AWS Security ChangesHomeSearch

AWS organizations documentation change

Service: organizations · 2025-10-01 · Documentation low

File: organizations/latest/userguide/orgs_manage_policies_scps_evaluation.md

Summary

Updated image captions and alt-text to be more descriptive about SCP evaluation scenarios

Security assessment

Changes improve documentation clarity for existing security controls (SCPs) but don't introduce new security guidance or address vulnerabilities.

Diff

diff --git a/organizations/latest/userguide/orgs_manage_policies_scps_evaluation.md b/organizations/latest/userguide/orgs_manage_policies_scps_evaluation.md
index d729d2b4d..30195dd60 100644
--- a//organizations/latest/userguide/orgs_manage_policies_scps_evaluation.md
+++ b//organizations/latest/userguide/orgs_manage_policies_scps_evaluation.md
@@ -34 +34 @@ SCP evaluation follows a deny-by-default model, meaning that any permissions not
-![Organizational structure diagram showing Root, OU, and Member accounts with SCP permissions.](/images/organizations/latest/userguide/images/scp_allow_1.png)
+![Example organization structure with an Allow statement attached at Root, Production OU and Account B](/images/organizations/latest/userguide/images/scp_allow_1.png)
@@ -38 +38 @@ _Figure 1: Example organization structure with an`Allow` statement attached at R
-![Organizational structure with Root, OUs, and member accounts showing SCP allow and deny actions.](/images/organizations/latest/userguide/images/scp_allow_2.png)
+![Example organization structure with an Allow statement missing at Production OU and its impact on Account B](/images/organizations/latest/userguide/images/scp_allow_2.png)
@@ -48 +48 @@ For example, let’s say there is an SCP attached to the Production OU that has
-![Organizational structure showing Root, OUs, and member accounts with SCP permissions.](/images/organizations/latest/userguide/images/scp_deny_1.png)
+![Example organization structure with a Deny statement attached at Production OU and its impact on Account B](/images/organizations/latest/userguide/images/scp_deny_1.png)
@@ -123 +123 @@ This scenario demonstrates how deny policies at higher levels in the organizatio
-![](/images/organizations/latest/userguide/images/scp_scenario_1.png)
+![Scenario 1: Impact of Deny policies](/images/organizations/latest/userguide/images/scp_scenario_1.png)
@@ -129 +129 @@ This scenario shows how allow policies work in SCPs. For a service to be accessi
-![](/images/organizations/latest/userguide/images/scp_scenario_2.png)
+![Scenario 2: Allow policies must exist at every level](/images/organizations/latest/userguide/images/scp_scenario_2.png)
@@ -135 +135 @@ Missing an "Allow" statement at the root-level in an SCP is a critical misconfig
-![](/images/organizations/latest/userguide/images/scp_scenario_3.png)
+![Scenario 3: Impact of missing an Allow statement at the root-level](/images/organizations/latest/userguide/images/scp_scenario_3.png)
@@ -141 +141 @@ This scenario demonstrates a two-level deep OU structure. Both the Root and the
-![](/images/organizations/latest/userguide/images/scp_scenario_4.png)
+![Scenario 4: Layered Deny statements and resulting permissions](/images/organizations/latest/userguide/images/scp_scenario_4.png)
@@ -147 +147 @@ This scenario shows how allow policies can be used to restrict access to specifi
-![](/images/organizations/latest/userguide/images/scp_scenario_5.png)
+![Scenario 5: Allow policies at the OU-level to restrict service access](/images/organizations/latest/userguide/images/scp_scenario_5.png)
@@ -153 +153 @@ This scenario demonstrates that a deny policy at the root-level affects all acco
-![](/images/organizations/latest/userguide/images/scp_scenario_6.png)
+![Scenario 6: Root-level deny affects all accounts regardless of lower-level allows](/images/organizations/latest/userguide/images/scp_scenario_6.png)