AWS Security ChangesHomeSearch

AWS organizations documentation change

Service: organizations · 2025-11-22 · Documentation low

File: organizations/latest/userguide/orgs_reference_available-policies.md

Summary

Updated URLs with double slashes and documented added IAM actions (GetPrimaryEmail, GetRegionOptStatus, etc.) to AWSOrganizationsReadOnlyAccess policy

Security assessment

The changes document expanded IAM permissions (including viewing root user emails), which relates to access control but does not indicate a security vulnerability fix. The updates are feature enhancements rather than addressing a specific security issue.

Diff

diff --git a/organizations/latest/userguide/orgs_reference_available-policies.md b/organizations/latest/userguide/orgs_reference_available-policies.md
index 9502893bd..5ba09bbd7 100644
--- a//organizations/latest/userguide/orgs_reference_available-policies.md
+++ b//organizations/latest/userguide/orgs_reference_available-policies.md
@@ -44,2 +44,2 @@ Change | Description | Date
-[DeclarativePoliciesEC2Report](https://console.aws.amazon.com/iam/home?#/policies/arn:aws:iam::aws:policy/DeclarativePoliciesEC2Report$jsonEditor) – New managed policy |  Added the `DeclarativePoliciesEC2Report` policy to enable the functionality of the `AWSServiceRoleForDeclarativePoliciesEC2Report` service-linked role. |  November 22, 2024  
-[AWSOrganizationsReadOnlyAccess](https://console.aws.amazon.com/iam/home?#/policies/arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess$jsonEditor) – updated to allow account API permissions required to view a root user email address. |  Added the `account:GetPrimaryEmail` action to enable access to view the root user email address for any member account in an organization and the `account:GetRegionOptStatus`action to enable access to view the enabled Regions for any member account in an organization. |  June 6, 2024  
+[DeclarativePoliciesEC2Report](https://console.aws.amazon.com//iam/home?#/policies/arn:aws:iam::aws:policy/DeclarativePoliciesEC2Report$jsonEditor) – New managed policy |  Added the `DeclarativePoliciesEC2Report` policy to enable the functionality of the `AWSServiceRoleForDeclarativePoliciesEC2Report` service-linked role. |  November 22, 2024  
+[AWSOrganizationsReadOnlyAccess](https://console.aws.amazon.com//iam/home?#/policies/arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess$jsonEditor) – updated to allow account API permissions required to view a root user email address. |  Added the `account:GetPrimaryEmail` action to enable access to view the root user email address for any member account in an organization and the `account:GetRegionOptStatus`action to enable access to view the enabled Regions for any member account in an organization. |  June 6, 2024  
@@ -47 +47 @@ Change | Description | Date
-[AWSOrganizationsReadOnlyAccess](https://console.aws.amazon.com/iam/home?#/policies/arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess$jsonEditor) – updated to include `Sid` elements that describe the policy statement. |  Added `Sid` elements for the `AWSOrganizationsReadOnlyAccess` managed policy. |  February 6, 2024  
+[AWSOrganizationsReadOnlyAccess](https://console.aws.amazon.com//iam/home?#/policies/arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess$jsonEditor) – updated to include `Sid` elements that describe the policy statement. |  Added `Sid` elements for the `AWSOrganizationsReadOnlyAccess` managed policy. |  February 6, 2024  
@@ -49 +49 @@ Change | Description | Date
-[AWSOrganizationsReadOnlyAccess](https://console.aws.amazon.com/iam/home?#/policies/arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess$jsonEditor) – updated to allow account API permissions required to list AWS Regions via the Organizations console. |  Added the `account:ListRegions` action to the policy to enable access to view Regions for an account. |  December 22, 2022  
+[AWSOrganizationsReadOnlyAccess](https://console.aws.amazon.com//iam/home?#/policies/arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess$jsonEditor) – updated to allow account API permissions required to list AWS Regions via the Organizations console. |  Added the `account:ListRegions` action to the policy to enable access to view Regions for an account. |  December 22, 2022  
@@ -51 +51 @@ Change | Description | Date
-[AWSOrganizationsReadOnlyAccess](https://console.aws.amazon.com/iam/home?#/policies/arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess$jsonEditor) – updated to allow account API permissions required to view account contacts via the Organizations console. |  Added the `account:GetContactInformation` action to the policy to enable access to view contacts for an account. |  October 21, 2022  
+[AWSOrganizationsReadOnlyAccess](https://console.aws.amazon.com//iam/home?#/policies/arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess$jsonEditor) – updated to allow account API permissions required to view account contacts via the Organizations console. |  Added the `account:GetContactInformation` action to the policy to enable access to view contacts for an account. |  October 21, 2022  
@@ -54 +54 @@ Change | Description | Date
-[AWSOrganizationsReadOnlyAccess](https://console.aws.amazon.com/iam/home?#/policies/arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess$jsonEditor) – updated to allow account API permissions required to view account alternate contacts via the Organizations console. |  Added the `account:GetAlternateContact` action to the policy to enable access to view alternate contacts for an account. |  February 7, 2022  
+[AWSOrganizationsReadOnlyAccess](https://console.aws.amazon.com//iam/home?#/policies/arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess$jsonEditor) – updated to allow account API permissions required to view account alternate contacts via the Organizations console. |  Added the `account:GetAlternateContact` action to the policy to enable access to view alternate contacts for an account. |  February 7, 2022