AWS IAM documentation change
Summary
Added detailed IAM permissions requirements for root access management and reorganized Organizations permissions
Security assessment
The change adds documentation about required permissions (including security-sensitive actions like sts:AssumeRoot) and recommends additional permissions for secure console operations. While this improves security documentation by clarifying least-privilege requirements, there's no evidence of addressing a specific vulnerability.
Diff
diff --git a/IAM/latest/UserGuide/id_root-enable-root-access.md b/IAM/latest/UserGuide/id_root-enable-root-access.md index 3c7dbd3d7..313dbc77f 100644 --- a//IAM/latest/UserGuide/id_root-enable-root-access.md +++ b//IAM/latest/UserGuide/id_root-enable-root-access.md @@ -24,0 +25,18 @@ Before you centralize root access, you must have an account configured with the + * You must have the following IAM permissions: + + * `iam:GetAccessKeyLastUsed` + + * `iam:GetAccountSummary` + + * `iam:GetLoginProfile` + + * `iam:GetUser` + + * `iam:ListAccessKeys` + + * `iam:ListMFADevices` + + * `iam:ListSigningCertificates` + + * `sts:AssumeRoot` + @@ -35,2 +52,0 @@ Before you centralize root access, you must have an account configured with the - * `organizations:RegisterDelegatedAdministrator ` - @@ -40,0 +57,18 @@ Before you centralize root access, you must have an account configured with the + * `organizations:RegisterDelegatedAdministrator` + + * To ensure optimal console functionality, we recommend enabling the following additional permissions: + + * `organizations:DescribeAccount` + + * `organizations:DescribeOrganization` + + * `organizations:ListAWSServiceAccessForOrganization` + + * `organizations:ListDelegatedAdministrators` + + * `organizations:ListOrganizationalUnitsForParent` + + * `organizations:ListParents` + + * `organizations:ListTagsForResource` +