AWS Security ChangesHomeSearch

AWS IAM medium security documentation change

Service: IAM · 2025-04-25 · Security-related medium

File: IAM/latest/UserGuide/id_root-user.md

Summary

Updated documentation to clarify account management requirements with AWS Organizations, emphasizing reduced need for root user credentials in member accounts and centralized management capabilities.

Security assessment

The changes highlight that AWS Organizations allows managing member accounts (e.g., closing accounts, updating root email) without root credentials, reducing reliance on privileged root access. This directly addresses security best practices by minimizing root user exposure, which mitigates risks associated with compromised root credentials.

Diff

diff --git a/IAM/latest/UserGuide/id_root-user.md b/IAM/latest/UserGuide/id_root-user.md
index 09495aebd..6f2a6c17b 100644
--- a//IAM/latest/UserGuide/id_root-user.md
+++ b//IAM/latest/UserGuide/id_root-user.md
@@ -61,0 +62,2 @@ To simplify managing privileged root user credentials across member accounts in
+  * [Change your AWS account settings.](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-root-user.html) Standalone AWS accounts that are not part of AWS Organizations require root credentials to update the email address, root user password, and root user access keys. Other account settings, such as account name, contact information, alternate contacts, payment currency preference, and AWS Regions, don't require root user credentials.
+
@@ -64 +66 @@ To simplify managing privileged root user credentials across member accounts in
-Closing a member account and changing the root user email address of a member account in AWS Organizations does not require root user credentials of the member account. These tasks do require root user credentials when performed on standalone accounts, the management account of an organization, or if a member account wishes to close itself.
+AWS Organizations, with all features enabled, can be used to manage member account settings centrally from the management account and delegated admin accounts. Authorized IAM users or IAM roles in both the management account and delegated admin accounts can close member accounts and update the root email addresses, account names, contact information, alternate contacts, and AWS Regions of member accounts. 
@@ -66 +68 @@ Closing a member account and changing the root user email address of a member ac
-  * [Change your account settings.](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-root-user.html) This includes the account name, email address, root user password, and root user access keys. Other account settings, such as contact information, payment currency preference, and AWS Regions, don't require root user credentials.
+  * [Close your AWS account.](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/close-account.html) Standalone AWS accounts that are not part of AWS Organizations require root credentials to close the account. With AWS Organizations, you can close the member accounts centrally from the management account and delegated admin accounts.
@@ -70,10 +71,0 @@ Closing a member account and changing the root user email address of a member ac
-  * [Close your AWS account](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/close-account.html).
-
-For more information, see the following topics:
-
-    * [How do I assign ownership of my AWS account to another entity?](https://aws.amazon.com/premiumsupport/knowledge-center/transfer-aws-account/).
-
-    * [How do I close my AWS account?](https://aws.amazon.com/premiumsupport/knowledge-center/close-aws-account/).
-
-    * [Close a standalone AWS account](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-closing.html).
-