AWS Security ChangesHomeSearch

AWS resilience-hub documentation change

Service: resilience-hub · 2026-07-10 · Documentation low

File: resilience-hub/latest/userguide/next-gen-security-iam-awsmanpol.md

Summary

Added documentation for AWSResilienceHubServiceRolePolicy service-linked role including its permissions for read-only AWS Organizations access to support multi-account resilience management.

Security assessment

The change documents a new service-linked role policy with read-only AWS Organizations permissions (Describe/List actions) for discovering organizational structure. While security-related through IAM permissions, there's no evidence of addressing a specific vulnerability. It enhances security documentation by clarifying permissions for multi-account management.

Diff

diff --git a/resilience-hub/latest/userguide/next-gen-security-iam-awsmanpol.md b/resilience-hub/latest/userguide/next-gen-security-iam-awsmanpol.md
index 38680501c..716c46754 100644
--- a//resilience-hub/latest/userguide/next-gen-security-iam-awsmanpol.md
+++ b//resilience-hub/latest/userguide/next-gen-security-iam-awsmanpol.md
@@ -7 +7 @@
-AWSResilienceHubV2AssessmentExecutionPolicyPolicy updates
+AWSResilienceHubV2AssessmentExecutionPolicyAWSResilienceHubServiceRolePolicyPolicy updates
@@ -20,0 +21,2 @@ You cannot change the permissions defined in AWS managed policies. If AWS update
+  * AWSResilienceHubServiceRolePolicy
+
@@ -374,0 +377,46 @@ The following IAM policy provides required permissions for Next generation Resil
+## AWSResilienceHubServiceRolePolicy
+
+The `AWSResilienceHubServiceRolePolicy` is a service-linked role (SLR) policy. You cannot attach this policy to your IAM entities. Next generation Resilience Hub automatically creates this service-linked role when you enable AWS Organizations support for multi-account resilience management. This role trusts the `resiliencehub.amazonaws.com` service principal.
+
+For more information about service-linked roles for AWS Resilience Hub, see [Using service-linked roles for AWS Resilience Hub](https://docs.aws.amazon.com/resilience-hub/latest/userguide/using-service-linked-roles.html).
+
+### Permission details
+
+With this policy, Next generation Resilience Hub can access read-only AWS Organizations information for multi-account resilience management.
+
+This policy includes the following permissions:
+
+  * AWS Organizations – Provides `Describe` and `List` permissions for Organizations resources. These permissions discover organization structure, identify delegated administrators, and verify trusted access status.
+
+
+
+
+The following IAM policy provides required permissions for Next generation Resilience Hub to access AWS Organizations resources for multi-account resilience management.
+    
+    
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Sid": "AWSResilienceHubOrganizationsReadStatement",
+                "Effect": "Allow",
+                "Action": [
+                    "organizations:DescribeAccount",
+                    "organizations:DescribeOrganization",
+                    "organizations:DescribeOrganizationalUnit",
+                    "organizations:ListAWSServiceAccessForOrganization",
+                    "organizations:ListAccounts",
+                    "organizations:ListAccountsForParent",
+                    "organizations:ListChildren",
+                    "organizations:ListDelegatedAdministrators",
+                    "organizations:ListDelegatedServicesForAccount",
+                    "organizations:ListOrganizationalUnitsForParent",
+                    "organizations:ListParents",
+                    "organizations:ListRoots",
+                    "organizations:ListTagsForResource"
+                ],
+                "Resource": "*"
+            }
+        ]
+    }
+
@@ -380,0 +429 @@ Change | Description | Date
+[AWSResilienceHubServiceRolePolicy](https://docs.aws.amazon.com/resilience-hub/latest/userguide/next-gen-security-iam-awsmanpol.html#next-gen-security-iam-awsmanpol-slr) – Update to an existing policy |  Next generation Resilience Hub added read-only AWS Organizations permissions to the `AWSResilienceHubServiceRolePolicy`. These permissions support multi-account resilience management, including discovering organization structure, identifying delegated administrators, and verifying trusted access status. | July 7, 2026