AWS Security ChangesHomeSearch

AWS organizations documentation change

Service: organizations · 2025-04-25 · Documentation low

File: organizations/latest/userguide/orgs_manage_accounts_access.md

Summary

Restructured access methods documentation, moved 'Minimum permissions' section, and clarified sts:AssumeRole requirements

Security assessment

The changes emphasize proper IAM permissions (specifically sts:AssumeRole requirements) for cross-account access but do not address a specific security vulnerability. The updates improve security documentation by highlighting least-privilege principles without evidence of fixing an existing security issue.

Diff

diff --git a/organizations/latest/userguide/orgs_manage_accounts_access.md b/organizations/latest/userguide/orgs_manage_accounts_access.md
index 5c1930750..1056ada45 100644
--- a//organizations/latest/userguide/orgs_manage_accounts_access.md
+++ b//organizations/latest/userguide/orgs_manage_accounts_access.md
@@ -11 +11,11 @@ To access the accounts in your organization, you must use one of the following m
-**Using the root user (Not recommended for everyday tasks)**
+###### Minimum permissions
+
+To access an AWS account from any other account in your organization, you must have the following permission:
+
+  * `sts:AssumeRole` – The `Resource` element must be set to either an asterisk (*) or the account ID number of the account with the user who needs to access the new member account 
+
+
+
+
+Using the root user (Not recommended for everyday tasks)
+    
@@ -32 +42,2 @@ For the complete list of tasks that require you to sign in as the root user, see
-**Using trusted access for IAM Identity Center**
+Using trusted access for IAM Identity Center
+    
@@ -38 +49,2 @@ For more information, see [Multi-account permissions](https://docs.aws.amazon.co
-**Using the IAM role`OrganizationAccountAccessRole`**
+Using the IAM role OrganizationAccountAccessRole
+    
@@ -48,9 +59,0 @@ After you create the role, you can access it using the steps in [Accessing a mem
-###### Minimum permissions
-
-To access an AWS account from any other account in your organization, you must have the following permission:
-
-  * `sts:AssumeRole` – The `Resource` element must be set to either an asterisk (*) or the account ID number of the account with the user who needs to access the new member account 
-
-
-
-