AWS Control Tower now supports a new IAM global condition key, aws:SourceOrgID, which enables you to require that AWS services access your resources only when the request originates from your organization or organizational unit, enhancing security and policy management for your landing zone.

<div>
<p>The article discusses updates to AWS Control Tower's Landing Zone, which is a well-architected, multi-account AWS environment based on security and compliance best practices.</p>
<p>Specifically, the article covers:</p>
<ul>
<li>Introduction of a new IAM global condition key, aws:SourceOrgID, enabling AWS services to access resources only on behalf of the organization or OU</li>
<li>Example use case of using aws:SourceOrgID with S3 bucket policies to ensure CloudTrail logs can only be written by accounts within the organization</li>
<li>A new version of the Region Deny control and improved KMS drift reporting</li>
<li>Availability of AWS Control Tower in different AWS Regions and references to release notes and IAM documentation</li>
</ul>
</div>


AWS Control Tower Landing Zone updates managed policies and controls

Related articles