AWS IAM documentation change
Summary
Updated references from 'Organizations SCPs' to 'AWS Organizations SCPs' and clarified entity/console references
Security assessment
Changes involve branding/naming consistency updates (adding 'AWS' prefix to Organizations references) rather than addressing security vulnerabilities or adding security features. No evidence of security-related content changes.
Diff
diff --git a/IAM/latest/UserGuide/access_policies_boundaries.md b/IAM/latest/UserGuide/access_policies_boundaries.md index af87c8425..df8f6592d 100644 --- a//IAM/latest/UserGuide/access_policies_boundaries.md +++ b//IAM/latest/UserGuide/access_policies_boundaries.md @@ -53 +53 @@ This policy allows creating a user in IAM. If you attach this permissions policy -The permissions boundary for an IAM entity (user or role) sets the maximum permissions that the entity can have. This can change the effective permissions for that user or role. The effective permissions for an entity are the permissions that are granted by all the policies that affect the user or role. Within an account, the permissions for an entity can be affected by identity-based policies, resource-based policies, permissions boundaries, Organizations SCPs, or session policies. For more information about the different types of policies, see [Policies and permissions in AWS Identity and Access Management](./access_policies.html). +The permissions boundary for an IAM entity (user or role) sets the maximum permissions that the entity can have. This can change the effective permissions for that user or role. The effective permissions for an entity are the permissions that are granted by all the policies that affect the user or role. Within an account, the permissions for an entity can be affected by identity-based policies, resource-based policies, permissions boundaries, AWS Organizations SCPs, or session policies. For more information about the different types of policies, see [Policies and permissions in AWS Identity and Access Management](./access_policies.html). @@ -84 +84 @@ However, if a resource-based policy grants permission to the ARN of the IAM user -**Organizations SCPs** – SCPs are applied to an entire AWS account. They limit permissions for every request made by a principal within the account. An IAM entity (user or role) can make a request that is affected by an SCP, a permissions boundary, and an identity-based policy. In this case, the request is allowed only if all three policy types allow it. The effective permissions are the intersection of all three policy types. An explicit deny in any of these policies overrides the allow. +**AWS Organizations SCPs** – SCPs are applied to an entire AWS account. They limit permissions for every request made by a principal within the account. An IAM entity (user or role) can make a request that is affected by an SCP, a permissions boundary, and an identity-based policy. In this case, the request is allowed only if all three policy types allow it. The effective permissions are the intersection of all three policy types. An explicit deny in any of these policies overrides the allow. @@ -88 +88 @@ However, if a resource-based policy grants permission to the ARN of the IAM user -You can learn [whether your account is a member of an organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_details.html#orgs_view_account) in AWS Organizations. Organization members might be affected by an SCP. To view this data using the AWS CLI command or AWS API operation, you must have permissions for the `organizations:DescribeOrganization` action for your Organizations entity. You must have additional permissions to perform the operation in the Organizations console. To learn whether an SCP is denying access to a specific request, or to change your effective permissions, contact your AWS Organizations administrator. +You can learn [whether your account is a member of an organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_details.html#orgs_view_account) in AWS Organizations. Organization members might be affected by an SCP. To view this data using the AWS CLI command or AWS API operation, you must have permissions for the `organizations:DescribeOrganization` action for your AWS Organizations entity. You must have additional permissions to perform the operation in the AWS Organizations console. To learn whether an SCP is denying access to a specific request, or to change your effective permissions, contact your AWS Organizations administrator.