AWS resilience-hub documentation change
Summary
Added documentation for AWSResilienceHubServiceRolePolicy service-linked role including its permissions for read-only AWS Organizations access to support multi-account resilience management.
Security assessment
The change documents a new service-linked role policy with read-only AWS Organizations permissions (Describe/List actions) for discovering organizational structure. While security-related through IAM permissions, there's no evidence of addressing a specific vulnerability. It enhances security documentation by clarifying permissions for multi-account management.
Diff
diff --git a/resilience-hub/latest/userguide/next-gen-security-iam-awsmanpol.md b/resilience-hub/latest/userguide/next-gen-security-iam-awsmanpol.md index 38680501c..716c46754 100644 --- a//resilience-hub/latest/userguide/next-gen-security-iam-awsmanpol.md +++ b//resilience-hub/latest/userguide/next-gen-security-iam-awsmanpol.md @@ -7 +7 @@ -AWSResilienceHubV2AssessmentExecutionPolicyPolicy updates +AWSResilienceHubV2AssessmentExecutionPolicyAWSResilienceHubServiceRolePolicyPolicy updates @@ -20,0 +21,2 @@ You cannot change the permissions defined in AWS managed policies. If AWS update + * AWSResilienceHubServiceRolePolicy + @@ -374,0 +377,46 @@ The following IAM policy provides required permissions for Next generation Resil +## AWSResilienceHubServiceRolePolicy + +The `AWSResilienceHubServiceRolePolicy` is a service-linked role (SLR) policy. You cannot attach this policy to your IAM entities. Next generation Resilience Hub automatically creates this service-linked role when you enable AWS Organizations support for multi-account resilience management. This role trusts the `resiliencehub.amazonaws.com` service principal. + +For more information about service-linked roles for AWS Resilience Hub, see [Using service-linked roles for AWS Resilience Hub](https://docs.aws.amazon.com/resilience-hub/latest/userguide/using-service-linked-roles.html). + +### Permission details + +With this policy, Next generation Resilience Hub can access read-only AWS Organizations information for multi-account resilience management. + +This policy includes the following permissions: + + * AWS Organizations – Provides `Describe` and `List` permissions for Organizations resources. These permissions discover organization structure, identify delegated administrators, and verify trusted access status. + + + + +The following IAM policy provides required permissions for Next generation Resilience Hub to access AWS Organizations resources for multi-account resilience management. + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AWSResilienceHubOrganizationsReadStatement", + "Effect": "Allow", + "Action": [ + "organizations:DescribeAccount", + "organizations:DescribeOrganization", + "organizations:DescribeOrganizationalUnit", + "organizations:ListAWSServiceAccessForOrganization", + "organizations:ListAccounts", + "organizations:ListAccountsForParent", + "organizations:ListChildren", + "organizations:ListDelegatedAdministrators", + "organizations:ListDelegatedServicesForAccount", + "organizations:ListOrganizationalUnitsForParent", + "organizations:ListParents", + "organizations:ListRoots", + "organizations:ListTagsForResource" + ], + "Resource": "*" + } + ] + } + @@ -380,0 +429 @@ Change | Description | Date +[AWSResilienceHubServiceRolePolicy](https://docs.aws.amazon.com/resilience-hub/latest/userguide/next-gen-security-iam-awsmanpol.html#next-gen-security-iam-awsmanpol-slr) – Update to an existing policy | Next generation Resilience Hub added read-only AWS Organizations permissions to the `AWSResilienceHubServiceRolePolicy`. These permissions support multi-account resilience management, including discovering organization structure, identifying delegated administrators, and verifying trusted access status. | July 7, 2026