AWS organizations medium security documentation change
Summary
Updated account closure restriction examples and added new IAM policy denying account closure actions
Security assessment
Added explicit IAM policy denying account closure actions (account:CloseAccount and organizations:CloseAccount). This directly documents security controls to prevent unauthorized account termination, addressing account security risks.
Diff
diff --git a/organizations/latest/userguide/orgs_account_close_policy.md b/organizations/latest/userguide/orgs_account_close_policy.md index 87d0c0ceb..82abe251b 100644 --- a//organizations/latest/userguide/orgs_account_close_policy.md +++ b//organizations/latest/userguide/orgs_account_close_policy.md @@ -28 +28 @@ Service Control Policies (SCPs) don't affect IAM principals in the management ac -The following code examples show two different methods you can use to restrict member accounts from closing their account. +The following code examples show different methods you can use to restrict member accounts from closing their account. @@ -71,0 +72,20 @@ You can attach the following policy to an identity in your management account. T +Prevent member accounts from closure with AWS Organizations + + +You can attach the following policy to an identity in your management account. This policy prevents principals in the management account from closing any member account by denying both the `account:CloseAccount` and `organizations:CloseAccount` actions. + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Deny", + "Action": [ + "account:CloseAccount", + "organizations:CloseAccount" + ], + "Resource": "*" + } + ] + } +