AWS Security ChangesHomeSearch

AWS organizations documentation change

Service: organizations · 2026-03-13 · Documentation low

File: organizations/latest/userguide/orgs_manage_accounts_accept-decline-invite.md

Summary

Added note explaining CloudTrail logging locations for account invitation actions.

Security assessment

Improves transparency about audit logging practices but does not resolve a security issue.

Diff

diff --git a/organizations/latest/userguide/orgs_manage_accounts_accept-decline-invite.md b/organizations/latest/userguide/orgs_manage_accounts_accept-decline-invite.md
index 983ea46a4..09461ebd0 100644
--- a//organizations/latest/userguide/orgs_manage_accounts_accept-decline-invite.md
+++ b//organizations/latest/userguide/orgs_manage_accounts_accept-decline-invite.md
@@ -24,0 +25,4 @@ Only member accounts and standalone accounts can accept or decline an invitation
+**CloudTrail logging takes place in the account taking the action**
+
+If a member account or standalone account accepts or declines an account invitation, that action will be logged in the CloudTrail log of the acting account. If the acting account is a member account, that action will not be logged in the management account's CloudTrail logs. This is consistent with CloudTrail logging in related scenarios (ex. Member account leaving organization will be logged in member account trail, management account removing member account will be logged in management account trail). 
+