AWS Control Tower Landing Zone updates managed policies and controls

Today, AWS Control Tower launched landing zone version 3.3, which includes updates to AWS Control Tower-managed resources, resource-based policies, and controls. AWS Control Tower now supports the newly launched AWS Identity and Access Management (IAM) global condition key aws:SourceOrgID, which lets you allow AWS services to access your resources only when they act on your behalf, at the scale of a whole organization rather than account by account. With this IAM capability, you can simplify your resource-based policies by requiring that AWS services access your resources only when the request originates from your organization or organizational unit (OU). For example, you can add the aws:SourceOrgID condition key to the condition element of your S3 bucket policy and set its value to your organization ID. This ensures that CloudTrail can write logs to your S3 bucket only on behalf of accounts within your organization, and blocks CloudTrail from writing logs originating outside your organization into that bucket. Landing zone version 3.3 also includes a new version of the Region Deny control and improved KMS drift reporting.
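The following bucket policy is an added example of the S3 bucket policy pattern described above; it is not taken from the announcement or from an AWS Control Tower-managed resource. It grants the CloudTrail service principal the two permissions CloudTrail needs on a log bucket (s3:GetBucketAcl on the bucket and s3:PutObject under the AWSLogs/ prefix) and gates both on aws:SourceOrgID. The bucket name example-org-trail-bucket and the organization ID o-exampleorgid are placeholders and must be replaced with your own values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheckOnlyFromMyOrg",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::example-org-trail-bucket",
      "Condition": {
        "StringEquals": {
          "aws:SourceOrgID": "o-exampleorgid"
        }
      }
    },
    {
      "Sid": "AWSCloudTrailWriteOnlyFromMyOrg",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-org-trail-bucket/AWSLogs/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceOrgID": "o-exampleorgid",
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
```

Because the condition uses StringEquals, a request in which aws:SourceOrgID is absent (for example, CloudTrail acting for a standalone account that belongs to no organization, or a caller that is not an AWS service principal) does not match either statement, so S3's default deny applies. Without this key, the same protection required a separate aws:SourceArn or aws:SourceAccount value for every account whose trail writes to the bucket, and each new member account meant a policy change.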

Source: Amazon AWS