AWS Control Tower Landing Zone 4.0 introduces a flexible Controls-Only experience, allowing full programmatic setup and customization of multi-account environments.
Key Changes:
Optional Service Integrations - Choose which integrations to enable:
- AWS Config
- AWS CloudTrail
- Security Roles
- AWS Backup
Dedicated Resources - Better isolation with separate resources per service:
- Separate S3 buckets for AWS Config and CloudTrail
- Individual SNS topics for each service
Flexible Organization Structure - Removed previous requirements:
- No longer required to use a Security OU
- Define your own organizational structure
- All hub accounts must be in the same OU
Dedicated Controls Experience - Minimal landing zone setup:
- Basic AWS Organizations integration
- Enable controls without AWSControlTowerBaseline baseline
- Custom governance configurations
AWS Config Improvements:
- New Config spoke baseline for detective controls
- Service-linked Config aggregator (SLCA) in Config hub account
- Replaces traditional organization and account aggregators
Optional Manifest - Create landing zones without service integrations for maximum flexibility.
This release significantly changes how AWS Control Tower integrates with AWS services and manages organizational resources, providing the programmatic control that was missing for 8 years.
For migration details and full feature list, see the official documentation.