AWS Security ChangesHomeSearch

AWS prescriptive-guidance documentation change

Service: prescriptive-guidance · 2026-07-10 · Documentation low

File: prescriptive-guidance/latest/security-reference-architecture/org-management.md

Summary

Updated documentation for Org Management account including image path correction, restructuring design considerations into bullet points, clarifying SCP/RCP functionality, fixing IAM Identity Center description, updating AWS Control Tower details, and refining security services deployment explanation.

Security assessment

Changes focus on improving clarity and accuracy of existing security documentation (SCPs, RCPs, declarative policies, IAM Identity Center). No vulnerability fixes or incident responses are mentioned. Security documentation is enhanced through better explanations of security controls like SCP evaluation logic, IMDSv2 enforcement, and permission segregation in AWS Artifact.

Diff

diff --git a/prescriptive-guidance/latest/security-reference-architecture/org-management.md b/prescriptive-guidance/latest/security-reference-architecture/org-management.md
index 3edc16a05..5fa2502a4 100644
--- a//prescriptive-guidance/latest/security-reference-architecture/org-management.md
+++ b//prescriptive-guidance/latest/security-reference-architecture/org-management.md
@@ -11,3 +10,0 @@ Service control policiesResource control policiesDeclarative policiesCentralized
-Influence the future of the AWS Security Reference Architecture (AWS SRA) by taking a [short survey](https://amazonmr.au1.qualtrics.com/jfe/form/SV_e3XI1t37KMHU2ua).  
----  
-  
@@ -16 +13 @@ The following diagram illustrates the AWS security services that are configured
-![Security services for Org Management account.](/images/prescriptive-guidance/latest/security-reference-architecture/images/org-management-acct.png)
+![Security services for the Org Management account.](/images/prescriptive-guidance/latest/security-reference-architecture/images/guide-img/91d313fc-d5f1-45a8-a5a6-2f4fc7abc93a/images/20032423-a649-4f28-8127-9c1e71793b9d.png)
@@ -26 +23,5 @@ If you use AWS Control Tower to manage your AWS organization, it will deploy [a
-###### Design consideration
+**Design consideration:**
+
+  * SCPs affect only _member_ accounts in the AWS organization. Although they are applied from the Org Management account, they have no effect on users or roles in that account. To learn about how SCP evaluation logic works, and to see examples of recommended structures, see the AWS blog post [How to use service control policies in AWS Organizations](https://aws.amazon.com/blogs/security/how-to-use-service-control-policies-in-aws-organizations/).
+
+
@@ -28 +28,0 @@ If you use AWS Control Tower to manage your AWS organization, it will deploy [a
-SCPs affect only _member_ accounts in the AWS organization. Although they are applied from the Org Management account, they have no effect on users or roles in that account. To learn about how SCP evaluation logic works, and to see examples of recommended structures, see the AWS blog post [How to use service control policies in AWS Organizations](https://aws.amazon.com/blogs/security/how-to-use-service-control-policies-in-aws-organizations/).
@@ -34 +34 @@ SCPs affect only _member_ accounts in the AWS organization. Although they are ap
-If you use AWS Control Tower to manage your AWS organization, it will deploy a set of RCPs as preventative guardrails (categorized as mandatory, strongly recommended, or elective). These guardrails help you govern your resources by enforcing organization-wide security controls. These SCPs automatically use an `aws-control-tower` tag that has a value of `managed-by-control-tower`.
+If you use AWS Control Tower to manage your AWS organization, it will deploy a set of RCPs as preventative guardrails. These guardrails help you govern your resources by enforcing organization-wide security controls. These RCPs automatically use an `aws-control-tower` tag that has a value of `managed-by-control-tower`.
@@ -36 +36 @@ If you use AWS Control Tower to manage your AWS organization, it will deploy a s
-###### Design considerations
+**Design considerations:**
@@ -47 +47 @@ If you use AWS Control Tower to manage your AWS organization, it will deploy a s
-A declarative policy is a type of AWS Organizations management policy that helps you centrally declare and enforce your desired configuration for a given AWS service at scale across an organization. Declarative policies currently support [Amazon EC2](https://aws.amazon.com/ec2/), [Amazon VPC](https://aws.amazon.com/vpc/), and [Amazon EBS](https://aws.amazon.com/ebs/) services. Available service attributes include enforcing Instance Metadata Service Version 2 (IMDSv2), allowing troubleshooting though the EC2 serial console, allowing [Amazon Machine Image (AMI)](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html) settings, and blocking public access for Amazon EBS snapshots, Amazon EC2 AMIs, and Amazon VPC resources. For the latest supported services and attributes, see [Declarative policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_declarative.html#orgs_manage_policies_declarative-supported-controls) in the AWS Organizations documentation.
+A declarative policy is a type of AWS Organizations management policy that helps you centrally declare and enforce your desired configuration for a given AWS service at scale across an organization. How those policies affect the OUs and accounts that inherit them depends on the type of declarative policy that you apply in AWS Organizations. For the latest supported services and attributes, see [Declarative policies](https://docs.aws.amazon.com/organizations/latest/userguide/syntax-inheritance.html) in the AWS Organizations documentation.
@@ -55 +55,5 @@ Declarative policies provide _account status reports,_ which enable you to revie
-###### Design consideration
+**Design consideration:**
+
+  * When you configure a service attribute by using a declarative policy, the policy might impact multiple APIs. Any noncompliant actions will fail. Account administrators will not be able to modify the value of the service attribute at the individual account level.
+
+
@@ -57 +60,0 @@ Declarative policies provide _account status reports,_ which enable you to revie
-When you configure a service attribute by using a declarative policy, the policy might impact multiple APIs. Any noncompliant actions will fail. Account administrators will not be able to modify the value of the service attribute at the individual account level.
@@ -74 +77 @@ For centralized root credential management, you need to enable root credential m
-[AWS IAM Identity Center](https://aws.amazon.com/iam/identity-center/) is an identity federation service that helps you centrally manage SSO access to all your AWS accounts, principals, and cloud workloads. IAM Identity Center also helps you manage access and permissions to commonly used third-party software as a service (SaaS) applications. Identity providers integrate with IAM Identity Center by using SAML 2.0. Bulk and just-in-time provisioning can be done by using the System for Cross-Domain Identity Management (SCIM). IAM Identity Center can also integrate with on-premises or AWS-managed Microsoft Active Directory (AD) domains as an identity provider through the use of AWS Directory Service. IAM Identity Center includes a user portal where your end-users can find and access their assigned AWS accountsIAM Identity Center, roles, cloud applications, and custom applications in one place.
+[AWS IAM Identity Center](https://aws.amazon.com/iam/identity-center/) is an identity federation service that helps you centrally manage SSO access to all your AWS accounts, principals, and cloud workloads. IAM Identity Center also helps you manage access and permissions to commonly used third-party software as a service (SaaS) applications. Identity providers integrate with IAM Identity Center by using SAML 2.0. Bulk and just-in-time provisioning can be done by using the System for Cross-Domain Identity Management (SCIM). IAM Identity Center can also integrate with on-premises or AWS-managed Microsoft Active Directory (AD) domains as an identity provider through the use of AWS Directory Service. IAM Identity Center includes a user portal where your end-users can find and access their assigned AWS accounts, IAM Identity Center, roles, cloud applications, and custom applications in one place.
@@ -93 +96,5 @@ You can rely on an existing IdP that is already in place within your enterprise.
-###### Design consideration
+**Design consideration:**
+
+  * Use an external IdP if that option is available to your enterprise. If your IdP supports System for Cross-domain Identity Management (SCIM), take advantage of the SCIM capability in IAM Identity Center to automate user, group, and permission provisioning (synchronization). This allows AWS access to stay in sync with your corporate workflow for new hires, employees who are moving to another team, and employees who are leaving the company. At any given time, you can have only one directory or one SAML 2.0 identity provider connected to IAM Identity Center. However, you can switch to another identity provider.
+
+
@@ -95 +101,0 @@ You can rely on an existing IdP that is already in place within your enterprise.
-Use an external IdP if that option is available to your enterprise. If your IdP supports System for Cross-domain Identity Management (SCIM), take advantage of the SCIM capability in IAM Identity Center to automate user, group, and permission provisioning (synchronization). This allows AWS access to stay in sync with your corporate workflow for new hires, employees who are moving to another team, and employees who are leaving the company. At any given time, you can have only one directory or one SAML 2.0 identity provider connected to IAM Identity Center. However, you can switch to another identity provider.
@@ -117 +123 @@ The [Workloads OU](./application.html) section later in this guide discusses the
-AWS Control Tower has a broad and flexible set of features. A key feature is its ability to _orchestrate_ the capabilities of several other [AWS services](https://docs.aws.amazon.com/controltower/latest/userguide/integrated-services.html), including AWS Organizations, AWS Service Catalog, and IAM Identity Center, to build a landing zone. For examples, by default AWS Control Tower uses AWS CloudFormation to establish a baseline, AWS Organizations service control policies (SCPs) to prevent configuration changes, and AWS Config Rules rules to continuously detect non-conformance. AWS Control Tower employs blueprints that help you quickly align your multi-account AWS environment with [AWS Well Architected security foundation design principles](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/security.html). Among governance features, AWS Control Tower offers guardrails that prevent deployment of resources that don't conform to selected policies.
+AWS Control Tower has a broad and flexible set of features. A key feature is its ability to _orchestrate_ the capabilities of several other [AWS services](https://docs.aws.amazon.com/controltower/latest/userguide/integrated-services.html), including AWS Organizations, AWS Service Catalog, and IAM Identity Center, to build a landing zone. For example, by default, AWS Control Tower uses AWS CloudFormation to establish a baseline, AWS Organizations service control policies (SCPs) prevent configuration changes, and AWS Config rules continuously detect non-conformance. AWS Control Tower employs blueprints that help you quickly align your multi-account AWS environment with [AWS Well-Architected security foundation design principles](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/security.html). Among governance features, AWS Control Tower offers guardrails that prevent deployment of resources that don't conform to selected policies.
@@ -123 +129,5 @@ In the AWS SRA, AWS Control Tower is within the Org Management account because A
-###### Design consideration
+**Design consideration:**
+
+  * If you want to do additional baselining of controls and configurations across your accounts, you can use [Customizations for AWS Control Tower (CfCT)](https://aws.amazon.com/solutions/implementations/customizations-for-aws-control-tower/). With CfCT, you can customize your AWS Control Tower landing zone by using a CloudFormation template and SCPs. You can deploy the custom template and policies to individual accounts and OUs within your organization. CfCT integrates with AWS Control Tower lifecycle events to ensure that resource deployments stay in sync with your landing zone. 
+
+
@@ -125 +134,0 @@ In the AWS SRA, AWS Control Tower is within the Org Management account because A
-If you want to do additional baselining of controls and configurations across your accounts, you can use [Customizations for AWS Control Tower (CfCT)](https://aws.amazon.com/solutions/implementations/customizations-for-aws-control-tower/). With CfCT, you can customize your AWS Control Tower landing zone by using a CloudFormation template and SCPs. You can deploy the custom template and policies to individual accounts and OUs within your organization. CfCT integrates with AWS Control Tower lifecycle events to ensure that resource deployments stay in sync with your landing zone. 
@@ -137 +146,5 @@ AWS Artifact is hosted in the Org Management account to provide a central locati
-###### Design consideration
+**Design consideration:**
+
+  * Users within the Org Management account should be restricted to use only the Agreements feature of AWS Artifact and nothing else. To implement segregation of duties, AWS Artifact is also hosted in the Security Tooling account where you can delegate permissions to your compliance stakeholders and external auditors to access audit artifacts. You can implement this separation by defining fine-grained IAM permission policies. For examples, see [Example IAM policies](https://docs.aws.amazon.com/artifact/latest/ug/security-iam.html#example-iam-policies) in the AWS documentation.
+
+
@@ -139 +151,0 @@ AWS Artifact is hosted in the Org Management account to provide a central locati
-Users within the Org Management account should be restricted to use only the Agreements feature of AWS Artifact and nothing else. To implement segregation of duties, AWS Artifact is also hosted in the Security Tooling account where you can delegate permissions to your compliance stakeholders and external auditors to access audit artifacts. You can implement this separation by defining fine-grained IAM permission policies. For examples, see [Example IAM policies](https://docs.aws.amazon.com/artifact/latest/ug/security-iam.html#example-iam-policies) in the AWS documentation.
@@ -143 +155 @@ Users within the Org Management account should be restricted to use only the Agr
-In the AWS SRA, AWS Security Hub, AWS Security Hub CSPM, Amazon GuardDuty, AWS Config, IAM Access Analyzer, AWS CloudTrail organization trails, and often Amazon Macie are deployed with appropriate delegated set of guardrails across accounts and also provides centralized monitoring, management, and governance across your AWS organization. You will find this group of services in every type of account represented in the AWS SRA. These should be part of the AWS services that must be provisioned as part of your account onboarding and baselining process. The [GitHub code repository](https://github.com/aws-samples/aws-security-reference-architecture-examples) provides a sample implementation of AWS security-focused services across your accounts, including the AWS Org Management account.
+In the AWS SRA, AWS Security Hub CSPM, AWS Security Hub, Amazon GuardDuty, AWS Config, IAM Access Analyzer, AWS CloudTrail organization trails, and often Amazon Macie are deployed with appropriate delegated administration or aggregation to the Security Tooling account. This enables a consistent set of guardrails across accounts and also provides centralized monitoring, management, and governance across your AWS organization. You will find this group of services in every type of account represented in the AWS SRA. These should be part of the AWS services that must be provisioned as part of your account onboarding and baselining process. The [GitHub code repository](https://github.com/aws-samples/aws-security-reference-architecture-examples) provides a sample implementation of AWS security-focused services across your accounts, including the AWS Org Management account.