AWS Security ChangesHomeSearch

AWS prescriptive-guidance documentation change

Service: prescriptive-guidance · 2025-12-25 · Documentation low

File: prescriptive-guidance/latest/security-reference-architecture/org-management.md

Summary

Updated AWS Organizations documentation with corrected links, terminology changes (e.g., 'IAM entities' to 'IAM principals'), and improved formatting. Enhanced explanations of SCPs, RCPs, declarative policies, and IAM Identity Center. Fixed broken links and updated AWS Control Tower references.

Security assessment

Changes focus on improving accuracy and clarity of existing security documentation. Updates include security features like SCPs, RCPs, IMDSv2 enforcement, and IAM least privilege strategies. No evidence of specific vulnerability fixes; changes are routine documentation improvements.

Diff

diff --git a/prescriptive-guidance/latest/security-reference-architecture/org-management.md b/prescriptive-guidance/latest/security-reference-architecture/org-management.md
index c0ac342b9..7aeda8f9d 100644
--- a//prescriptive-guidance/latest/security-reference-architecture/org-management.md
+++ b//prescriptive-guidance/latest/security-reference-architecture/org-management.md
@@ -3 +3 @@
-[Documentation](/index.html)[AWS Prescriptive Guidance](https://aws.amazon.com/prescriptive-guidance/)[AWS Security Reference Architecture](welcome.html)
+[Documentation](/index.html)[AWS Prescriptive Guidance](https://aws.amazon.com/prescriptive-guidance/)[AWS Security Reference Architecture (AWS SRA) – core architecture](introduction.html)
@@ -14 +14 @@ The following diagram illustrates the AWS security services that are configured
-![Security services for Org Management account](/images/prescriptive-guidance/latest/security-reference-architecture/images/org-management-acct.png)
+![Security services for Org Management account.](/images/prescriptive-guidance/latest/security-reference-architecture/images/org-management-acct.png)
@@ -20 +20 @@ The sections [Using AWS Organizations for security](./organizations-security.htm
-With [AWS Organizations](https://aws.amazon.com/organizations/), you can centrally manage policies across multiple AWS accounts. For example, you can apply [service control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) (SCPs) across multiple AWS accounts that are members of an organization. SCPs allow you to define which AWS service APIs can and cannot be run by [AWS Identity and Access Management](https://aws.amazon.com/iam/) (IAM) entities (such as IAM users and roles) in your organization's member AWS accounts. SCPs are created and applied from the Org management account, which is the AWS account that you used when you created your organization. Read more about SCPs in the [Using AWS Organizations for security](./organizations-security.html) section earlier in this reference. 
+With [AWS Organizations](https://aws.amazon.com/organizations/), you can centrally manage policies across multiple AWS accounts. For example, you can apply [service control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html) (SCPs) across multiple AWS accounts that are members of an organization. SCPs allow you to define which AWS service APIs can and cannot be run by [IAM](https://aws.amazon.com/iam/) principals (such as IAM users and roles) in your organization's member AWS accounts. SCPs are created and applied from the Org Management account, which is the AWS account that you used when you created your organization. Read more about SCPs in the [Using AWS Organizations for security](./organizations-security.html) section earlier in this reference. 
@@ -22 +22 @@ With [AWS Organizations](https://aws.amazon.com/organizations/), you can central
-If you use AWS Control Tower to manage your AWS organization, it will deploy a set of SCPs as preventative guardrails (categorized as mandatory, strongly recommended, or elective). These guardrails help you govern your resources by enforcing organization-wide security controls. These SCPs automatically use an aws-control-tower tag that has a value of managed-by-control-tower. 
+If you use AWS Control Tower to manage your AWS organization, it will deploy [a set of SCPs as preventive guardrails](https://docs.aws.amazon.com/controltower/latest/userguide/guardrails-reference.html) (categorized as mandatory, strongly recommended, or elective). These guardrails help you govern your resources by enforcing organization-wide security controls. These SCPs automatically use an aws-control-tower tag that has a value of managed-by-control-tower.
@@ -26,4 +26 @@ If you use AWS Control Tower to manage your AWS organization, it will deploy a s
-  * SCPs affect only _member_ accounts in the AWS organization. Although they are applied from the Org Management account, they have no effect on users or roles in that account. To learn about how SCP evaluation logic works, and to see examples of recommended structures, see the AWS blog post [How to Use Service Control Policies in AWS Organizations](https://aws.amazon.com/blogs/security/how-to-use-service-control-policies-in-aws-organizations/).
-
-
-
+SCPs affect only _member_ accounts in the AWS organization. Although they are applied from the Org Management account, they have no effect on users or roles in that account. To learn about how SCP evaluation logic works, and to see examples of recommended structures, see the AWS blog post [How to use service control policies in AWS Organizations](https://aws.amazon.com/blogs/security/how-to-use-service-control-policies-in-aws-organizations/).
@@ -33 +30 @@ If you use AWS Control Tower to manage your AWS organization, it will deploy a s
-Resource control policies (RCPs) offer centralized control over the maximum available permissions for resources in your organization. An RCP defines a permissions guardrail or sets limits on the actions that identities can take on resources in your organization. You can use RCPs to restrict who can access your resources and enforce requirements on how your resources can be accessed in your organization's member AWS accounts. You can attach RCPs directly to individual accounts, OUs, or the organization root. For a detailed explanation of how RCPs work, see [RCP evaluation](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps_evaluation.html) in the AWS Organizations documentation. Read more about RCPs in the [Using AWS Organizations for security](./organizations-security.html) section earlier in this reference.
+[Resource control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html) (RCPs) offer centralized control over the maximum available permissions for resources in your organization. An RCP defines a permissions guardrail or sets limits on the actions that identities can take on resources in your organization. You can use RCPs to restrict who can access your resources and enforce requirements on how your resources can be accessed in your organization's member AWS accounts. You can attach RCPs directly to individual accounts, OUs, or the organization root. For a detailed explanation of how RCPs work, see [RCP evaluation](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps_evaluation.html) in the AWS Organizations documentation. Read more about RCPs in the [Using AWS Organizations for security](./organizations-security.html) section earlier in this reference.
@@ -39 +36 @@ If you use AWS Control Tower to manage your AWS organization, it will deploy a s
-  * RCPs affect only resources in member accounts in the organization. They have no effect on resources in the management account. This also means that RCPs apply to member accounts that are designated as delegated administrators.
+  * RCPs affect only resources in ** _member_** accounts in the organization. They have no effect on resources in the management account. This also means that RCPs apply to member accounts that are designated as delegated administrators.
@@ -41 +38 @@ If you use AWS Control Tower to manage your AWS organization, it will deploy a s
-  * RCPs apply to resources for a subset of AWS services. For more information, see [List of AWS services that support RCPs](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html#rcp-supported-services) in the AWS Organizations documentation. You can use [AWS Config Rules](https://aws.amazon.com/config/) and [AWS Lambda functions](https://aws.amazon.com/pm/lambda/) to monitor and automate the enforcement of security controls on resources that aren’t currently supported by RCPs.
+  * RCPs apply to resources for a subset of AWS services. For more information, see [List of AWS services that support RCPs](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html#rcp-supported-services) in the AWS Organizations documentation. You can use [AWS Config Rules](https://aws.amazon.com/config/) and [AWS Lambda functions](https://aws.amazon.com/pm/lambda/) to monitor and automate the enforcement of security controls on resources that aren't currently supported by RCPs.
@@ -48 +45 @@ If you use AWS Control Tower to manage your AWS organization, it will deploy a s
-A declarative policy is a type of AWS Organizations management policy that helps you centrally declare and enforce your desired configuration for a given AWS service at scale across an organization. Declarative policies currently support [Amazon Elastic Compute Cloud (Amazon EC2)](https://aws.amazon.com/ec2/), [Amazon Virtual Private Cloud (Amazon VPC)](https://aws.amazon.com/vpc/), and [Amazon Elastic Block Store (Amazon EBS)](https://aws.amazon.com/ebs/) services. Available service attributes include enforcing Instance Metadata Service Version 2 (IMDSv2), allowing troubleshooting though the EC2 serial console, allowing [Amazon Machine Image (AMI)](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html) settings, and blocking public access for Amazon EBS snapshots, Amazon EC2 AMIs, and Amazon VPC resources. For the latest supported services and attributes, see Declarative policies in the AWS Organizations documentation.
+A declarative policy is a type of AWS Organizations management policy that helps you centrally declare and enforce your desired configuration for a given AWS service at scale across an organization. Declarative policies currently support [Amazon EC2](https://aws.amazon.com/ec2/), [Amazon VPC](https://aws.amazon.com/vpc/), and [Amazon EBS](https://aws.amazon.com/ebs/) services. Available service attributes include enforcing Instance Metadata Service Version 2 (IMDSv2), allowing troubleshooting though the EC2 serial console, allowing [Amazon Machine Image (AMI)](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html) settings, and blocking public access for Amazon EBS snapshots, Amazon EC2 AMIs, and Amazon VPC resources. For the latest supported services and attributes, see [Declarative policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_declarative.html#orgs_manage_policies_declarative-supported-controls) in the AWS Organizations documentation.
@@ -52 +49 @@ You can enforce the baseline configuration for an AWS service by making a few se
-You can use declarative policies to create custom error messages. For example, if an API operation fails because of a declarative policy, you can set the error message or provide a custom URL—such as a link to an internal wiki or a link to a message that describes the failure. This helps provide users with more information so they can troubleshoot the issue themselves. You can also audit the process of creating declarative policies, updating declarative policies, and deleting declarative policies by using AWS CloudTrail.
+You can use declarative policies to create custom error messages. For example, if an API operation fails because of a declarative policy, you can set the error message or provide a custom URL―such as a link to an internal wiki or a link to a message that describes the failure. This helps provide users with more information so they can troubleshoot the issue themselves. You can also audit the process of creating declarative policies, updating declarative policies, and deleting declarative policies by using AWS CloudTrail.
@@ -54 +51 @@ You can use declarative policies to create custom error messages. For example, i
-Declarative policies provide _account status reports_ , which enable you to review the current status of all attributes that are supported by declarative policies for the accounts in scope. You can choose the accounts and OUs to include in the report scope or choose an entire organization by selecting the root. This report helps you assess readiness by providing a breakdown by AWS Region and specifying whether the current state of an attribute is  _uniform across accounts_ (through the `numberOfMatchedAccounts` value) or  _inconsistent across accounts_ (through the `numberOfUnmatchedAccounts` value).
+Declarative policies provide _account status reports,_ which enable you to review the current status of all attributes that are supported by declarative policies for the accounts in scope. You can choose the accounts and OUs to include in the report scope or choose an entire organization by selecting the root. This report helps you assess readiness by providing a breakdown by AWS Region and specifying whether the current state of an attribute is  _uniform across accounts_ (through the `numberOfMatchedAccounts` value) or  _inconsistent_  _across accounts_ (through the `numberOfUnmatchedAccounts` value).
@@ -58,4 +55 @@ Declarative policies provide _account status reports_ , which enable you to revi
-  * When you configure a service attribute by using a declarative policy, the policy might impact multiple APIs. Any noncompliant actions will fail. Account administrators will not be able to modify the value of the service attribute at the individual account level.
-
-
-
+When you configure a service attribute by using a declarative policy, the policy might impact multiple APIs. Any noncompliant actions will fail. Account administrators will not be able to modify the value of the service attribute at the individual account level.
@@ -78 +72 @@ For centralized root credential management, you need to enable root credential m
-[AWS IAM Identity Center](https://aws.amazon.com/iam/identity-center/) (successor to AWS Single Sign-On) is an identity federation service that helps you centrally manage SSO access to all your AWS accounts, principals, and cloud workloads. IAM Identity Center also helps you manage access and permissions to commonly used third-party software as a service (SaaS) applications. Identity providers integrate with IAM Identity Center by using SAML 2.0. Bulk and just-in-time provisioning can be done by using the System for Cross-Domain Identity Management (SCIM). IAM Identity Center can also integrate with on-premises or AWS-managed Microsoft Active Directory (AD) domains as an identity provider through the use of AWS Directory Service. IAM Identity Center includes a user portal where your end-users can find and access their assigned AWS accounts, roles, cloud applications, and custom applications in one place.
+[AWS IAM Identity Center](https://aws.amazon.com/iam/identity-center/) is an identity federation service that helps you centrally manage SSO access to all your AWS accounts, principals, and cloud workloads. IAM Identity Center also helps you manage access and permissions to commonly used third-party software as a service (SaaS) applications. Identity providers integrate with IAM Identity Center by using SAML 2.0. Bulk and just-in-time provisioning can be done by using the System for Cross-Domain Identity Management (SCIM). IAM Identity Center can also integrate with on-premises or AWS-managed Microsoft Active Directory (AD) domains as an identity provider through the use of AWS Directory Service. IAM Identity Center includes a user portal where your end-users can find and access their assigned AWS accountsIAM Identity Center, roles, cloud applications, and custom applications in one place.
@@ -80 +74 @@ For centralized root credential management, you need to enable root credential m
-IAM Identity Center natively integrates with AWS Organizations and runs in the Org Management account by default. However, to exercise least privilege and tightly control access to the management account, IAM Identity Center administration can be delegated to a specific member account. In the AWS SRA, the Shared Services account is the delegated administrator account for IAM Identity Center. Before you enable delegated administration for IAM Identity Center, review [these considerations](https://aws.amazon.com/blogs/security/getting-started-with-aws-sso-delegated-administration/#_Considerations_when_delegating). You will find more information about delegation in the [Shared Services account](./shared-services.html) section. Even after you enable delegation, IAM Identity Center still needs to run in the Org Management account to perform certain [IAM Identity Center related tasks](https://docs.aws.amazon.com/singlesignon/latest/userguide/delegated-admin.html#delegated-admin-tasks-member-account), which include managing permission sets that are provisioned in the Org Management account. 
+IAM Identity Center natively integrates with AWS Organizations and runs in the Org Management account by default. However, to exercise least privilege and tightly control access to the management account, IAM Identity Center administration can be delegated to a specific member account. In the AWS SRA, the Shared Services account is the delegated administrator account for IAM Identity Center. Before you enable delegated administration for IAM Identity Center, review [these considerations](https://aws.amazon.com/blogs/security/getting-started-with-aws-sso-delegated-administration/#_Considerations_when_delegating). You will find more information about delegation in the [Shared Services account](./shared-services.html) section. Even after you enable delegation, IAM Identity Center still needs to run in the Org Management account to perform certain [IAM Identity Center-related tasks](https://docs.aws.amazon.com/singlesignon/latest/userguide/delegated-admin.html#delegated-admin-tasks-member-account), which include managing permission sets that are provisioned in the Org Management account. 
@@ -86 +80 @@ IAM Identity Center includes an identity store where specific user information m
-  * **IAM Identity Center Identity store –** Choose this option if the following two options are not available. Users are created, group assignments are made, and permissions are assigned in the identity store. Even if your authoritative source is external to IAM Identity Center, a copy of principal attributes will be stored with the identity store.
+  * **IAM Identity Center identity store –** Choose this option if the following two options are not available. Users are created, group assignments are made, and permissions are assigned in the identity store. Even if your authoritative source is external to IAM Identity Center, a copy of principal attributes will be stored with the identity store.
@@ -99,4 +93 @@ You can rely on an existing IdP that is already in place within your enterprise.
-  * Use an external IdP if that option is available to your enterprise. If your IdP supports System for Cross-Domain Identity Management (SCIM), take advantage of the SCIM capability in IAM Identity Center to automate user, group, and permission provisioning (synchronization). This allows AWS access to stay in sync with your corporate workflow for new hires, employees who are moving to another team, and employees who are leaving the company. At any given time, you can have only one directory or one SAML 2.0 identity provider connected to IAM Identity Center. However, you can switch to another identity provider. 
-
-
-
+Use an external IdP if that option is available to your enterprise. If your IdP supports System for Cross-domain Identity Management (SCIM), take advantage of the SCIM capability in IAM Identity Center to automate user, group, and permission provisioning (synchronization). This allows AWS access to stay in sync with your corporate workflow for new hires, employees who are moving to another team, and employees who are leaving the company. At any given time, you can have only one directory or one SAML 2.0 identity provider connected to IAM Identity Center. However, you can switch to another identity provider.
@@ -106 +97 @@ You can rely on an existing IdP that is already in place within your enterprise.
-IAM access advisor provides traceability data in the form of service last accessed information for your AWS accounts and OUs. Use this detective control to contribute to a [least privilege strategy](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege). For IAM entities, you can view two types of last accessed information: allowed AWS service information and allowed action information. The information includes the date and time when the attempt was made. 
+IAM access advisor provides traceability data in the form of service last accessed information for your AWS accounts and OUs. Use this detective control to contribute to a [least privilege strategy](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege). For IAM principals, you can view two types of last accessed information: allowed AWS service information and allowed action information. The information includes the date and time when the attempt was made.
@@ -108 +99 @@ IAM access advisor provides traceability data in the form of service last access
-IAM access within the Org Management account lets you view service last accessed data for the Org Management account, OU, member account, or IAM policy in your AWS organization. This information is available in the IAM console within the management account and can also be obtained programmatically by using IAM access advisor APIs in AWS Command Line Interface (AWS CLI) or a programmatic client. The information indicates which principals in an organization or account last attempted to access the service and when. Last accessed information provides insight for actual service usage (see [example scenarios](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_last-accessed-example-scenarios.html)), so you can reduce IAM permissions to only those services that are actually used.
+IAM access within the Org Management account lets you view service last accessed data for the Org Management account, OU, member account, or IAM policy in your AWS organization. This information is available in the IAM console within the management account and can also be obtained programmatically by using IAM access advisor APIs in AWS CLI or a programmatic client. The information indicates which principals in an organization or account last attempted to access the service and when. Last accessed information provides insight for actual service usage (see [example scenarios](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor-example-scenarios.html)), so you can reduce IAM permissions to only those services that are actually used.
@@ -118 +109 @@ Quick Setup and Explorer, which are capabilities of [AWS Systems Manager](https:
-The [Workloads OU](./application.html) section later in this guide discusses the use of the Systems Manager Agent (SSM Agent) on the EC2 instances in the Application account.
+The [Workloads OU](./application.html) section later in this guide discusses the use of the SSM Agent on the EC2 instances in the Application account.
@@ -124 +115 @@ The [Workloads OU](./application.html) section later in this guide discusses the
-AWS Control Tower has a broad and flexible set of features. A key feature is its ability to _orchestrate_ the capabilities of several other [AWS services](https://docs.aws.amazon.com/controltower/latest/userguide/integrated-services.html), including AWS Organizations, AWS Service Catalog, and IAM Identity Center, to build a landing zone. For examples, by default AWS Control Tower uses AWS CloudFormation to establish a baseline, AWS Organizations service control policies (SCPs) to prevent configuration changes, and AWS Config rules to continuously detect non-conformance. AWS Control Tower employs blueprints that help you quickly align your multi-account AWS environment with [AWS Well Architected security foundation design principles](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/security.html). Among governance features, AWS Control Tower offers guardrails that prevent deployment of resources that don't conform to selected policies. 
+AWS Control Tower has a broad and flexible set of features. A key feature is its ability to _orchestrate_ the capabilities of several other [AWS services](https://docs.aws.amazon.com/controltower/latest/userguide/integrated-services.html), including AWS Organizations, AWS Service Catalog, and IAM Identity Center, to build a landing zone. For examples, by default AWS Control Tower uses AWS CloudFormation to establish a baseline, AWS Organizations service control policies (SCPs) to prevent configuration changes, and AWS Config Rules rules to continuously detect non-conformance. AWS Control Tower employs blueprints that help you quickly align your multi-account AWS environment with [AWS Well Architected security foundation design principles](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/security.html). Among governance features, AWS Control Tower offers guardrails that prevent deployment of resources that don't conform to selected policies.
@@ -132,4 +123 @@ In the AWS SRA, AWS Control Tower is within the Org Management account because A
-  * If you want to do additional baselining of controls and configurations across your accounts, you can use [Customizations for AWS Control Tower (CfCT)](https://aws.amazon.com/solutions/implementations/customizations-for-aws-control-tower/). With CfCT, you can customize your AWS Control Tower landing zone by using an AWS CloudFormation template and service control policies (SCPs). You can deploy the custom template and policies to individual accounts and OUs within your organization. CfCT integrates with AWS Control Tower lifecycle events to ensure that resource deployments stay in sync with your landing zone. 
-
-
-
+If you want to do additional baselining of controls and configurations across your accounts, you can use [Customizations for AWS Control Tower (CfCT)](https://aws.amazon.com/solutions/implementations/customizations-for-aws-control-tower/). With CfCT, you can customize your AWS Control Tower landing zone by using a CloudFormation template and SCPs. You can deploy the custom template and policies to individual accounts and OUs within your organization. CfCT integrates with AWS Control Tower lifecycle events to ensure that resource deployments stay in sync with your landing zone. 
@@ -145 +133 @@ You can provide the AWS audit artifacts to your auditors or regulators as eviden
-AWS Artifacts is hosted in the Org Management account to provide a central location where you can review, accept, and manage agreements with AWS. This is because agreements that are accepted at the management account flow down to the member accounts. 
+AWS Artifact is hosted in the Org Management account to provide a central location where you can review, accept, and manage agreements with AWS. This is because agreements that are accepted at the management account flow down to the member accounts.
@@ -149,4 +137 @@ AWS Artifacts is hosted in the Org Management account to provide a central locat
-  * Users within the Org Management account should be restricted to use only the Agreements feature of AWS Artifact and nothing else. To implement segregation of duties, AWS Artifact is also hosted in the Security Tooling account where you can delegate permissions to your compliance stakeholders and external auditors to access audit artifacts. You can implement this separation by defining fine-grained IAM permission policies. For examples, see [Example IAM policies](https://docs.aws.amazon.com/artifact/latest/ug/security-iam.html#example-iam-policies) in the AWS documentation.
-
-
-
+Users within the Org Management account should be restricted to use only the Agreements feature of AWS Artifact and nothing else. To implement segregation of duties, AWS Artifact is also hosted in the Security Tooling account where you can delegate permissions to your compliance stakeholders and external auditors to access audit artifacts. You can implement this separation by defining fine-grained IAM permission policies. For examples, see [Example IAM policies](https://docs.aws.amazon.com/artifact/latest/ug/security-iam.html#example-iam-policies) in the AWS documentation.
@@ -156 +141 @@ AWS Artifacts is hosted in the Org Management account to provide a central locat
-In the AWS SRA, AWS Security Hub CSPM, Amazon GuardDuty, AWS Config, IAM Access Analyzer, AWS CloudTrail organization trails, and often Amazon Macie are deployed with appropriate delegated administration or aggregation to the Security Tooling account. This enables a consistent set of guardrails across accounts and also provides centralized monitoring, management, and governance across your AWS organization. You will find this group of services in every type of account represented in the AWS SRA. These should be part of the AWS services that must be provisioned as part of your account onboarding and baselining process. The [GitHub code repository](https://github.com/aws-samples/aws-security-reference-architecture-examples) provides a sample implementation of AWS security-focused services across your accounts, including the AWS Org Management account. 
+In the AWS SRA, AWS Security Hub, AWS Security Hub CSPM, Amazon GuardDuty, AWS Config, IAM Access Analyzer, AWS CloudTrail organization trails, and often Amazon Macie are deployed with appropriate delegated set of guardrails across accounts and also provides centralized monitoring, management, and governance across your AWS organization. You will find this group of services in every type of account represented in the AWS SRA. These should be part of the AWS services that must be provisioned as part of your account onboarding and baselining process. The [GitHub code repository](https://github.com/aws-samples/aws-security-reference-architecture-examples) provides a sample implementation of AWS security-focused services across your accounts, including the AWS Org Management account.
@@ -160 +145 @@ In addition to these services, AWS SRA includes two security-focused services, A
-  * You have a dedicated team or group of resources that perform those digital forensics and IT audit functions. Amazon Detective is best utilized by security analyst teams, and AWS Audit Manager is helpful to your internal audit or compliance teams.
+  * You have a dedicated team or group of resources that perform those digital forensics and IT audit functions. Detective is best utilized by security analyst teams, and Audit Manager is helpful to your internal audit or compliance teams.
@@ -162 +147 @@ In addition to these services, AWS SRA includes two security-focused services, A
-  * You want to focus on a core set of tools such as GuardDuty and Security Hub CSPM at the start of your project, and then build on these by using services that provide additional capabilities.
+  * You want to focus on a core set of tools such as AWS Config, Amazon GuardDuty, AWS Security Hub, and AWS Security Hub CSPM at the start of your project, and then build on these by using services that provide additional capabilities.
@@ -175 +160 @@ The AWS Security Reference Architecture
-Security OU - Security Tooling account
+Security OU – Security Tooling account