AWS AWSCloudFormation documentation change
Summary
Added organization configuration considerations and expanded IAM policy details for AWS Config aggregator
Security assessment
Adds documentation about required permissions and security best practices for organization access, but does not address a specific vulnerability
Diff
diff --git a/AWSCloudFormation/latest/UserGuide/aws-resource-config-configurationaggregator.md b/AWSCloudFormation/latest/UserGuide/aws-resource-config-configurationaggregator.md index da6c17e37..ebb096c0c 100644 --- a//AWSCloudFormation/latest/UserGuide/aws-resource-config-configurationaggregator.md +++ b//AWSCloudFormation/latest/UserGuide/aws-resource-config-configurationaggregator.md @@ -173,0 +174,11 @@ The following example creates a `ConfigurationAggregator` for an organization. +**Considerations** + + * The aggregator account must be the management account or a delegated administrator account in the organization + + * AWS Config must be enabled with proper service access in the organization + + * The role must have proper permissions to call AWS Organizations APIs + + + + @@ -195 +206,3 @@ The following example creates a `ConfigurationAggregator` for an organization. - "ManagedPolicyArns": "arn:aws:iam::aws:policy/service-role/AWSConfigRoleForOrganizations", + "ManagedPolicyArns": [ + "arn:aws:iam::aws:policy/service-role/AWSConfigRoleForOrganizations" + ], @@ -207,0 +221,17 @@ The following example creates a `ConfigurationAggregator` for an organization. + }, + "Policies": [ + { + "PolicyName": "OrganizationAccess", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "organizations:DescribeOrganization", + "organizations:ListAWSServiceAccessForOrganization", + "organizations:ListAccounts" + ], + "Resource": "*" + } + ] @@ -209,0 +240,2 @@ The following example creates a `ConfigurationAggregator` for an organization. + ] + } @@ -240,0 +273,11 @@ The following example creates a `ConfigurationAggregator` for an organization. + Policies: + - PolicyName: OrganizationAccess + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Action: + - organizations:DescribeOrganization + - organizations:ListAWSServiceAccessForOrganization + - organizations:ListAccounts + Resource: "*"