AWS Security ChangesHomeSearch

AWS ram medium security documentation change

Service: ram · 2026-02-28 · Security-related medium

File: ram/latest/userguide/security-scp.md

Summary

Added Example 6 SCP to prevent resource shares with RetainSharingOnAccountLeaveOrganization enabled

Security assessment

Introduces a policy to block resource sharing configurations that could retain access after an account leaves an organization, addressing a potential privilege retention risk.

Diff

diff --git a/ram/latest/userguide/security-scp.md b/ram/latest/userguide/security-scp.md
index e7cfe55cf..d4718a08b 100644
--- a//ram/latest/userguide/security-scp.md
+++ b//ram/latest/userguide/security-scp.md
@@ -37,0 +38,2 @@ To use SCPs, you must first do the following:
+  * [Example 6: Prevent resource shares with RetainSharingOnAccountLeaveOrganization enabled](./security-scp.html#example-six)
+
@@ -219,0 +222,25 @@ JSON
+### Example 6: Prevent resource shares with RetainSharingOnAccountLeaveOrganization enabled
+
+The following SCP prevents users from creating or modifying resource shares when the `ram:RetainSharingOnAccountLeaveOrganization` condition key is set to `true`.
+    
+    
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Effect": "Deny",
+                "Action": [
+                    "ram:CreateResourceShare",
+                    "ram:AssociateResourceShare",
+                    "ram:DisassociateResourceShare"
+                ],
+                "Resource": "*",
+                "Condition": {
+                    "Bool": {
+                        "ram:RetainSharingOnAccountLeaveOrganization": "true"
+                    }
+                }
+            }
+        ]
+    }
+