AWS Security ChangesHomeSearch

AWS solutions documentation change

Service: solutions · 2025-04-01 · Documentation low

File: solutions/latest/account-assessment-for-aws-organizations/use-the-solution.md

Summary

Updated documentation to introduce Policy Explorer feature, deprecate Resource-Based Policies scan, revise error explanations, and remove standalone MFA configuration note (now handled via Cognito UI).

Security assessment

The change adds documentation for Policy Explorer, which helps identify policies with organizational dependencies (security best practice). The removed MFA note does not indicate a vulnerability but shifts configuration responsibility to Cognito UI. AccessDenied error clarification improves security posture awareness.

Diff

diff --git a/solutions/latest/account-assessment-for-aws-organizations/use-the-solution.md b/solutions/latest/account-assessment-for-aws-organizations/use-the-solution.md
index 83e59e234..b93951a78 100644
--- a/solutions/latest/account-assessment-for-aws-organizations/use-the-solution.md
+++ b/solutions/latest/account-assessment-for-aws-organizations/use-the-solution.md
@@ -9,2 +8,0 @@ Login pageWelcome pageFindingsNext steps
-The following sections describe how to use this solution’s web UI.
-
@@ -26,5 +24 @@ At the email address you provided for the `Provide Web UI Login User Email` inpu
-You may also retrieve the web UI URL from the CloudFormation template outputs under `"WebUserInterfaceURL"`.
-
-###### Note
-
-If needed, you can [add multi-factor authentication (MFA) to a Cognito User Pool](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa.html).
+You may alternatively retrieve the web UI URL from the CloudFormation template outputs under `"WebUserInterfaceURL"`. To add or manage additional users, use the Cognito Service user interface in the AWS Console.
@@ -36,3 +30 @@ This page displays after you log in. If applicable, it shows your previous scan
-![Screenshot of welcome page](/images/solutions/latest/account-assessment-for-aws-organizations/images/image4.png)
-
-![Screenshot of welcome page showing most recent assessments](/images/solutions/latest/account-assessment-for-aws-organizations/images/image5.png)
+![Screenshot of welcome page](/images/solutions/latest/account-assessment-for-aws-organizations/images/welcome_page.png)
@@ -44 +36 @@ The left pane lists three types of assessments.
-  1. Resource-Based Polices
+  1. Resource-Based Polices (Deprecated, read-only page since v1.1.0)
@@ -57 +49 @@ Begin an assessment by selecting **Start Scan or download the table content as .
-You can run one active scan on each microservice at a time.
+You can run one active scan per assessment type at a time.
@@ -59 +51 @@ You can run one active scan on each microservice at a time.
-![Screenshot of Resource-Based Polices page](/images/solutions/latest/account-assessment-for-aws-organizations/images/image6.png)
+![Screenshot of Resource-Based Polices page](/images/solutions/latest/account-assessment-for-aws-organizations/images/delegated_admins.png)
@@ -61 +53 @@ You can run one active scan on each microservice at a time.
-![Screenshot of Delegated Admin Accounts page](/images/solutions/latest/account-assessment-for-aws-organizations/images/image18.png)
+![Screenshot of Delegated Admin Accounts page](/images/solutions/latest/account-assessment-for-aws-organizations/images/trusted_access.png)
@@ -63 +55 @@ You can run one active scan on each microservice at a time.
-![Screenshot of Trusted Accces page](/images/solutions/latest/account-assessment-for-aws-organizations/images/image17.png)
+### Policy Explorer
@@ -65 +57 @@ You can run one active scan on each microservice at a time.
-### Additional steps for Resource-Based Policies scan
+Beginning with Account Assessment v1.1.0, the Policy Explorer allows you to conduct nuanced searches for policies in your AWS Organization.
@@ -67 +59 @@ You can run one active scan on each microservice at a time.
-This assessment type offers you two ways to scan the resources in your AWS Organization.
+###### Note
@@ -69 +61 @@ This assessment type offers you two ways to scan the resources in your AWS Organ
-  1. Start a full scan of your AWS Organization:
+Policy Explorer runs a nightly scan for policies across your AWS Organization and stores a string representation of each policy in DynamoDB. Search results you see on the Policy Explorer page are not real-time, but based on the last successful scan. Consult the JobHistory page to find out when the last successful scan was conducted.
@@ -71 +63 @@ This assessment type offers you two ways to scan the resources in your AWS Organ
-    1. Select **Resource-Based Policies** in the left-hand menu.
+![Screenshot of Policy Explorer page](/images/solutions/latest/account-assessment-for-aws-organizations/images/policy_explorer.png)
@@ -73 +65 @@ This assessment type offers you two ways to scan the resources in your AWS Organ
-    2. Select the **Start Full Scan** button.
+You can search for policies
@@ -75 +67 @@ This assessment type offers you two ways to scan the resources in your AWS Organ
-![Screenshot of full scan](/images/solutions/latest/account-assessment-for-aws-organizations/images/image7.png)
+  * By type (Identity Based Policies, Resource Based Policies, Service Control Policies)
@@ -77 +69 @@ This assessment type offers you two ways to scan the resources in your AWS Organ
-  2. Scan specific AWS accounts, OUs, AWS Regions, or AWS services:
+  * By region. Use `GLOBAL` for region-independent policies
@@ -79 +71 @@ This assessment type offers you two ways to scan the resources in your AWS Organ
-    1. Select **Resource Based Policies** in the left-hand menu.
+  * By principal
@@ -81 +73 @@ This assessment type offers you two ways to scan the resources in your AWS Organ
-    2. Select specific AWS accounts, OUs, AWS Regions, or AWS services to scan.
+  * By action
@@ -83 +75 @@ This assessment type offers you two ways to scan the resources in your AWS Organ
-    3. Select the **Start Scan** button.
+  * By resource
@@ -85 +77 @@ This assessment type offers you two ways to scan the resources in your AWS Organ
-###### Note
+  * By condition
@@ -87 +79 @@ This assessment type offers you two ways to scan the resources in your AWS Organ
-If you plan to scan same configuration multiple times, you can name the configuration and load the same parameters by selecting the **Load existing configuration** radio button and entering a name.
+  * By effect (Allow, Deny or Both)
@@ -89 +80,0 @@ If you plan to scan same configuration multiple times, you can name the configur
-![Screenshot of configured scan](/images/solutions/latest/account-assessment-for-aws-organizations/images/image8.png)
@@ -92,0 +84,13 @@ If you plan to scan same configuration multiple times, you can name the configur
+The matching strategy is `string contains`, e.g. a search input like `us-` will match policies in all us regions. The search criteria is applied server-side. If your search is too broad, and the amount of result data exceeds what the frontend can handle, you will see a message asking you to narrow down the search with additional criteria.
+
+Use the `View Policies` button to see the full string representation of any policy.
+
+![Screenshot of Policy Explorer page](/images/solutions/latest/account-assessment-for-aws-organizations/images/view_policies.png)
+
+#### Dependencies on your AWS Organization
+
+A main use case of the "Resource-based Policy Scan" in Account Assessment prior to v1.1.0 was to find policies that contain a condition with the Organization ID, hinting at a policy that may break when the account is moved to a different AWS Organization.
+
+This use case is now covered by PolicyExplorer. To search for Policies that contain your Organizational ID in the condition, press the button `Add OrgId` which will prepopulate the `Condition` search input field with your Org ID. Leave all other fields blank.
+
+![Screenshot of Policy Explorer page](/images/solutions/latest/account-assessment-for-aws-organizations/images/org_dependencies.png)
@@ -111 +115,3 @@ Select the **Job ID** to view specific findings per job.
-![Screenshot of job history](/images/solutions/latest/account-assessment-for-aws-organizations/images/image9.png)
+![Screenshot of job history](/images/solutions/latest/account-assessment-for-aws-organizations/images/job_history.png)
+
+When you select the **Job ID** , the Job Details page displays the findings and any failed tasks during your selected job. You can use this information to help you identify the resource and errors. If the error states that a certain account/region/service/resource could not be scanned, that means that there may be possible findings which the solution was not able to assess. Use your judgement to decide how to proceed.
@@ -113 +119 @@ Select the **Job ID** to view specific findings per job.
-When you select the **Job ID** , the Job Details page displays the findings and any failed tasks during your selected job. You can use this information to help you identify the resource and errors.
+The AccessDenied error often hints at the fact that the SpokeRole of the Account Assessment solution was not installed in the respective account, so the solution has no permission to access the account in question for a scan.
@@ -115 +121 @@ When you select the **Job ID** , the Job Details page displays the findings and
-![Example job details for SUCCEEDED_WITH_FAILED_TASKS](/images/solutions/latest/account-assessment-for-aws-organizations/images/image10.png)
+![Example job details for SUCCEEDED_WITH_FAILED_TASKS](/images/solutions/latest/account-assessment-for-aws-organizations/images/failed_tasks.png)