AWS Security ChangesHomeSearch

AWS IAM documentation change

Service: IAM · 2025-04-03 · Documentation low

File: IAM/latest/UserGuide/access_policies_last-accessed.md

Summary

Updated documentation to consistently use 'AWS Organizations' instead of 'Organizations' throughout the file for service name accuracy

Security assessment

Changes are purely terminological clarifications to use the full service name 'AWS Organizations' rather than shorthand. No security vulnerabilities, mitigations, or new security features are mentioned or addressed.

Diff

diff --git a/IAM/latest/UserGuide/access_policies_last-accessed.md b/IAM/latest/UserGuide/access_policies_last-accessed.md
index 94fea6f7c..c09da7127 100644
--- a//IAM/latest/UserGuide/access_policies_last-accessed.md
+++ b//IAM/latest/UserGuide/access_policies_last-accessed.md
@@ -5 +5 @@
-Last accessed information types for IAMLast accessed information for AWS OrganizationsThings to know about last accessed informationPermissions requiredTroubleshoot activity for IAM and Organizations entitiesWhere AWS tracks last accessed information
+Last accessed information types for IAMLast accessed information for AWS OrganizationsThings to know about last accessed informationPermissions requiredTroubleshoot activity for IAM and AWS Organizations entitiesWhere AWS tracks last accessed information
@@ -23 +23 @@ You can continuously monitor last accessed information with unused access analyz
-  * Troubleshoot activity for IAM and Organizations entities
+  * Troubleshoot activity for IAM and AWS Organizations entities
@@ -29 +29 @@ You can continuously monitor last accessed information with unused access analyz
-  * [View last accessed information for Organizations](./access_policies_last-accessed-view-data-orgs.html)
+  * [View last accessed information for AWS Organizations](./access_policies_last-accessed-view-data-orgs.html)
@@ -48 +48 @@ To learn more about how the information for management actions is provided, see
-If you sign in using management account credentials, you can view service last accessed information for an AWS Organizations entity or policy in your organization. AWS Organizations entities include the organization root, organizational units (OUs), or accounts. Last accessed information for AWS Organizations includes information about services that are allowed by a service control policy (SCP). The information indicates which principals (root user, IAM user, or role) in an organization or account last attempted to access the service and when. To learn more about the report and how to view last accessed information for AWS Organizations, see [View last accessed information for Organizations](./access_policies_last-accessed-view-data-orgs.html).
+If you sign in using management account credentials, you can view service last accessed information for an AWS Organizations entity or policy in your organization. AWS Organizations entities include the organization root, organizational units (OUs), or accounts. Last accessed information for AWS Organizations includes information about services that are allowed by a service control policy (SCP). The information indicates which principals (root user, IAM user, or role) in an organization or account last attempted to access the service and when. To learn more about the report and how to view last accessed information for AWS Organizations, see [View last accessed information for AWS Organizations](./access_policies_last-accessed-view-data-orgs.html).
@@ -50 +50 @@ If you sign in using management account credentials, you can view service last a
-For example scenarios for using last accessed information to make decisions about the permissions that you grant to your Organizations entities, see [Example scenarios for using last accessed information](./access_policies_last-accessed-example-scenarios.html).
+For example scenarios for using last accessed information to make decisions about the permissions that you grant to your AWS Organizations entities, see [Example scenarios for using last accessed information](./access_policies_last-accessed-example-scenarios.html).
@@ -54 +54 @@ For example scenarios for using last accessed information to make decisions abou
-Before you use last accessed information from a report to change the permissions for an IAM identity or Organizations entity, review the following details about the information.
+Before you use last accessed information from a report to change the permissions for an IAM identity or AWS Organizations entity, review the following details about the information.
@@ -72 +72 @@ Action last accessed information is not available for any data plane event.
-  * **IAM resources** – The last accessed information for IAM includes IAM resources (roles, users, IAM groups, and policies) in your account. Last accessed information for Organizations includes principals (IAM users, IAM roles, or the AWS account root user) in the specified Organizations entity. The last accessed information does not include unauthenticated attempts.
+  * **IAM resources** – The last accessed information for IAM includes IAM resources (roles, users, IAM groups, and policies) in your account. Last accessed information for AWS Organizations includes principals (IAM users, IAM roles, or the AWS account root user) in the specified AWS Organizations entity. The last accessed information does not include unauthenticated attempts.
@@ -76 +76 @@ Action last accessed information is not available for any data plane event.
-  * **Organizations policy types** – The information for AWS Organizations includes only services that are allowed by an Organizations entity's inherited service control policies (SCPs). SCPs are policies attached to a root, OU, or account. Access allowed by other policy types is not included in your report. The excluded policy types include identity-based policies, resource-based policies, access control lists, IAM permissions boundaries, and session policies. To learn how the different policy types are evaluated to allow or deny access, see [Policy evaluation logic](./reference_policies_evaluation-logic.html).
+  * **AWS Organizations policy types** – The information for AWS Organizations includes only services that are allowed by an AWS Organizations entity's inherited service control policies (SCPs). SCPs are policies attached to a root, OU, or account. Access allowed by other policy types is not included in your report. The excluded policy types include identity-based policies, resource-based policies, access control lists, IAM permissions boundaries, and session policies. To learn how the different policy types are evaluated to allow or deny access, see [Policy evaluation logic](./reference_policies_evaluation-logic.html).
@@ -78 +78 @@ Action last accessed information is not available for any data plane event.
-  * **Specifying a policy ID** – When you use the AWS CLI or AWS API to generate a report for last accessed information in Organizations, you can optionally specify a policy ID. The resulting report includes information for the services that are allowed by only that policy. The information includes the most recent account activity in the specified Organizations entity or the entity's children. For more information, see [aws iam generate-organizations-access-report](https://docs.aws.amazon.com/cli/latest/reference/iam/generate-organizations-access-report.html) or [GenerateOrganizationsAccessReport](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GenerateOrganizationsAccessReport.html).
+  * **Specifying a policy ID** – When you use the AWS CLI or AWS API to generate a report for last accessed information in AWS Organizations, you can optionally specify a policy ID. The resulting report includes information for the services that are allowed by only that policy. The information includes the most recent account activity in the specified AWS Organizations entity or the entity's children. For more information, see [aws iam generate-organizations-access-report](https://docs.aws.amazon.com/cli/latest/reference/iam/generate-organizations-access-report.html) or [GenerateOrganizationsAccessReport](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GenerateOrganizationsAccessReport.html).
@@ -80 +80 @@ Action last accessed information is not available for any data plane event.
-  * **Organizations management account** – You must sign in to your organization's management account to view service last accessed information. You can choose to view information for the management account using the IAM console, the AWS CLI, or the AWS API. The resulting report lists all AWS services, because the management account is not limited by SCPs. If you specify a policy ID in the CLI or API, the policy is ignored. For each service, the report includes information for only the management account. However, reports for other Organizations entities do not return information for activity in the management account.
+  * **AWS Organizations management account** – You must sign in to your organization's management account to view service last accessed information. You can choose to view information for the management account using the IAM console, the AWS CLI, or the AWS API. The resulting report lists all AWS services, because the management account is not limited by SCPs. If you specify a policy ID in the CLI or API, the policy is ignored. For each service, the report includes information for only the management account. However, reports for other AWS Organizations entities do not return information for activity in the management account.
@@ -82 +82 @@ Action last accessed information is not available for any data plane event.
-  * **Organizations settings** – An administrator must [enable SCPs in your organization root](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html#enable_policies_on_root) before you can generate data for Organizations.
+  * **AWS Organizations settings** – An administrator must [enable SCPs in your organization root](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html#enable_policies_on_root) before you can generate data for AWS Organizations.
@@ -147 +147 @@ This example shows how you might create an identity-based policy that allows vie
-To use the IAM console to view a report for the root, OU, or account entities in Organizations, you must have a policy that includes the following actions:
+To use the IAM console to view a report for the root, OU, or account entities in AWS Organizations, you must have a policy that includes the following actions:
@@ -174 +174 @@ To use the IAM console to view a report for the root, OU, or account entities in
-To use the AWS CLI or AWS API to view service last accessed information for Organizations, you must have a policy that includes the following actions:
+To use the AWS CLI or AWS API to view service last accessed information for AWS Organizations, you must have a policy that includes the following actions:
@@ -195 +195 @@ To use the AWS CLI or AWS API to view service last accessed information for Orga
-This example shows how you might create an identity-based policy that allows viewing service last accessed information for Organizations. Additionally, it allows read-only access to all of Organizations. This policy defines permissions for programmatic and console access. 
+This example shows how you might create an identity-based policy that allows viewing service last accessed information for AWS Organizations. Additionally, it allows read-only access to all of AWS Organizations. This policy defines permissions for programmatic and console access. 
@@ -212 +212 @@ This example shows how you might create an identity-based policy that allows vie
-You can also use the [iam:OrganizationsPolicyId](./reference_policies_iam-condition-keys.html#ck_OrganizationsPolicyId) condition key to allow generating a report only for a specific Organizations policy. For an example policy, see [IAM: View service last accessed information for an Organizations policy](./reference_policies_examples_iam_service-accessed-data-orgs.html).
+You can also use the [iam:OrganizationsPolicyId](./reference_policies_iam-condition-keys.html#ck_OrganizationsPolicyId) condition key to allow generating a report only for a specific AWS Organizations policy. For an example policy, see [IAM: View service last accessed information for an AWS Organizations policy](./reference_policies_examples_iam_service-accessed-data-orgs.html).
@@ -214 +214 @@ You can also use the [iam:OrganizationsPolicyId](./reference_policies_iam-condit
-## Troubleshoot activity for IAM and Organizations entities
+## Troubleshoot activity for IAM and AWS Organizations entities
@@ -232 +232 @@ In some cases, your AWS Management Console last accessed information table might
-  * For an Organizations entity (root, OU, or account), make sure that you are signed using Organizations management account credentials.
+  * For an AWS Organizations entity (root, OU, or account), make sure that you are signed using AWS Organizations management account credentials.