AWS network-manager documentation change
Summary
Clarified AWS Organizations context in multi-account role documentation by explicitly mentioning 'AWS Organizations' in member account references and management account description
Security assessment
Changes only add explicit references to AWS Organizations for clarity without introducing or modifying security controls. No evidence of addressing vulnerabilities or security incidents.
Diff
diff --git a/network-manager/latest/tgwnm/nm-custom-multi-role.md b/network-manager/latest/tgwnm/nm-custom-multi-role.md index 4e7ebd3f8..faad5df07 100644 --- a//network-manager/latest/tgwnm/nm-custom-multi-role.md +++ b//network-manager/latest/tgwnm/nm-custom-multi-role.md @@ -9 +9 @@ CloudWatch-CrossAccountSharingRoleIAMRoleForAWSNetworkManagerCrossAccountResourc -AWS Global Networks for Transit Gateways uses AWS CloudFormation StackSets to deploy and manage the following two custom IAM roles in member accounts to support multi-account permissions. These two roles are deployed to every member account in the organization when `AWSServiceAccess` is enabled (trusted access). For more information about multi-account, see [Manage multiple accounts in global networks using ](./nm-multi-account.html#tgw-nm-multi). +AWS Global Networks for Transit Gateways uses AWS CloudFormation StackSets to deploy and manage the following two custom IAM roles in AWS Organizations member accounts to support multi-account permissions. These two roles are deployed to every member account in the organization when `AWSServiceAccess` is enabled (trusted access). For more information about multi-account, see [Manage multiple accounts in global networks using AWS Organizations](./nm-multi-account.html#tgw-nm-multi). @@ -104 +104 @@ The following is the read-only role template. -When choosing the `IAMRoleForAWSNetworkManagerCrossAccountResourceAccess` permission, an associated administrative or read-only template is also passed to AWS CloudFormation StackSets. These templates contain a list of accounts that are able to assume these roles. These accounts include the management account and all registered delegated administrators for the Network Manager service. Deregistering a delegated administrator removes it from this list so that it can no longer assume these roles. Disabling trusted access deletes the AWS CloudFormation StackSets, and in turn all member account stacks and custom IAM roles in those accounts that were StackSets-managed for multi-account. +When choosing the `IAMRoleForAWSNetworkManagerCrossAccountResourceAccess` permission, an associated administrative or read-only template is also passed to AWS CloudFormation StackSets. These templates contain a list of accounts that are able to assume these roles. These accounts include the AWS Organizations management account and all registered delegated administrators for the Network Manager service. Deregistering a delegated administrator removes it from this list so that it can no longer assume these roles. Disabling trusted access deletes the AWS CloudFormation StackSets, and in turn all member account stacks and custom IAM roles in those accounts that were StackSets-managed for multi-account.