AWS organizations medium security documentation change
Summary
Clarified IAM policy requirements for protecting accounts from closure, restructured examples, and added explicit note that SCPs cannot protect member accounts
Security assessment
The change explicitly warns that Service Control Policies (SCPs) cannot protect accounts from closure due to their limitations in affecting management account principals. This addresses a potential misconfiguration risk where users might incorrectly rely on SCPs for account protection. The documentation now provides clearer guidance on using IAM policies with explicit ARNs or tags to prevent accidental account closures.
Diff
diff --git a/organizations/latest/userguide/orgs_account_close_policy.md b/organizations/latest/userguide/orgs_account_close_policy.md index b6996c33b..e424ac5fa 100644 --- a//organizations/latest/userguide/orgs_account_close_policy.md +++ b//organizations/latest/userguide/orgs_account_close_policy.md @@ -9 +9 @@ Example IAM policies -If you want to protect a member account from accidental closure, you can create an IAM policy to specify which accounts are exempt from closure. Any member account protected with these policies can’t be closed. This can't be accomplished with an SCP, because they don't affect principals in the management account. +To protect member accounts from accidental closure, create an IAM policy that specifies which accounts are exempt. This policy prevents closure of protected member accounts. @@ -11 +11 @@ If you want to protect a member account from accidental closure, you can create -You can create an IAM policy that denies closing accounts in either of two ways: +Create an IAM policy to deny account closure using one of these methods: @@ -13 +13 @@ You can create an IAM policy that denies closing accounts in either of two ways: - * Explicitly list each account that you want to protect in the policy by including the `arn` in the `Resource` element. To see an example, see Prevent member accounts listed in this policy from getting closed. + * Explicitly list protected accounts in the policy's `Resource` element using their ARNs. @@ -15 +15 @@ You can create an IAM policy that denies closing accounts in either of two ways: - * Tag individual accounts to prevent them from getting closed. Use the `aws:ResourceTag` tag global condition key in your policy to prevent any account with the tag from being closed. To learn how to tag an account, see [Tagging Organizations resources](./orgs_tagging.html). To see an example, see Prevent member accounts with tags from getting closed . + * Tag individual accounts and use the `aws:ResourceTag` global condition key to prevent closure of tagged accounts. @@ -19,0 +20,4 @@ You can create an IAM policy that denies closing accounts in either of two ways: +###### Service control policies cannot protect member accounts + +Service Control Policies (SCPs) can't prtected member accounts because SCPs don't affect IAM principals in the management account. + @@ -24 +28,2 @@ The following code examples show two different methods you can use to restrict m -### Prevent member accounts with tags from getting closed +Prevent member accounts with tags from getting closed + @@ -44 +49,2 @@ You can attach the following policy to an identity in your management account. T -### Prevent member accounts listed in this policy from getting closed +Prevent member accounts listed in this policy from getting closed +