From 29a071c98e82d5a9941b311dd649742ef03ad491 Mon Sep 17 00:00:00 2001
From: Daniel Lorch <98748454+lorchda@users.noreply.github.com>
Date: Wed, 2 Feb 2022 13:36:02 +0100
Subject: [PATCH] docs(whitelist): Add examples for Control Tower resources (#1013)
---
 whitelist_sample.txt | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/whitelist_sample.txt b/whitelist_sample.txt
index a17829e3..7da90c0f 100644
--- a/whitelist_sample.txt
+++ b/whitelist_sample.txt
@@ -18,4 +18,12 @@ check26:myignoredbucket
 # REGEXES
 # This whitelist works with regexes (ERE, the same style of regex as grep -E and bash's =~ use)
 # therefore:
-# extra718:[[:alnum:]]+-logs # will ignore all buckets containing the terms ci-logs, qa-logs, etc.
\ No newline at end of file
+# extra718:[[:alnum:]]+-logs # will ignore all buckets containing the terms ci-logs, qa-logs, etc.
+
+# EXAMPLE: CONTROL TOWER
+# When using Control Tower, guardrails prevent access to certain protected resources. The whitelist
+# below ensures that warnings instead of errors are reported for the affected resources.
+#extra734:aws-controltower-logs-[[:digit:]]+-[[:alpha:]\-]+
+#extra734:aws-controltower-s3-access-logs-[[:digit:]]+-[[:alpha:]\-]+
+#extra764:aws-controltower-logs-[[:digit:]]+-[[:alpha:]\-]+
+#extra764:aws-controltower-s3-access-logs-[[:digit:]]+-[[:alpha:]\-]+
\ No newline at end of file
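Review bot: The four Control Tower patterns are unanchored and accept any run of digits as the account id, so they may cover more buckets than intended. If the matcher does substring matching, as the `extra718` comment's "containing the terms" suggests, uncommenting them would also downgrade extra734/extra764 findings for any other bucket whose name merely contains `aws-controltower-logs-<digits>-`. Pinning the account id to 12 digits and anchoring would narrow this, e.g. `#extra734:^aws-controltower-logs-[[:digit:]]{12}-[[:alnum:]-]+$`, provided the whitelist applies the regex to the bare bucket name, which is not visible here and should be confirmed. Separately, inside an ERE bracket expression the backslash in `[[:alpha:]\-]` is a literal character rather than an escape, and the class has no digits, so it stops before the trailing digit of a region such as `us-east-1`; `[[:alnum:]-]` states what is meant. I would also add a comment line such as `# NOTE: every bucket matching these patterns is reported as a warning; keep the patterns as narrow as possible.`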