AWS AWSCloudFormation documentation change
Summary
Updated documentation about stack set targeting behavior and account filtering options
Security assessment
The change clarifies account targeting granularity in organizational deployments, including the ability to use account filters. This supports security best practices by enabling more precise access control, but doesn't address a specific known vulnerability.
Diff
diff --git a/AWSCloudFormation/latest/UserGuide/stacksets-orgs-associate-stackset-with-org.md b/AWSCloudFormation/latest/UserGuide/stacksets-orgs-associate-stackset-with-org.md index 68feff313..ea209f9d2 100644 --- a//AWSCloudFormation/latest/UserGuide/stacksets-orgs-associate-stackset-with-org.md +++ b//AWSCloudFormation/latest/UserGuide/stacksets-orgs-associate-stackset-with-org.md @@ -28,3 +28 @@ Before you create a stack set with service-managed permissions, consider the fol - * Your stack set can target your entire organization or specified organizational units (OUs). If your stack set targets your organization, it also targets all accounts in all OUs in the organization. If your stack set targets specified OUs, it also targets all accounts in those OUs. - - * If your stack set targets a parent OU, the stack set also targets any child OUs. + * Your stack set can target your entire organization (includes all accounts) or specified organizational units (OUs). If your stack set targets a parent OU, it also targets any child OUs. When your stack set targets specific OUs, all accounts within those OUs are included by default. However, you can target specific accounts using account filter options.