AWS organizations documentation change
Summary
Added clarification that AWSServiceRoleForFMS service-linked role is automatically created in all organization member accounts when enabling Firewall Manager trusted access, including future accounts. Specified standalone accounts and accounts in other organizations cannot be managed.
Security assessment
The change documents security feature behavior (automatic role propagation) for Firewall Manager integration. While it enhances security documentation, there's no evidence of addressing a specific vulnerability.
Diff
diff --git a/organizations/latest/userguide/services-that-can-integrate-fms.md b/organizations/latest/userguide/services-that-can-integrate-fms.md index 387250a47..39fba1aea 100644 --- a//organizations/latest/userguide/services-that-can-integrate-fms.md +++ b//organizations/latest/userguide/services-that-can-integrate-fms.md @@ -25,0 +26,4 @@ You can delete or modify this role only if you disable trusted access between Fi +When you enable trusted access for AWS Firewall Manager, the `AWSServiceRoleForFMS` service-linked role is automatically created in every member account in the organization. This includes accounts that join the organization later, either by invitation or by being created in the organization. + +Standalone accounts and accounts in a different organization don't receive this role and can't be managed by Firewall Manager. +