AWS security-ir medium security documentation change
Summary
Added compliance updates (HITRUST coverage), visibility/control updates, billing clarifications, and a new service role policy with additional actions and resource account condition
Security assessment
The added service role policy condition (aws:ResourceAccount matching principal account) enforces resource isolation, preventing cross-account access risks. The HITRUST compliance update also adds security framework documentation.
Diff
diff --git a/security-ir/latest/userguide/document-history-for-the-aws-security-incident-response-user-guide.md b/security-ir/latest/userguide/document-history-for-the-aws-security-incident-response-user-guide.md index 1bcec73d6..48ca31d5f 100644 --- a//security-ir/latest/userguide/document-history-for-the-aws-security-incident-response-user-guide.md +++ b//security-ir/latest/userguide/document-history-for-the-aws-security-incident-response-user-guide.md @@ -8,0 +9,12 @@ Change | Description | Date +Compliance and Billing Lanugage Updates | Updated [Removed statement that AWS Security Incident Response is not covered under any frameworks. AWS Security Incident Response is now covered under HITRUST with more to come in the future.](https://docs.aws.amazon.com/security-ir/latest/userguide/compliance-validation.html) Updated [Visiblity and Control](https://docs.aws.amazon.com/security-ir/latest/userguide/visibility-and-alerting.html) to add AWS Security Incident Response Updated [Cancel Membership](https://docs.aws.amazon.com/security-ir/latest/userguide/cancel-membership.html) to clarify service billing periods. Added a video to [Getting Started](https://docs.aws.amazon.com/security-ir/latest/userguide/getting-started.html) that provides additional context for typical tasks to begin using AWS Security Incident Response. | August 15, 2025 +Updated – [AWSSecurityIncidentResponseServiceRolePolicy](./aws-managed-policies.html#AWSSecurityIncidentResponseServiceRolePolicy) | The policy now includes two new actions for `"organizations:DescribeAccount"`, `"organizations:ListDelegatedAdministrators"` and a new condition: + + + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "${aws:PrincipalAccount}" + } + } + + +| TBD