AWS organizations documentation change
Summary
Restructured access methods documentation, moved 'Minimum permissions' section, and clarified sts:AssumeRole requirements
Security assessment
The changes emphasize proper IAM permissions (specifically sts:AssumeRole requirements) for cross-account access but do not address a specific security vulnerability. The updates improve security documentation by highlighting least-privilege principles without evidence of fixing an existing security issue.
Diff
diff --git a/organizations/latest/userguide/orgs_manage_accounts_access.md b/organizations/latest/userguide/orgs_manage_accounts_access.md index 5c1930750..1056ada45 100644 --- a//organizations/latest/userguide/orgs_manage_accounts_access.md +++ b//organizations/latest/userguide/orgs_manage_accounts_access.md @@ -11 +11,11 @@ To access the accounts in your organization, you must use one of the following m -**Using the root user (Not recommended for everyday tasks)** +###### Minimum permissions + +To access an AWS account from any other account in your organization, you must have the following permission: + + * `sts:AssumeRole` – The `Resource` element must be set to either an asterisk (*) or the account ID number of the account with the user who needs to access the new member account + + + + +Using the root user (Not recommended for everyday tasks) + @@ -32 +42,2 @@ For the complete list of tasks that require you to sign in as the root user, see -**Using trusted access for IAM Identity Center** +Using trusted access for IAM Identity Center + @@ -38 +49,2 @@ For more information, see [Multi-account permissions](https://docs.aws.amazon.co -**Using the IAM role`OrganizationAccountAccessRole`** +Using the IAM role OrganizationAccountAccessRole + @@ -48,9 +59,0 @@ After you create the role, you can access it using the steps in [Accessing a mem -###### Minimum permissions - -To access an AWS account from any other account in your organization, you must have the following permission: - - * `sts:AssumeRole` – The `Resource` element must be set to either an asterisk (*) or the account ID number of the account with the user who needs to access the new member account - - - -