AWS ram medium security documentation change
Summary
Added Example 6 SCP to prevent resource shares with RetainSharingOnAccountLeaveOrganization enabled
Security assessment
Introduces a policy to block resource sharing configurations that could retain access after an account leaves an organization, addressing a potential privilege retention risk.
Diff
diff --git a/ram/latest/userguide/security-scp.md b/ram/latest/userguide/security-scp.md index e7cfe55cf..d4718a08b 100644 --- a//ram/latest/userguide/security-scp.md +++ b//ram/latest/userguide/security-scp.md @@ -37,0 +38,2 @@ To use SCPs, you must first do the following: + * [Example 6: Prevent resource shares with RetainSharingOnAccountLeaveOrganization enabled](./security-scp.html#example-six) + @@ -219,0 +222,25 @@ JSON +### Example 6: Prevent resource shares with RetainSharingOnAccountLeaveOrganization enabled + +The following SCP prevents users from creating or modifying resource shares when the `ram:RetainSharingOnAccountLeaveOrganization` condition key is set to `true`. + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Deny", + "Action": [ + "ram:CreateResourceShare", + "ram:AssociateResourceShare", + "ram:DisassociateResourceShare" + ], + "Resource": "*", + "Condition": { + "Bool": { + "ram:RetainSharingOnAccountLeaveOrganization": "true" + } + } + } + ] + } +