{"slug":"iam-aws-controltower","cloud":"aws","service":"controltower","title":"AWS Control Tower (IAM)","description":"AWS Control Tower provides a pre-configured, secure, multi-account AWS environment based on best practices and governance rules.","category":"management","common_permissions":["controltower:GetLandingZone","controltower:ListLandingZones","controltower:GetEnabledControl","controltower:ListEnabledControls","controltower:GetBaseline","controltower:ListBaselines","controltower:GetHomeRegion","controltower:ListGuardrails"],"least_privilege_example":"{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"controltower:GetLandingZone\",\n        \"controltower:ListLandingZones\",\n        \"controltower:GetEnabledControl\",\n        \"controltower:ListEnabledControls\",\n        \"controltower:GetBaseline\",\n        \"controltower:ListBaselines\",\n        \"controltower:GetHomeRegion\",\n        \"controltower:ListGuardrails\"\n      ],\n      \"Resource\": \"*\"\n    }\n  ]\n}","warnings":["Avoid controltower:* — grants full control including creating, updating, and deleting landing zones and baselines","Avoid controltower:CreateLandingZone and controltower:DeleteLandingZone — can disrupt the entire multi-account governance structure"],"docs":"https://servicereference.us-east-1.amazonaws.com/v1/controltower/controltower.json","tags":["iam","aws"],"last_verified":"2026-06-14T00:00:00.000Z","next_check":"2026-12-11T00:00:00.000Z","created_at":"2026-06-14T04:51:18.801Z","updated_at":"2026-06-14T04:51:18.801Z"}