AWS Security ChangesHomeSearch

AWS prescriptive-guidance documentation change

Service: prescriptive-guidance · 2025-12-25 · Documentation low

File: prescriptive-guidance/latest/security-reference-architecture/management-account.md

Summary

Updated documentation links, terminology, and service names. Changed 'AWS CloudTrail' to 'CloudTrail', updated delegated administrator URL, clarified IAM permissions language, and standardized security service names (e.g., 'IAM Identity Center' instead of 'AWS IAM Identity Center').

Security assessment

Changes are editorial improvements and terminology updates without evidence of addressing specific vulnerabilities. The modifications maintain existing security guidance about limiting management account access and using delegated administrators, but don't introduce new security concepts or address disclosed weaknesses.

Diff

diff --git a/prescriptive-guidance/latest/security-reference-architecture/management-account.md b/prescriptive-guidance/latest/security-reference-architecture/management-account.md
index 20220ba59..66cf8be52 100644
--- a//prescriptive-guidance/latest/security-reference-architecture/management-account.md
+++ b//prescriptive-guidance/latest/security-reference-architecture/management-account.md
@@ -3 +3 @@
-[Documentation](/index.html)[AWS Prescriptive Guidance](https://aws.amazon.com/prescriptive-guidance/)[AWS Security Reference Architecture](welcome.html)
+[Documentation](/index.html)[AWS Prescriptive Guidance](https://aws.amazon.com/prescriptive-guidance/)[AWS Security Reference Architecture (AWS SRA) – core architecture](introduction.html)
@@ -12 +12 @@ The management account (also called the AWS Organization Management account or O
-The management account deploys universal security guardrails through SCPs, RCPs, and service deployments (such as AWS CloudTrail) that will affect all member accounts in the AWS organization. To further restrict permissions in the management account, those permissions can be delegated to another appropriate account, such as a security account, where possible. 
+The management account deploys universal security guardrails through SCPs, RCPs, and service deployments (such as CloudTrail) that will affect all member accounts in the AWS organization. To further restrict permissions in the management account, those permissions can be delegated to another appropriate account, such as a security account, where possible.
@@ -16 +16 @@ The management account has the responsibilities of a payer account and is respon
-Because of the functionality and scope of influence the management account holds, we recommend that you limit access to this account and grant permissions only to roles that need them. Two features that help you do this are [trusted access](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html) and [delegated administrator](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_delegated_admin.html). You can use trusted access to enable an AWS service that you specify, called the _trusted service_ , to perform tasks in your AWS organization and its accounts on your behalf. This involves granting permissions to the trusted service but does not otherwise affect the permissions for IAM entities. You can use trusted access to specify settings and configuration details that you would like the trusted service to maintain in your AWS organization's accounts on your behalf. For example, the [Org Management account](./org-management.html) section of the AWS SRA explains how to grant the AWS CloudTrail service trusted access to create a CloudTrail organization trail in all accounts in your AWS organization.
+Because of the functionality and scope of influence the management account holds, we recommend that you limit access to this account and grant permissions only to roles that need them. Two features that help you do this are [trusted access](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html) and [delegated administrator](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrated-services-list.html). You can use trusted access to enable an AWS service that you specify, called the _trusted service_ , to perform tasks in your AWS organization and its accounts on your behalf. This involves granting permissions to the trusted service but does not otherwise affect the permissions for IAM users or roles. You can use trusted access to specify settings and configuration details that you would like the trusted service to maintain in your AWS organization's accounts on your behalf. For example, the [Org Management account](./org-management.html) section of the AWS SRA explains how to grant the CloudTrail service trusted access to create a CloudTrail organization trail in all accounts in your AWS organization.
@@ -18 +18 @@ Because of the functionality and scope of influence the management account holds
-Some AWS services support the delegated administrator feature in AWS Organizations. With this feature, compatible services can register an AWS member account in the AWS organization as an administrator for the AWS organization's accounts in that service. This capability provides flexibility for different teams within your enterprise to use separate accounts, as appropriate for their responsibilities, to manage AWS services across the environment. The AWS security services in the AWS SRA that currently support delegated administrator include AWS IAM Identity Center (successor to AWS Single Sign-On), AWS Config, AWS Firewall Manager, Amazon GuardDuty, AWS IAM Access Analyzer, Amazon Macie, AWS Security Hub Cloud Security Posture Management (CSPM), Amazon Detective, AWS Audit Manager, Amazon Inspector, and AWS Systems Manager. Use of the delegated administrator feature is emphasized in the AWS SRA as a best practice, and we delegate administration of security-related services to the Security Tooling account.
+Some AWS services support the delegated administrator feature in AWS Organizations. With this feature _,_ compatible services can register an AWSmember account in the AWS organization as an administrator for the AWS organization's accounts in that service. This capability provides flexibility for different teams within your enterprise to use separate accounts, as appropriate for their responsibilities, to manage AWS services across the environment. The AWS security services in the AWS SRA that currently support delegated administrator include IAM Identity Center, AWS Config, AWS Firewall Manager, Amazon GuardDuty, IAM Access Analyzer, Amazon Macie, AWS Security Hub Cloud Security Posture Management (AWS Security Hub CSPM), Amazon Detective, AWS Audit Manager, Amazon Inspector, and AWS Systems Manager. Use of the delegated administrator feature is emphasized in the AWS SRA as a best practice, and we delegate administration of security-related services to the Security Tooling account.