Posted On: Feb 9, 2023

Today AWS Control Tower is launching Landing Zone 3.1. A landing zone is a well-architected, multi-account AWS environment that is a starting point from which you can deploy workloads and applications. AWS Control Tower automates the setup of a new landing zone using AWS best-practices blueprints for identity, federated access, logging, monitoring, and account structure. Landing Zone 3.1 includes security best practice updates for Amazon Simple Storage Service (Amazon S3) access logging and updates to exceptions in the Region Deny control. 

Landing Zone version 3.1 disables unnecessary access logging on the S3 bucket where access logs are stored, while continuing to enable server access logging for the other S3 buckets. This update aligns with the AWS Security Hub recommendation for Amazon S3 bucket server access logging. This version also includes updates to the Region Deny control that allow additional actions for global services such as AWS Support Plans and AWS Artifact; certain global AWS services and service features are exempt from the Region Deny control. The Region Deny control prevents provisioning resources in unwanted AWS Regions by restricting access to AWS APIs through service control policies (SCPs) built and managed by AWS Control Tower. To see the full list of allowed actions, see the Region deny control policy.
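The S3 access logging pattern described above (every data bucket logs to a dedicated log bucket, and the log bucket itself does not log) can be checked without the console. The following is an added example written for this page, not AWS Control Tower's own code: it audits a set of bucket logging configurations shaped like S3 `GetBucketLogging` responses. The bucket names and responses in `SAMPLE_LOGGING_CONFIGS` are constructed for the example; in practice the dictionary would be filled from the S3 API.

```python
"""Audit S3 server access logging against the Landing Zone 3.1 pattern:
data buckets log to one dedicated log bucket, and that log bucket has
access logging turned off (otherwise it would log into itself)."""

# Each value mirrors an S3 GetBucketLogging response: either
# {"LoggingEnabled": {"TargetBucket": ..., "TargetPrefix": ...}} or {} when off.
# Bucket names and responses are constructed for this example.
SAMPLE_LOGGING_CONFIGS = {
    # dedicated log bucket: logging correctly disabled
    "example-log-archive": {},
    # data bucket logging to the log bucket: compliant
    "example-app-data": {
        "LoggingEnabled": {"TargetBucket": "example-log-archive",
                           "TargetPrefix": "app-data/"}
    },
    # data bucket with no server access logging: finding
    "example-unlogged": {},
    # data bucket logging to itself: finding
    "example-self-logging": {
        "LoggingEnabled": {"TargetBucket": "example-self-logging",
                           "TargetPrefix": ""}
    },
}


def audit_access_logging(configs, log_bucket):
    """Return a sorted list of (bucket, issue) findings.

    configs: mapping of bucket name -> GetBucketLogging-style response
    log_bucket: name of the account's dedicated access-log bucket
    """
    findings = []
    for name, cfg in configs.items():
        enabled = cfg.get("LoggingEnabled")
        if name == log_bucket:
            # The log bucket must not have access logging enabled.
            if enabled:
                findings.append((name, "log bucket has access logging enabled"))
            continue
        if not enabled:
            findings.append((name, "server access logging disabled"))
        elif enabled.get("TargetBucket") == name:
            findings.append((name, "bucket logs to itself"))
        elif enabled.get("TargetBucket") != log_bucket:
            findings.append(
                (name, f"logs to unexpected bucket {enabled['TargetBucket']}"))
    return sorted(findings)


def is_compliant(configs, log_bucket):
    """True when the audit produces no findings."""
    return not audit_access_logging(configs, log_bucket)


if __name__ == "__main__":
    for bucket, issue in audit_access_logging(SAMPLE_LOGGING_CONFIGS,
                                              "example-log-archive"):
        print(f"{bucket}: {issue}")
```

Run against the constructed sample, the audit reports the unlogged bucket and the self-logging bucket and accepts the log bucket because its logging is off; enabling logging on the log bucket produces an additional finding.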

This new feature is available in all AWS Regions where AWS Control Tower is available. For a full list of AWS Regions where AWS Control Tower is available, see the AWS Region Table.