AWS Security ChangesHomeSearch

AWS security-ir medium security documentation change

Service: security-ir · 2026-06-19 · Security-related medium

File: security-ir/latest/userguide/cancel-membership.md

Summary

Added guidance to manually delete service-linked roles after membership cancellation

Security assessment

Addresses privilege persistence risk by warning about retained service-linked roles (AWSServiceRoleForSecurityIncidentResponse*), which could be exploited if not removed. Explicit cleanup instructions mitigate potential privilege escalation vectors.

Diff

diff --git a/security-ir/latest/userguide/cancel-membership.md b/security-ir/latest/userguide/cancel-membership.md
index ee5875307..8893e7fdf 100644
--- a//security-ir/latest/userguide/cancel-membership.md
+++ b//security-ir/latest/userguide/cancel-membership.md
@@ -28,0 +29,4 @@ If you created a membership using a delegated administrator account and you use
+###### Important
+
+After you cancel your membership, the service-linked roles `AWSServiceRoleForSecurityIncidentResponse` and `AWSServiceRoleForSecurityIncidentResponse_Triage` are not automatically deleted. You must manually delete these roles from all accounts that were within the scope of the AWS Security Incident Response service. For instructions, see [Deleting a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the _IAM User Guide_. 
+