AWS security-ir medium security documentation change
Summary
Added guidance to manually delete service-linked roles after membership cancellation
Security assessment
Addresses privilege persistence risk by warning about retained service-linked roles (AWSServiceRoleForSecurityIncidentResponse*), which could be exploited if not removed. Explicit cleanup instructions mitigate potential privilege escalation vectors.
Diff
diff --git a/security-ir/latest/userguide/cancel-membership.md b/security-ir/latest/userguide/cancel-membership.md index ee5875307..8893e7fdf 100644 --- a//security-ir/latest/userguide/cancel-membership.md +++ b//security-ir/latest/userguide/cancel-membership.md @@ -28,0 +29,4 @@ If you created a membership using a delegated administrator account and you use +###### Important + +After you cancel your membership, the service-linked roles `AWSServiceRoleForSecurityIncidentResponse` and `AWSServiceRoleForSecurityIncidentResponse_Triage` are not automatically deleted. You must manually delete these roles from all accounts that were within the scope of the AWS Security Incident Response service. For instructions, see [Deleting a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the _IAM User Guide_. +