AWS Security ChangesHomeSearch

AWS AWSCloudFormation documentation change

Service: AWSCloudFormation · 2025-04-18 · Documentation medium

File: AWSCloudFormation/latest/UserGuide/aws-resource-config-configurationaggregator.md

Summary

Added organization configuration considerations and expanded IAM policy details for AWS Config aggregator

Security assessment

Adds documentation about required permissions and security best practices for organization access, but does not address a specific vulnerability

Diff

diff --git a/AWSCloudFormation/latest/UserGuide/aws-resource-config-configurationaggregator.md b/AWSCloudFormation/latest/UserGuide/aws-resource-config-configurationaggregator.md
index da6c17e37..ebb096c0c 100644
--- a//AWSCloudFormation/latest/UserGuide/aws-resource-config-configurationaggregator.md
+++ b//AWSCloudFormation/latest/UserGuide/aws-resource-config-configurationaggregator.md
@@ -173,0 +174,11 @@ The following example creates a `ConfigurationAggregator` for an organization.
+**Considerations**
+
+  * The aggregator account must be the management account or a delegated administrator account in the organization
+
+  * AWS Config must be enabled with proper service access in the organization
+
+  * The role must have proper permissions to call AWS Organizations APIs
+
+
+
+
@@ -195 +206,3 @@ The following example creates a `ConfigurationAggregator` for an organization.
-            "ManagedPolicyArns": "arn:aws:iam::aws:policy/service-role/AWSConfigRoleForOrganizations",
+            "ManagedPolicyArns": [
+                "arn:aws:iam::aws:policy/service-role/AWSConfigRoleForOrganizations"
+            ],
@@ -207,0 +221,17 @@ The following example creates a `ConfigurationAggregator` for an organization.
+            },
+            "Policies": [
+                {
+                    "PolicyName": "OrganizationAccess",
+                    "PolicyDocument": {
+                        "Version": "2012-10-17",
+                        "Statement": [
+                            {
+                                "Effect": "Allow",
+                                "Action": [
+                                    "organizations:DescribeOrganization",
+                                    "organizations:ListAWSServiceAccessForOrganization",
+                                    "organizations:ListAccounts"
+                                ],
+                                "Resource": "*"
+                            }
+                        ]
@@ -209,0 +240,2 @@ The following example creates a `ConfigurationAggregator` for an organization.
+            ]
+        }
@@ -240,0 +273,11 @@ The following example creates a `ConfigurationAggregator` for an organization.
+            Policies:
+                - PolicyName: OrganizationAccess
+                  PolicyDocument:
+                    Version: "2012-10-17"
+                    Statement:
+                        - Effect: Allow
+                          Action:
+                            - organizations:DescribeOrganization
+                            - organizations:ListAWSServiceAccessForOrganization
+                            - organizations:ListAccounts
+                          Resource: "*"