Posted On: Feb 10, 2022
Today, we are announcing new functionality in AWS Control Tower to align AWS Control Tower with recent updates to the AWS Foundational Security Best Practices. As new best practices and controls are identified and developed, it is periodically necessary for AWS Control Tower to add functionality to ensure that your AWS accounts and workloads remain in alignment. The new functionality in this release includes support for a lifecycle policy and access logging on the access log bucket, as well as a dead letter queue for Lambda functions. Additionally, this release updates AWS Control Tower to use AWS Config’s service-linked role to set up and manage Config rules, matching AWS Config best practices. This change streamlines the AWS Control Tower KMS configuration process for encrypting Config data and improves the related status messaging in CloudTrail.
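The two access-log-bucket settings named above (a lifecycle policy and server access logging on the log bucket itself) are the kind of thing a practitioner wants to verify after the landing zone update rather than trust. The following is an added example, not AWS Control Tower code or an AWS-published check: it evaluates the response dictionaries of the S3 API calls GetBucketLifecycleConfiguration and GetBucketLogging against those two expectations. Bucket names, prefixes and the 365-day retention threshold are constructed placeholders, and the boto3 fetch function at the end is optional so the check itself runs offline on the constructed samples.

```python
"""Compliance check for an S3 access log bucket: lifecycle expiration and
server access logging. Added example; bucket names and the retention
threshold are constructed assumptions, not Control Tower values.
"""
from typing import Any, Dict, List, Tuple

# Constructed sample: a correctly configured log bucket (placeholder names).
GOOD_BUCKET = "example-access-logs"
GOOD_LIFECYCLE = {
    "Rules": [
        {"ID": "expire-old-logs", "Status": "Enabled", "Filter": {"Prefix": ""},
         "Expiration": {"Days": 365}}
    ]
}
GOOD_LOGGING = {"LoggingEnabled": {"TargetBucket": "example-log-of-logs",
                                   "TargetPrefix": "access-log-bucket/"}}

# Constructed sample: the only rule is disabled and logging is off.
# GetBucketLogging returns no LoggingEnabled key when logging is disabled.
BAD_LIFECYCLE = {"Rules": [{"ID": "old", "Status": "Disabled",
                            "Expiration": {"Days": 30}}]}
BAD_LOGGING: Dict[str, Any] = {}


def lifecycle_findings(lifecycle: Dict[str, Any], max_retention_days: int = 365) -> List[str]:
    """Problems in a GetBucketLifecycleConfiguration response. Empty list means
    at least one enabled rule expires objects by age within max_retention_days.
    Rules that expire on a fixed Date rather than Days are not age-based and
    are ignored here."""
    rules = lifecycle.get("Rules", [])
    if not rules:
        return ["no lifecycle rules configured"]
    enabled = [r for r in rules if r.get("Status") == "Enabled"]
    if not enabled:
        return ["all lifecycle rules are disabled"]
    expiring = [r for r in enabled if "Days" in r.get("Expiration", {})]
    if not expiring:
        return ["no enabled rule expires objects by age"]
    shortest = min(r["Expiration"]["Days"] for r in expiring)
    if shortest > max_retention_days:
        return [f"shortest expiration is {shortest} days, exceeds {max_retention_days}"]
    return []


def logging_findings(logging_cfg: Dict[str, Any], bucket: str) -> List[str]:
    """Problems in a GetBucketLogging response for `bucket`."""
    target = logging_cfg.get("LoggingEnabled")
    if not target:
        return ["server access logging is not enabled"]
    findings = []
    # A bucket that logs to itself generates a log for every log it receives.
    if target.get("TargetBucket") == bucket:
        findings.append("bucket logs to itself")
    if not target.get("TargetPrefix"):
        findings.append("no TargetPrefix set")
    return findings


def check_access_log_bucket(bucket: str, lifecycle: Dict[str, Any],
                            logging_cfg: Dict[str, Any]) -> Dict[str, List[str]]:
    """Combine both checks; an empty dict means the bucket is compliant."""
    report: Dict[str, List[str]] = {}
    lf = lifecycle_findings(lifecycle)
    if lf:
        report["lifecycle"] = lf
    lg = logging_findings(logging_cfg, bucket)
    if lg:
        report["logging"] = lg
    return report


def fetch_bucket_settings(bucket: str) -> Tuple[Dict[str, Any], Dict[str, Any]]:
    """Live path (requires boto3 and AWS credentials). A bucket with no lifecycle
    configuration raises a ClientError with code NoSuchLifecycleConfiguration,
    which is mapped to an empty rule list so the checks treat it as a finding."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    try:
        lifecycle = s3.get_bucket_lifecycle_configuration(Bucket=bucket)
    except ClientError as err:
        if err.response["Error"]["Code"] != "NoSuchLifecycleConfiguration":
            raise
        lifecycle = {"Rules": []}
    return lifecycle, s3.get_bucket_logging(Bucket=bucket)


if __name__ == "__main__":
    print("good:", check_access_log_bucket(GOOD_BUCKET, GOOD_LIFECYCLE, GOOD_LOGGING))
    print("bad: ", check_access_log_bucket("example-bad", BAD_LIFECYCLE, BAD_LOGGING))
```

Run it as-is to see the constructed good and bad buckets scored; to check a real landing zone, call `fetch_bucket_settings()` with the access log bucket's name and pass the result to `check_access_log_bucket()`.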
This release also includes an update to the Region deny guardrail, which is used to deny services and operations in your Control Tower environments for the AWS Region(s) of your choice. This update excludes Amazon Route 53 Application Recovery Controller from being denied because it is a global service. Amazon Route 53 Application Recovery Controller gives you insight into whether your applications and resources are ready for recovery, and helps you manage and coordinate failover using its readiness check and routing control features. To learn more about Region deny, including which AWS services are exempt, see the Guardrail Reference documentation.
To implement the new best practices or to update your Region deny guardrail, perform a landing zone update: go to the Landing Zone Settings page in your AWS Control Tower dashboard, select version 2.8, and click the Update button. After updating your landing zone, you must then update all accounts that are governed by AWS Control Tower.
Addendum: On February 15, 2022, we removed the dead letter queue for AWS Lambda functions.