AWS opensearch-service documentation change
Summary
Added documentation about service control policies (SCPs) and resource control policies (RCPs) in AWS Organizations
Security assessment
The changes add documentation about organizational policy types (SCPs/RCPs) that help enforce permission boundaries. While these are security-related features for access control, the update is explanatory rather than addressing a specific security issue. The documentation explains existing security controls rather than introducing new ones or fixing vulnerabilities.
Diff
diff --git a/opensearch-service/latest/developerguide/security-iam-serverless.md b/opensearch-service/latest/developerguide/security-iam-serverless.md index 8895139b3..51a4e1f83 100644 --- a//opensearch-service/latest/developerguide/security-iam-serverless.md +++ b//opensearch-service/latest/developerguide/security-iam-serverless.md @@ -5 +5 @@ -Identity-based policiesPolicy actionsPolicy resourcesPolicy condition keysABACTemporary credentialsService-linked rolesIdentity-based policy examples +Identity-based policiesPolicy actionsPolicy resourcesPolicy condition keysABACTemporary credentialsService-linked rolesOther policy typesIdentity-based policy examples @@ -26,0 +27,2 @@ AWS Identity and Access Management (IAM) is an AWS service that helps an adminis + * Other policy types + @@ -179,0 +182,11 @@ For details about creating and managing OpenSearch Serverless service-linked rol +## Other policy types + +AWS supports additional, less-common policy types. These policy types can set the maximum permissions granted to you by the more common policy types. + + * Service control policies (SCPs) – SCPs are JSON policies that specify the maximum permissions for an organization or organizational unit (OU) in AWS Organizations. AWS Organizations is a service for grouping and centrally managing multiple AWS accounts that your business owns. If you enable all features in an organization, then you can apply service control policies (SCPs) to any or all of your accounts. The SCP limits permissions for entities in member accounts, including each AWS account root user. For more information about Organizations and SCPs, see [Service control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) in the _AWS Organizations User Guide_. + + * Resource control policies (RCPs) – RCPs are JSON policies that you can use to set the maximum available permissions for resources in your accounts without updating the IAM policies attached to each resource that you own. The RCP limits permissions for resources in member accounts and can impact the effective permissions for identities, including the AWS account root user, regardless of whether they belong to your organization. For more information about Organizations and RCPs, including a list of AWS services that support RCPs, see [Resource control policies (RCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html) in the _AWS Organizations User Guide_. + + + +