Posted On: Jul 28, 2022

AWS Control Tower now helps reduce redundant AWS Config configuration items by limiting recording of global resources to home Regions only. Previously, AWS Control Tower configured AWS Config to record global resources in all Regions. Since global resources are not tied to a specific AWS Region, changes to global resources are identical across Regions. Limiting recording for global resources (such as IAM users, groups, roles, and customer managed policies) means redundant copies of global resource changes are no longer stored in every Region. This update brings resource recording into conformance with AWS Config best practices. A full list of global resources is available in the AWS Config documentation.

Existing AWS Control Tower landing zones can adopt this change by first updating to the latest landing zone version, then re-registering each Organizational Unit. Accounts that are not enrolled with AWS Control Tower will be unaffected by this change. You can enroll accounts in AWS Control Tower through single account enrollment or extended governance. After enrolling new accounts or updating your existing accounts, global resources will only be recorded in the home Region selected during AWS Control Tower landing zone setup.
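To verify that an enrolled account actually ended up in the expected state (global resource types recorded in the home Region only, and a recorder present in every governed Region), the following audit is an added example and not code from AWS Control Tower; it assumes the `recordingGroup` shape returned by the AWS Config `describe_configuration_recorders` API, and the Region names and sample data are constructed.

```python
"""Audit AWS Config recorders: global resource types should be recorded
in the home Region only, matching the AWS Control Tower behaviour above."""
from typing import Dict, List, Optional


def find_global_recording_violations(recorders: Dict[str, Optional[dict]],
                                     home_region: str) -> List[str]:
    """Return human-readable findings, one per misconfigured Region.

    `recorders` maps a Region name to that Region's AWS Config recorder
    `recordingGroup` dict (as returned by describe_configuration_recorders),
    or None when the Region has no recorder at all.
    """
    findings = []
    for region, group in sorted(recorders.items()):
        if group is None:
            findings.append(f"{region}: no AWS Config recorder configured")
            continue
        includes_global = bool(group.get("includeGlobalResourceTypes", False))
        if region == home_region and not includes_global:
            findings.append(f"{region}: home Region but global resources are not recorded")
        elif region != home_region and includes_global:
            findings.append(f"{region}: non-home Region records global resources (redundant)")
    return findings


def fetch_recording_groups(regions, session=None) -> Dict[str, Optional[dict]]:
    """Collect each Region's recordingGroup with boto3 (needs AWS credentials)."""
    import boto3  # imported here so the offline audit logic runs without boto3
    session = session or boto3.session.Session()
    result = {}
    for region in regions:
        client = session.client("config", region_name=region)
        recs = client.describe_configuration_recorders()["ConfigurationRecorders"]
        result[region] = recs[0]["recordingGroup"] if recs else None
    return result


# Constructed sample data: a landing zone before and after adopting the update.
SAMPLE_BEFORE = {
    "us-east-1": {"allSupported": True, "includeGlobalResourceTypes": True},
    "eu-west-1": {"allSupported": True, "includeGlobalResourceTypes": True},
    "ap-southeast-2": None,
}
SAMPLE_AFTER = {
    "us-east-1": {"allSupported": True, "includeGlobalResourceTypes": True},
    "eu-west-1": {"allSupported": True, "includeGlobalResourceTypes": False},
}

if __name__ == "__main__":
    for finding in find_global_recording_violations(SAMPLE_BEFORE, "us-east-1"):
        print(finding)
```

For a live check, pass `fetch_recording_groups([...governed Regions...])` in place of the sample dict, using the home Region chosen at landing zone setup.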

For a full list of Regions supported by AWS Control Tower, see the AWS Region Table. To learn more, visit the AWS Control Tower homepage or the AWS Documentation.