Tower landing zone)

An updated version has been released for the mandatory control `AWS-GR_IAM_ROLE_CHANGE_PROHIBITED`.

This change to the control is required because accounts that are being enrolled automatically into AWS Control Tower must have the `AWSControlTowerExecution` role enabled. The previous version of the control prevents this role from being created.

For more information, see [Disallow Changes to AWS IAM Roles Set Up by AWS Control Tower and CloudFormation](https://docs.aws.amazon.com/controltower/latest/controlreference/mandatory-controls.html#iam-disallow-changes) in the AWS Control Tower Controls Reference Guide.

## AWS Control Tower console shows more detail about OUs and accounts
<a name="OU-account-detail"></a>

**July 22, 2020**

(No update required for AWS Control Tower landing zone)

You can view your organizations and accounts that are not enrolled in AWS Control Tower, alongside organizations and accounts that are enrolled.

Within the AWS Control Tower console, you can view more detail about your AWS accounts and organizational units (OUs). The **Accounts** page now lists all accounts in your organization, regardless of OU or enrollment status in AWS Control Tower. You can now search, sort, and filter across all tables.

## Use AWS Control Tower to set up new multi-account AWS environments in AWS Organizations
<a name="multiaccount-environments"></a>

**April 22, 2020**

(No update required for AWS Control Tower landing zone)

AWS Organizations customers can now use AWS Control Tower to manage newly created organizational units (OUs) and accounts by taking advantage of these new capabilities: 
+ Existing AWS Organizations customers can now set up a new landing zone for new organizational units (OUs) in their existing management account. You can create new OUs in AWS Control Tower and create new accounts in those OUs with AWS Control Tower governance.
+ AWS Organizations customers can enroll existing accounts using the account enrollment process or through scripting.

AWS Control Tower provides an orchestration service that uses other AWS services. It's designed for organizations with multiple accounts and teams who are looking for the easiest way to set up their new or existing multi-account AWS environment and govern at scale. With an organization governed by AWS Control Tower, cloud administrators know that accounts in the organization are compliant with established policies. Builders benefit because they can provision new AWS accounts quickly, without undue concerns about compliance.

For information about setting up a landing zone, see [Plan your AWS Control Tower landing zone](planning-your-deployment.md). You can also visit the AWS Control Tower [product webpage](https://aws.amazon.com/controltower/) or visit YouTube to watch this video about [getting started with AWS Control Tower for AWS Organizations](https://www.youtube.com/watch?v=-n65I4M8cas). 

In addition to this change, the **Quick account provisioning** capability in AWS Control Tower was renamed to **Enroll account**. It now permits enrollment of existing AWS accounts as well as creation of new accounts. For more information, see [Enroll an existing account from the AWS Control Tower console](quick-account-provisioning.md).

## Customizations for AWS Control Tower solution
<a name="Customizations"></a>

**March 17, 2020**

(No update required for AWS Control Tower landing zone)

AWS Control Tower now includes a new reference implementation that makes it easy for you to apply custom templates and policies to your AWS Control Tower landing zone. 

With customizations for AWS Control Tower, you can use CloudFormation templates to deploy new resources to existing and new accounts within your organization. You can also apply custom service control policies (SCPs) to those accounts in addition to the SCPs already provided by AWS Control Tower. The Customizations for AWS Control Tower pipeline integrates with AWS Control Tower lifecycle events and notifications ([Lifecycle Events in AWS Control Tower](lifecycle-events.md)) to ensure that resource deployments stay in sync with your landing zone.

The deployment documentation for this AWS Control Tower solution architecture is available through the [AWS Solutions web page](https://aws.amazon.com/solutions/implementations/customizations-for-aws-control-tower/). 

## General availability of AWS Control Tower version 2.3
<a name="Available_in_Sydney"></a>

**March 5, 2020** 

(Update required for AWS Control Tower landing zone. For information, see [Update your landing zone](update-controltower.md).)

AWS Control Tower is now available in the Asia Pacific (Sydney) AWS Region, in addition to the US East (Ohio), US East (N. Virginia), US West (Oregon), and Europe (Ireland) Regions. The addition of the Asia Pacific (Sydney) Region is the only change introduced for version 2.3 of AWS Control Tower.

If you have not used AWS Control Tower previously, you can launch it today in any of the supported Regions. If you are already using AWS Control Tower and want to extend its governance features to the Asia Pacific (Sydney) Region in your accounts, go to the **Settings** page in your AWS Control Tower dashboard. From there, update your landing zone to the latest release. Then, update your accounts individually. 

**Note**  
Updating your landing zone does not automatically update your accounts. If you have more than a few accounts, the required updates can be time-consuming. For that reason, we recommend that you avoid expanding your AWS Control Tower landing zone into Regions in which you do not require your workloads to run.

For information about the expected behavior of detective controls as a result of a deployment to a new Region, see [Configure your AWS Control Tower Regions](https://docs.aws.amazon.com/controltower/latest/userguide/region-how.html#deploying-to-new-region).

## Single-step account provisioning in AWS Control Tower
<a name="Single-step-provisioning"></a>

**March 2, 2020**

(No update required for AWS Control Tower landing zone)

AWS Control Tower now supports single-step account provisioning through the AWS Control Tower console. This feature allows you to provision new accounts from within the AWS Control Tower console.

To use the simplified form, navigate to **Account Factory** in the AWS Control Tower console and then choose **Quick account provisioning**. AWS Control Tower assigns the same email address to the provisioned account and to the single sign-on (IAM Identity Center) user that is created for the account. If you require these two email addresses to be different, you must provision your account through Service Catalog.

Update accounts that you create through quick account provisioning by using Service Catalog and the AWS Control Tower account factory, just like updates to any other account.

**Note**  
In April 2020, the **Quick account provisioning** capability was renamed to **Enroll account**. In June 2022, the ability to create and update accounts in the AWS Control Tower console was separated from the ability to enroll AWS accounts. For more information, see [Enroll an existing account from the AWS Control Tower console](quick-account-provisioning.md).

## AWS Control Tower decommissioning tool
<a name="Decommissioning-tool"></a>

**February 28, 2020**

(No update required for AWS Control Tower landing zone)

AWS Control Tower now supports an automated decommissioning tool to assist you in cleaning up resources allocated by AWS Control Tower. If you no longer intend to use AWS Control Tower for your enterprise, or if you require a major redeployment of your organizational resources, you may want to clean up the resources created when you initially set up your landing zone. 

To decommission your landing zone by using a process that is mostly automated, contact AWS Support to get assistance with the additional steps that are required. For more information about decommissioning, see [Decommission an AWS Control Tower landing zone](decommission-landing-zone.md).

## AWS Control Tower lifecycle event notifications
<a name="Lifecycle-event-notifications"></a>

**January 22, 2020**

(No update required for AWS Control Tower landing zone)

AWS Control Tower announces the availability of lifecycle event notifications. A [lifecycle event](lifecycle-events.md) marks the completion of an AWS Control Tower action that can change the state of resources such as organizational units (OUs), accounts, and controls that are created and managed by AWS Control Tower. Lifecycle events are recorded as AWS CloudTrail events and delivered to Amazon EventBridge as events. 

AWS Control Tower records lifecycle events at the completion of the following actions that can be performed using the service: creating or updating a landing zone; creating or deleting an OU; enabling or disabling a control on an OU; and using account factory to create a new account or to move an account to another OU.

AWS Control Tower uses multiple AWS services to build and govern a best practices multi-account AWS environment. It can take several minutes for an AWS Control Tower action to complete. You can track lifecycle events in the CloudTrail logs to verify if the originating AWS Control Tower action completed successfully. You can create an EventBridge rule to notify you when CloudTrail records a lifecycle event or to automatically trigger the next step in your automation workflow.
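
The following Python script is an added example, not code from AWS Control Tower or the user guide. It shows an EventBridge event pattern for the lifecycle events described above and a small matcher that applies it to CloudTrail-shaped events, then reads out each action's completion state so that actions that did not succeed can be alerted on. The event names are the documented lifecycle event names (confirm them against the lifecycle events reference for your landing zone version); the events are constructed samples, and the `serviceEventDetails` layout (a `<eventName>Status` object carrying a `state`) is assumed from the documented event format.

```python
"""Match and triage AWS Control Tower lifecycle events from EventBridge (added example).

Not code from AWS Control Tower or the user guide. Event names are the documented
lifecycle event names; the sample events are constructed, and the
serviceEventDetails layout ("<eventName>Status" with a "state") is assumed.
"""

LIFECYCLE_EVENT_NAMES = [
    "SetupLandingZone", "UpdateLandingZone",                       # create or update a landing zone
    "RegisterOrganizationalUnit", "DeregisterOrganizationalUnit",  # create or delete an OU
    "EnableGuardrail", "DisableGuardrail",                         # enable or disable a control on an OU
    "CreateManagedAccount", "UpdateManagedAccount",                # create an account or move it to another OU
]

# EventBridge event pattern: every key present must match; a list means "any of these values".
LIFECYCLE_EVENT_PATTERN = {
    "source": ["aws.controltower"],
    "detail-type": ["AWS Service Event via CloudTrail"],
    "detail": {"eventName": LIFECYCLE_EVENT_NAMES},
}


def matches(pattern, event):
    """Subset of EventBridge pattern semantics: nested dicts recurse, lists mean 'any of'."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def completion_state(event):
    """Return (eventName, state) read from detail.serviceEventDetails.<name>Status.state."""
    detail = event["detail"]
    for key, value in detail.get("serviceEventDetails", {}).items():
        if key.endswith("Status") and isinstance(value, dict) and "state" in value:
            return detail["eventName"], value["state"]
    return detail["eventName"], "UNKNOWN"


def triage(events):
    """Lifecycle events that need attention: matched the pattern but did not SUCCEED."""
    return [completion_state(e) for e in events
            if matches(LIFECYCLE_EVENT_PATTERN, e) and completion_state(e)[1] != "SUCCEEDED"]


def _event(name, status_key, state, message):
    """Build a constructed CloudTrail-shaped lifecycle event as EventBridge would deliver it."""
    return {
        "version": "0",
        "source": "aws.controltower",
        "detail-type": "AWS Service Event via CloudTrail",
        "region": "us-east-1",
        "detail": {
            "eventSource": "controltower.amazonaws.com",
            "eventName": name,
            "eventType": "AwsServiceEvent",
            "serviceEventDetails": {status_key: {"state": state, "message": message}},
        },
    }


SAMPLE_EVENTS = [  # constructed
    _event("CreateManagedAccount", "createManagedAccountStatus", "SUCCEEDED",
           "constructed: managed account created"),
    _event("EnableGuardrail", "enableGuardrailStatus", "FAILED",
           "constructed: control could not be enabled on the OU"),
    {   # unrelated event from another service; must not match the pattern
        "version": "0", "source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
        "region": "us-east-1", "detail": {"state": "running"},
    },
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["source"], "matches lifecycle pattern:", matches(LIFECYCLE_EVENT_PATTERN, event))
    print("needs attention:", triage(SAMPLE_EVENTS))
```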

# June - December 2019
<a name="2019-all"></a>

From June 24 through December 31, 2019, AWS Control Tower released the following updates:
+ [General availability of AWS Control Tower version 2.2](#Version-2-2)
+ [New elective controls in AWS Control Tower](#Elective-gaurdrails)
+ [New detective controls in AWS Control Tower](#New-controls)
+ [AWS Control Tower accepts email addresses for shared accounts with different domains than the management account](#Email-address-shared-accounts)
+ [General availability of AWS Control Tower version 2.1](#Version-2-1)

## General availability of AWS Control Tower version 2.2
<a name="Version-2-2"></a>

**November 13, 2019**

(Update required for AWS Control Tower landing zone. For information, see [Update your landing zone](update-controltower.md).)

AWS Control Tower version 2.2 provides three new preventive controls that prevent drift in accounts:
+ [Disallow Changes to Amazon CloudWatch Logs Log Groups set up by AWS Control Tower](https://docs.aws.amazon.com//controltower/latest/controlreference/mandatory-controls.html#log-group-deletion-policy) 
+ [Disallow Deletion of AWS Config Aggregation Authorizations Created by AWS Control Tower](https://docs.aws.amazon.com//controltower/latest/controlreference/mandatory-controls.html#config-aggregation-authorization-policy) 
+ [Disallow Deletion of Log Archive](https://docs.aws.amazon.com/controltower/latest/controlreference/mandatory-controls.html#disallow-audit-bucket-deletion) 

A control is a high-level rule that provides ongoing governance for your overall AWS environment. When you create your AWS Control Tower landing zone, the landing zone and all the organizational units (OUs), accounts, and resources are compliant with the governance rules enforced by your chosen controls. As you and your organization members use the landing zone, changes (accidental or intentional) in this compliance status may occur. Drift detection helps you identify resources that need changes or configuration updates to resolve the drift. For more information, see [Detect and resolve drift in AWS Control Tower](drift.md). 

## New elective controls in AWS Control Tower
<a name="Elective-gaurdrails"></a>

**September 05, 2019** 

(No update required for AWS Control Tower landing zone)

AWS Control Tower now includes the following four new elective controls:
+ [Disallow Delete Actions on Amazon S3 Buckets Without MFA](https://docs.aws.amazon.com//controltower/latest/controlreference/elective-controls.html#disallow-s3-delete-mfa) 
+ [Disallow Changes to Replication Configuration for Amazon S3 Buckets](https://docs.aws.amazon.com//controltower/latest/controlreference/elective-controls.html#disallow-s3-ccr) 
+ [Disallow Actions as a Root User](https://docs.aws.amazon.com//controltower/latest/controlreference/strongly-recommended-controls.html#disallow-root-auser-actions)
+ [Disallow Creation of Access Keys for the Root User](https://docs.aws.amazon.com//controltower/latest/controlreference/strongly-recommended-controls.html#disallow-root-access-keys)

A control is a high-level rule that provides ongoing governance for your overall AWS environment. Controls enable you to express your policy intentions. For more information, see [About controls in AWS Control Tower](https://docs.aws.amazon.com//controltower/latest/controlreference/controls.html).

## New detective controls in AWS Control Tower
<a name="New-controls"></a>

**August 25, 2019** 

(No update required for AWS Control Tower landing zone)

AWS Control Tower now includes the following eight new detective controls:
+ [Detect Whether Versioning for Amazon S3 Buckets is Enabled](https://docs.aws.amazon.com//controltower/latest/controlreference/elective-controls.html#disallow-s3-no-versioning) 
+ [Detect Whether MFA is Enabled for IAM Users of the AWS Console](https://docs.aws.amazon.com//controltower/latest/controlreference/elective-controls.html#disallow-console-access-mfa) 
+ [Detect Whether MFA is Enabled for IAM Users](https://docs.aws.amazon.com//controltower/latest/controlreference/elective-controls.html#disallow-access-mfa) 
+ [Detect Whether Amazon EBS Optimization is Enabled for Amazon EC2 Instances](https://docs.aws.amazon.com//controltower/latest/controlreference/strongly-recommended-controls.html#disallow-not-ebs-optimized)
+ [Detect Whether Amazon EBS Volumes are Attached to Amazon EC2 Instances](https://docs.aws.amazon.com//controltower/latest/userguide/strongly-recommended-controls.html#disallow-unattached-ebs) 
+ [Detect Whether Public Access to Amazon RDS Database Instances is Enabled](https://docs.aws.amazon.com//controltower/latest/controlreference/strongly-recommended-controls.html#disallow-rds-public-access) 
+ [Detect Whether Public Access to Amazon RDS Database Snapshots is Enabled](https://docs.aws.amazon.com//controltower/latest/controlreference/strongly-recommended-controls.html#disallow-rds-snapshot-public-access)
+ [Detect Whether Storage Encryption is Enabled for Amazon RDS Database Instances](https://docs.aws.amazon.com//controltower/latest/controlreference/strongly-recommended-controls.html#disallow-rds-storage-unencrypted)

A control is a high-level rule that provides ongoing governance for your overall AWS environment. A detective control, implemented as an AWS Config rule, detects noncompliance of resources within your accounts, such as policy violations, and reports it through the dashboard; unlike a preventive control, it does not block the noncompliant change. For more information, see [About controls in AWS Control Tower](https://docs.aws.amazon.com//controltower/latest/controlreference/controls.html).

## AWS Control Tower accepts email addresses for shared accounts with different domains than the management account
<a name="Email-address-shared-accounts"></a>

**August 01, 2019** 

(No update required for AWS Control Tower landing zone)

In AWS Control Tower, you can now submit email addresses for shared accounts (log archive and audit member) and child accounts (vended using account factory) whose domains are different from the management account's email address. This feature is available only when you create a new landing zone and when you provision new child accounts.

## General availability of AWS Control Tower version 2.1
<a name="Version-2-1"></a>

**June 24, 2019**

(Update required for AWS Control Tower landing zone. For information, see [Update Your Landing Zone](https://docs.aws.amazon.com/controltower/latest/userguide/update-controltower.html).)

AWS Control Tower is now generally available and supported for production use. AWS Control Tower is intended for organizations with multiple accounts and teams who are looking for the easiest way to set up their new multi-account AWS environment and govern at scale. With AWS Control Tower, you can help make sure that accounts in your organization are compliant with established policies. End users on distributed teams can provision new AWS accounts quickly.

Using AWS Control Tower, you can [set up a landing zone](getting-started-with-control-tower.md) that employs best practices such as configuring a [multi-account structure](https://docs.aws.amazon.com/controltower/latest/userguide/aws-multi-account-landing-zone.html) using AWS Organizations, managing user identities and federated access with AWS IAM Identity Center, enabling account provisioning through Service Catalog, and creating a centralized log archive using AWS CloudTrail and AWS Config. 

For ongoing governance, you can enable pre-configured controls, which are clearly defined rules for security, operations, and compliance. Preventive controls help prevent deployment of resources that don't conform to policies, and detective controls continuously monitor deployed resources for nonconformance. The AWS Control Tower dashboard provides centralized visibility into an AWS environment, including accounts provisioned, controls enabled, and the compliance status of accounts.

You can set up a new multi-account environment with a single click in the AWS Control Tower console. There are no additional charges or upfront commitments to use AWS Control Tower. You pay only for the AWS services that are enabled to set up your landing zone and implement the controls you select.