AWS organizations medium security documentation change
Summary
Added example CloudTrail log entries for EffectivePolicyValidation events (invalid and valid policy states)
Security assessment
The change documents how to identify invalid effective policies via CloudTrail logs, which helps detect misconfigurations that could lead to security risks. The example explicitly shows validation errors like exceeding policy limits, enabling proactive remediation.
Diff
diff --git a/organizations/latest/userguide/orgs_cloudtrail-integration.md b/organizations/latest/userguide/orgs_cloudtrail-integration.md index 33b8c8909..2a4cc1a2e 100644 --- a//organizations/latest/userguide/orgs_cloudtrail-integration.md +++ b//organizations/latest/userguide/orgs_cloudtrail-integration.md @@ -405,0 +406,84 @@ The following example shows a CloudTrail log entry for a sample `AttachPolicy` c +### Example log entry: Invalid effective policy + +The following example shows a CloudTrail log entry for a sample `EffectivePolicyValidation` event. This event is emitted to the management account of the organization whenever an update in the organization creates an invalid effective policy on any account. + + + { + "eventVersion": "1.11", + "userIdentity": { + "accountId": "111122223333", + "invokedBy": "AWS Internal" + }, + "eventTime": "2025-07-17T14:53:40Z", + "eventSource": "organizations.amazonaws.com", + "eventName": "EffectivePolicyValidation", + "awsRegion": "us-east-1", + "sourceIPAddress": "AWS Internal", + "userAgent": "AWS Internal", + "requestParameters": null, + "responseElements": null, + "eventID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE", + "readOnly": true, + "eventType": "AwsServiceEvent", + "managementEvent": true, + "recipientAccountId": "111111111111", + "serviceEventDetails": { + "accountId": "111111111111", + "policyType": "BACKUP_POLICY", + "state": "INVALID", + "requestTimestamp": "Jul 17, 2025, 2:53:40 PM", + "info": "All validation errors listed", + "validationErrors": [ + { + "accountPath": "o-aa111bb222/r-a1b2/111111111111/", + "evaluationTimestamp": "Jul 17, 2025, 2:53:40 PM", + "errorCode": "ELEMENTS_TOO_MANY", + "errorMessage": "'hourly_rule' exceeds the allowed maximum limit 10", + "pathToError": "plans/hourly-backup/rules/hourly_rule", + "contributingPolicies": [ + "p-examplepolicyid111" + ] + } + ] + }, + "eventCategory": "Management" + } + + + +### Example log entry: Valid effective policy + +The following example shows a CloudTrail log entry for a sample `EffectivePolicyValidation` event. This event is emitted to the management account of the organization whenever an update in the organization fixes an effective policy on an account which was invalid previously. + + + { + "eventVersion": "1.11", + "userIdentity": { + "accountId": "111111111111", + "invokedBy": "AWS Internal" + }, + "eventTime": "2025-07-17T14:54:40Z", + "eventSource": "organizations.amazonaws.com", + "eventName": "EffectivePolicyValidation", + "awsRegion": "us-east-1", + "sourceIPAddress": "AWS Internal", + "userAgent": "AWS Internal", + "requestParameters": null, + "responseElements": null, + "eventID": "EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE", + "readOnly": true, + "eventType": "AwsServiceEvent", + "managementEvent": true, + "recipientAccountId": "111111111111", + "serviceEventDetails": { + "accountId": "111111111111", + "policyType": "BACKUP_POLICY", + "state": "VALID", + "requestTimestamp": "Jul 17, 2025, 2:54:40 PM", + "info": "Previous effective policy validation error(s) resolved for this account/policyType" + }, + "eventCategory": "Management" + } + + +