January - December 2019
From January 1 through December 31, 2019, AWS Control Tower released the following updates:
General availability of AWS Control Tower version 2.2
November 13, 2019
(Update required for AWS Control Tower landing zone. For information, see Update your landing zone.)
AWS Control Tower version 2.2 provides three new preventive controls that prevent drift in accounts:
A control is a high-level rule that provides ongoing governance for your overall AWS environment. When you create your AWS Control Tower landing zone, the landing zone and all the organizational units (OUs), accounts, and resources are compliant with the governance rules enforced by your chosen controls. As you and your organization members use the landing zone, changes (accidental or intentional) in this compliance status may occur. Drift detection helps you identify resources that need changes or configuration updates to resolve the drift. For more information, see Detect and resolve drift in AWS Control Tower.
New elective controls in AWS Control Tower
September 05, 2019
(No update required for AWS Control Tower landing zone)
AWS Control Tower now includes the following four new elective controls:
A control is a high-level rule that provides ongoing governance for your overall AWS environment. Controls (formerly called guardrails) enable you to express your policy intentions. For more information, see About controls in AWS Control Tower.
New detective controls in AWS Control Tower
August 25, 2019
(No update required for AWS Control Tower landing zone)
AWS Control Tower now includes the following eight new detective controls:
- Detect Whether MFA is Enabled for IAM Users of the AWS Console
- Detect Whether Amazon EBS Optimization is Enabled for Amazon EC2 Instances
- Detect Whether Amazon EBS Volumes are Attached to Amazon EC2 Instances
- Detect Whether Public Access to Amazon RDS Database Instances is Enabled
- Detect Whether Public Access to Amazon RDS Database Snapshots is Enabled
- Detect Whether Storage Encryption is Enabled for Amazon RDS Database Instances
A control is a high-level rule that provides ongoing governance for your overall AWS environment. A detective control detects noncompliance of resources within your accounts, such as policy violations, and provides alerts through the dashboard. For more information, see About controls in AWS Control Tower.
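The following is an added example, not AWS Control Tower's own code, that models how the six detective controls listed above evaluate resources: each check takes a resource record and returns a COMPLIANT or NON_COMPLIANT finding, the same shape an AWS Config rule evaluation produces. The inventory classes, field names, control identifiers and the sample resources are assumptions constructed here so that the evaluator runs offline; in a real account the records would come from the describe APIs of IAM, EC2 and RDS.

```python
"""Offline model of the six detective controls announced above (constructed example)."""
from dataclasses import dataclass
from typing import List, Optional

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"


# Minimal resource records (assumed shapes, not AWS API types).
@dataclass
class IamUser:
    name: str
    console_password: bool   # user can sign in to the AWS Management Console
    mfa_devices: int         # number of MFA devices registered for the user


@dataclass
class Ec2Instance:
    instance_id: str
    ebs_optimized: bool


@dataclass
class EbsVolume:
    volume_id: str
    attached_to: Optional[str]   # instance ID, or None when the volume is unattached


@dataclass
class RdsInstance:
    db_id: str
    publicly_accessible: bool
    storage_encrypted: bool


@dataclass
class RdsSnapshot:
    snapshot_id: str
    public: bool   # restore permission has been shared with "all"


@dataclass
class Finding:
    control: str       # hypothetical control identifier chosen for this example
    resource_id: str
    status: str        # COMPLIANT or NON_COMPLIANT


def _finding(control: str, resource_id: str, ok: bool) -> Finding:
    return Finding(control, resource_id, COMPLIANT if ok else NON_COMPLIANT)


def check_console_users_have_mfa(users: List[IamUser]) -> List[Finding]:
    # Only users who can reach the console are in scope; access-key-only users are skipped.
    return [_finding("iam-console-mfa", u.name, u.mfa_devices > 0)
            for u in users if u.console_password]


def check_ec2_ebs_optimized(instances: List[Ec2Instance]) -> List[Finding]:
    return [_finding("ec2-ebs-optimized", i.instance_id, i.ebs_optimized) for i in instances]


def check_ebs_volumes_attached(volumes: List[EbsVolume]) -> List[Finding]:
    # An unattached volume is the noncompliant case (orphaned storage, often unencrypted leftovers).
    return [_finding("ebs-volume-attached", v.volume_id, v.attached_to is not None) for v in volumes]


def check_rds_not_public(dbs: List[RdsInstance]) -> List[Finding]:
    return [_finding("rds-instance-not-public", d.db_id, not d.publicly_accessible) for d in dbs]


def check_rds_snapshots_not_public(snaps: List[RdsSnapshot]) -> List[Finding]:
    return [_finding("rds-snapshot-not-public", s.snapshot_id, not s.public) for s in snaps]


def check_rds_storage_encrypted(dbs: List[RdsInstance]) -> List[Finding]:
    return [_finding("rds-storage-encrypted", d.db_id, d.storage_encrypted) for d in dbs]


def evaluate(users, instances, volumes, dbs, snaps) -> List[Finding]:
    """Run every detective check over the inventory and return all findings."""
    findings: List[Finding] = []
    findings += check_console_users_have_mfa(users)
    findings += check_ec2_ebs_optimized(instances)
    findings += check_ebs_volumes_attached(volumes)
    findings += check_rds_not_public(dbs)
    findings += check_rds_snapshots_not_public(snaps)
    findings += check_rds_storage_encrypted(dbs)
    return findings


def noncompliant(findings: List[Finding]):
    """(control, resource) pairs that would surface as alerts on the dashboard."""
    return sorted((f.control, f.resource_id) for f in findings if f.status == NON_COMPLIANT)


# Constructed sample inventory: each resource type has one compliant and one noncompliant member.
SAMPLE_USERS = [IamUser("alice", True, 1), IamUser("bob", True, 0), IamUser("ci-bot", False, 0)]
SAMPLE_INSTANCES = [Ec2Instance("i-0001", True), Ec2Instance("i-0002", False)]
SAMPLE_VOLUMES = [EbsVolume("vol-0a", "i-0001"), EbsVolume("vol-0b", None)]
SAMPLE_DBS = [RdsInstance("db-prod", False, True), RdsInstance("db-legacy", True, False)]
SAMPLE_SNAPS = [RdsSnapshot("snap-1", False), RdsSnapshot("snap-2", True)]


def run_sample() -> List[Finding]:
    return evaluate(SAMPLE_USERS, SAMPLE_INSTANCES, SAMPLE_VOLUMES, SAMPLE_DBS, SAMPLE_SNAPS)


if __name__ == "__main__":
    for control, resource_id in noncompliant(run_sample()):
        print(f"{NON_COMPLIANT}: {control} -> {resource_id}")
```

Each check is deliberately a pure function of one resource's recorded attributes, which is what makes detective controls cheap to run continuously and easy to audit: a finding can always be traced back to the exact attribute that failed.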
AWS Control Tower accepts email addresses for shared accounts with different domains than the management account
August 01, 2019
(No update required for AWS Control Tower landing zone)
In AWS Control Tower, you can now submit email addresses for shared accounts (the log archive and audit member accounts) and child accounts (vended through account factory) whose email domains differ from the management account's email domain. This feature is available only when you create a new landing zone and when you provision new child accounts.
General availability of AWS Control Tower version 2.1
June 24, 2019
(Update required for AWS Control Tower landing zone. For information, see Update your landing zone.)
AWS Control Tower is now generally available and supported for production use. AWS Control Tower is intended for organizations with multiple accounts and teams who are looking for the easiest way to set up their new multi-account AWS environment and govern at scale. With AWS Control Tower, you can help make sure that accounts in your organization are compliant with established policies. End users on distributed teams can provision new AWS accounts quickly.
Using AWS Control Tower, you can set up a landing zone that employs best practices such as configuring a multi-account structure using AWS Organizations, managing user identities and federated access with AWS IAM Identity Center, enabling account provisioning through Service Catalog, and creating a centralized log archive using AWS CloudTrail and AWS Config.
For ongoing governance, you can enable pre-configured controls, which are clearly defined rules for security, operations, and compliance. Controls (formerly called guardrails) help prevent deployment of resources that don’t conform to policies and continuously monitor deployed resources for nonconformance. The AWS Control Tower dashboard provides centralized visibility into an AWS environment, including accounts provisioned, controls enabled, and the compliance status of accounts.
You can set up a new multi-account environment with a single click in the AWS Control Tower console. There are no additional charges or upfront commitments to use AWS Control Tower. You pay only for the AWS services that you enable to set up a landing zone and implement selected controls.