Posted On: Dec 15, 2023
Today, AWS Control Tower launched landing zone version 3.3 which includes updates to AWS Control Tower-managed resources, resource-based policies, and controls. AWS Control Tower now supports the new AWS Identity and Access Management (IAM) launched global condition key, aws:SourceOrgID, which enables you to scalably allow AWS services to access your resources only on your behalf. With this new IAM capability, you can simplify management of your resource-based policies to require that AWS services access your resources only when the request originates from your organization or organizational unit (OU). For example, you can use the aws:SourceOrgID condition key and set the value to your organization ID in the condition element of your S3 bucket policy. This ensures that CloudTrail can only write logs on behalf of accounts within your organization to your S3 bucket, preventing CloudTrail logs outside your organization from writing to your S3 bucket. Landing zone version 3.3 also includes a new version of the Region Deny control and improved KMS drift reporting.
A landing zone is a well-architected, multi-account AWS environment based on security and compliance best practices. AWS Control Tower automates the setup of a new landing zone using best-practices blueprints for identity, federated access, logging, and account structure.For a full list of AWS Regions where AWS Control Tower is available, see the AWS Region Table. To learn more about this release see the Release Notes and IAM documentation on Global Condition Keys.