AWS Security ChangesHomeSearch

AWS prescriptive-guidance documentation change

Service: prescriptive-guidance · 2026-07-10 · Documentation medium

File: prescriptive-guidance/latest/security-reference-architecture/phases.md

Summary

Restructured documentation with improved formatting, added implementation examples for security controls (Account Alternate Contacts, Detective Organization), and expanded guidance on IAM least privilege practices and security logging.

Security assessment

The changes enhance security documentation by adding concrete implementation examples for security controls (alternate contacts configuration, Amazon Detective setup) and expanding guidance on security best practices like least privilege IAM policies and centralized logging. However, there is no evidence of addressing a specific security vulnerability or incident.

Diff

diff --git a/prescriptive-guidance/latest/security-reference-architecture/phases.md b/prescriptive-guidance/latest/security-reference-architecture/phases.md
index e6934bda3..ff6ceb8ec 100644
--- a//prescriptive-guidance/latest/security-reference-architecture/phases.md
+++ b//prescriptive-guidance/latest/security-reference-architecture/phases.md
@@ -11,3 +10,0 @@ Phase 1: Build your OU and account structurePhase 2: Implement a strong identity
-Influence the future of the AWS Security Reference Architecture (AWS SRA) by taking a [short survey](https://amazonmr.au1.qualtrics.com/jfe/form/SV_e3XI1t37KMHU2ua).  
----  
-  
@@ -26 +23,10 @@ For AWS account and OU structure recommendations beyond what's provided in the A
-###### Design consideration
+**Design consideration:**
+
+  * Do not replicate your company's reporting structure when you design your OU and account structure. Your OUs should be based on workload functions and a common set of security controls that apply to the workloads. Don't try to design your complete account structure from the beginning. Focus on the foundational OUs, and then add workload OUs as you need them. You can [move accounts between OUs](https://docs.aws.amazon.com/organizations/latest/userguide/move_account_to_ou.html) to experiment with alternative approaches during the early stages of your design. However, this might result in some overhead around managing logical permissions, depending on SCPs, RCPs, declarative policies, and IAM conditions that are based on OU and account paths.
+
+
+
+
+**Implementation example:**
+
+  * The [AWS SRA code library](https://github.com/aws-samples/aws-security-reference-architecture-examples) provides a sample implementation of [Account Alternate Contacts](https://github.com/aws-samples/aws-security-reference-architecture-examples/blob/main/aws_sra_examples/solutions/account/account_alternate_contacts). This solution sets the billing, operations, and security alternate contacts for all accounts within an organization.
@@ -28 +33,0 @@ For AWS account and OU structure recommendations beyond what's provided in the A
-Do not replicate your company's reporting structure when you design your OU and account structure. Your OUs should be based on workload functions and a common set of security controls that apply to the workloads. Don't try to design your complete account structure from the beginning. Focus on the foundational OUs, and then add workload OUs as you need them. You can [move accounts between OUs](https://docs.aws.amazon.com/organizations/latest/userguide/move_account_to_ou.html) to experiment with alternative approaches during the early stages of your design. However, this might result in some overhead around managing logical permissions, depending on SCPs, RCPs, declarative policies, and IAM conditions that are based on OU and account paths.
@@ -30 +34,0 @@ Do not replicate your company's reporting structure when you design your OU and
-###### Implementation example
@@ -32 +35,0 @@ Do not replicate your company's reporting structure when you design your OU and
-The [AWS SRA code library](https://github.com/aws-samples/aws-security-reference-architecture-examples) provides a sample implementation of [Account Alternate Contacts](https://github.com/aws-samples/aws-security-reference-architecture-examples/blob/main/aws_sra_examples/solutions/account/account_alternate_contacts). This solution sets the billing, operations, and security alternate contacts for all accounts within an organization.
@@ -40 +43,5 @@ As you work with IAM roles to provide user access to AWS resources, you should u
-###### Design consideration
+**Design consideration:**
+
+  * To achieve least privilege, design processes to regularly review and understand the relationships between your identities and the permissions they require to function properly. As you learn, fine-tune those permissions and gradually trim them down to the least permissions possible. For scalability, this should be a shared responsibility between your central security and application teams. Use features such as [resource-based policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html), [permission boundaries](https://aws.amazon.com/blogs/security/delegate-permission-management-to-developers-using-iam-permissions-boundaries/), [attribute-based access controls](https://www.youtube.com/watch?v=Iq_hDc385t4&t=1318s), and [session policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) to help application owners define fine-grained access control. 
+
+
@@ -42 +48,0 @@ As you work with IAM roles to provide user access to AWS resources, you should u
-To achieve least privilege, design processes to regularly review and understand the relationships between your identities and the permissions they require to function properly. As you learn, fine-tune those permissions and gradually trim them down to the least permissions possible. For scalability, this should be a shared responsibility between your central security and application teams. Use features such as [resource-based policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html), [permission boundaries](https://aws.amazon.com/blogs/security/delegate-permission-management-to-developers-using-iam-permissions-boundaries/), [attribute-based access controls](https://www.youtube.com/watch?v=Iq_hDc385t4&t=1318s), and [session policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) to help application owners define fine-grained access control. 
@@ -44 +50 @@ To achieve least privilege, design processes to regularly review and understand
-###### Implementation examples
+**Implementation examples:**
@@ -46 +52 @@ To achieve least privilege, design processes to regularly review and understand
-The [AWS SRA code library](https://github.com/aws-samples/aws-security-reference-architecture-examples) provides two sample implementations that apply to this phase:
+  * The [AWS SRA code library](https://github.com/aws-samples/aws-security-reference-architecture-examples) provides two sample implementations that apply to this phase:
@@ -59 +65 @@ When your users have access to AWS and start building, you will want to know who
-###### Design consideration
+**Design consideration:**
@@ -61 +67 @@ When your users have access to AWS and start building, you will want to know who
-As you start using new AWS services, make sure to enable [service-specific logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html) for the service and store them as part of your central log repository. 
+  * As you start using new AWS services, make sure to enable [service-specific logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html) for the service and store them as part of your central log repository. 
@@ -63 +68,0 @@ As you start using new AWS services, make sure to enable [service-specific logs]
-###### Implementation examples
@@ -65 +70,5 @@ As you start using new AWS services, make sure to enable [service-specific logs]
-The [AWS SRA code library](https://github.com/aws-samples/aws-security-reference-architecture-examples) provides the following sample implementations that apply to this phase: 
+
+
+**Implementation examples:**
+
+  * The [AWS SRA code library](https://github.com/aws-samples/aws-security-reference-architecture-examples) provides the following sample implementations that apply to this phase: 
@@ -97 +106,4 @@ In this phase, plan to apply security at other layers of your AWS organization,
-###### Design consideration
+**Design consideration:**
+
+  * As you design your defense in depth (DiD) security controls, consider scaling factors. Your central security team won't have the bandwidth or full understanding of how every application behaves in your environment. Empower your application teams to be responsible and accountable for identifying and designing the right security controls for their applications. The central security team should focus on providing the right tools and consultation to enable the application teams. To understand the scaling mechanisms that AWS uses to adopt a more shift-left approach to security, see the blog post [How AWS built the Security Guardians program, a mechanism to distribute security ownership](https://aws.amazon.com/blogs/security/how-aws-built-the-security-guardians-program-a-mechanism-to-distribute-security-ownership/). 
+
@@ -99 +110,0 @@ In this phase, plan to apply security at other layers of your AWS organization,
-As you design your defense in depth (DiD) security controls, consider scaling factors. Your central security team won't have the bandwidth or full understanding of how every application behaves in your environment. Empower your application teams to be responsible and accountable for identifying and designing the right security controls for their applications. The central security team should focus on providing the right tools and consultation to enable the application teams. To understand the scaling mechanisms that AWS uses to adopt a more shift-left approach to security, see the blog post [How AWS built the Security Guardians program, a mechanism to distribute security ownership](https://aws.amazon.com/blogs/security/how-aws-built-the-security-guardians-program-a-mechanism-to-distribute-security-ownership/). 
@@ -101 +111,0 @@ As you design your defense in depth (DiD) security controls, consider scaling fa
-###### Implementation examples
@@ -103 +113,3 @@ As you design your defense in depth (DiD) security controls, consider scaling fa
-The [AWS SRA code library](https://github.com/aws-samples/aws-security-reference-architecture-examples) provides the following sample implementations that apply to this phase:
+**Implementation examples** :
+
+  * The [AWS SRA code library](https://github.com/aws-samples/aws-security-reference-architecture-examples) provides the following sample implementations that apply to this phase:
@@ -128 +140 @@ The AWS SRA, through the design of the [Security Tooling account](./security-too
-###### Design considerations
+**Design considerations:**
@@ -137 +149,6 @@ The AWS SRA, through the design of the [Security Tooling account](./security-too
-![Sequential and iterative phases in building a cloud security architecture.](/images/prescriptive-guidance/latest/security-reference-architecture/images/sra-phases.png)
+![Sequential and iterative phases in building a cloud security architecture.](/images/prescriptive-guidance/latest/security-reference-architecture/images/guide-img/91d313fc-d5f1-45a8-a5a6-2f4fc7abc93a/images/c4fe891c-60c3-4453-9d08-a4d80438b951.png)
+
+**Implementation example:**
+
+  * The [AWS SRA code library](https://github.com/aws-samples/aws-security-reference-architecture-examples) provides a sample implementation of**** a****[ Detective Organization](https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions/detective/detective_org), which automatically enables Amazon Detective by delegating administration to an account (for example, Audit or Security Tooling) and configures Detective for existing and future AWS Organizations accounts.
+
@@ -139 +155,0 @@ The AWS SRA, through the design of the [Security Tooling account](./security-too
-###### Implementation example
@@ -141 +156,0 @@ The AWS SRA, through the design of the [Security Tooling account](./security-too
-The [AWS SRA code library](https://github.com/aws-samples/aws-security-reference-architecture-examples) provides a sample implementation of**** a****[ Detective Organization](https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions/detective/detective_org), which automatically enables Amazon Detective by delegating administration to an account (for example, Audit or Security Tooling) and configures Detective for existing and future AWS Organizations accounts.