AWS Security ChangesHomeSearch

AWS fedramp documentation change

Service: fedramp · 2026-03-28 · Documentation low

File: fedramp/latest/userguide/top-level-admin-guidance.md

Summary

Updated document title, version, and control ID from FRR-RSC-01 to SCG-CSO-RSC. Expanded requirements to include three parts: instructions for top-level administrative accounts, explanations of security settings for top-level accounts, and recommended explanations for privileged accounts. Updated security guardrails description and removed security requirements section.

Security assessment

The change updates security guidance documentation with expanded requirements for secure configuration of administrative accounts. It adds more detailed security documentation about security-related settings and their implications, but there's no evidence of addressing a specific security vulnerability or incident. The version update and content expansion appear to be routine documentation improvements.

Diff

diff --git a/fedramp/latest/userguide/top-level-admin-guidance.md b/fedramp/latest/userguide/top-level-admin-guidance.md
index 56a0c3303..366c4392a 100644
--- a//fedramp/latest/userguide/top-level-admin-guidance.md
+++ b//fedramp/latest/userguide/top-level-admin-guidance.md
@@ -3 +3 @@
-Document InformationFRR-RSC-01: Top-Level Administrative Accounts GuidanceRequirementComponent Implementation (OSCAL)Executive SummaryAWS Administrative Account Types and Naming ConventionsAWS Root Account Security ArchitectureImplementation CommandsAdministrative Account Configuration ManagementDaily Operations and MaintenanceAccount Decommissioning ProceduresEmergency ProceduresAccess Control Matrix and Approval WorkflowsFedRAMP Continuous Monitoring RequirementsCompliance ValidationBest Practices SummaryAdditional Resources
+Document InformationSCG-CSO-RSC: Recommended Secure Configuration - Part 1RequirementComponent Implementation (OSCAL)Executive SummaryAWS Administrative Account Types and Naming ConventionsAWS Root Account Security ArchitectureImplementation CommandsAdministrative Account Configuration ManagementDaily Operations and MaintenanceAccount Decommissioning ProceduresEmergency ProceduresAccess Control Matrix and Approval WorkflowsFedRAMP Continuous Monitoring RequirementsCompliance ValidationBest Practices SummaryAdditional Resources
@@ -15 +15 @@ This topic discusses top level admin guidance.
-Version |  1.0.0  
+Version |  1.0.2  
@@ -17 +17 @@ Version |  1.0.0
-Last Updated |  2026-01-09  
+Last Updated |  2026-03-26  
@@ -19 +19 @@ Last Updated |  2026-01-09
-## FRR-RSC-01: Top-Level Administrative Accounts Guidance
+## SCG-CSO-RSC: Recommended Secure Configuration - Part 1
@@ -23 +23 @@ Last Updated |  2026-01-09
-**OSCAL Control ID: FRR-RSC-01**
+**OSCAL Control ID: SCG-CSO-RSC**
@@ -25 +25 @@ Last Updated |  2026-01-09
-**UUID: frr-rsc-01-control**
+**UUID: scg-cso-rsc-control**
@@ -29 +29,12 @@ Last Updated |  2026-01-09
-Providers MUST create and maintain guidance that includes instructions on how to securely access, configure, operate, and decommission top-level administrative accounts that control enterprise access to the entire cloud service offering.
+This guidance addresses Part 1 of SCG-CSO-RSC: Instructions on how to securely access, configure, operate, and decommission top-level administrative accounts that control enterprise access to the entire cloud service offering.
+
+Providers MUST create, maintain, and make available recommendations for securely configuring their cloud services (the Secure Configuration Guide) that includes at least the following information:
+
+  1. **Required** : Instructions on how to securely access, configure, operate, and decommission top-level administrative accounts that control enterprise access to the entire cloud service offering.
+
+  2. **Required** : Explanations of security-related settings that can be operated only by top-level administrative accounts and their security implications.
+
+  3. **Recommended** : Explanations of security-related settings that can be operated only by privileged accounts and their security implications.
+
+
+
@@ -328 +339 @@ Enable MFA for all users with hardware tokens or authenticator apps Configure se
-**Security Guardrails** :
+**Security Guardrails** : IAM implemented limits customers can enable
@@ -342,2 +352,0 @@ Enable MFA for all users with hardware tokens or authenticator apps Configure se
-**Security Requirements** :
-