AWS organizations high security documentation change
Summary
Added SCP recommendation to prevent account departures/closures and default security controls implementation details
Security assessment
Documents security control (SCP) to prevent unauthorized account separation which could compromise organizational security boundaries. Explicitly references security risks of account departure/closure.
Diff
diff --git a/organizations/latest/userguide/orgs_best-practices_mgmt-acct.md b/organizations/latest/userguide/orgs_best-practices_mgmt-acct.md index 5b9a7b19e..57be9ea34 100644 --- a//organizations/latest/userguide/orgs_best-practices_mgmt-acct.md +++ b//organizations/latest/userguide/orgs_best-practices_mgmt-acct.md @@ -7 +7 @@ -Limit who has access to the management accountReview and track who has accessUse the management account only for tasks that require the management accountAvoid deploying workloads to the organization’s management accountDelegate responsibilities outside the management account for decentralization +Limit who has access to the management accountReview and track who has accessUse the management account only for tasks that require the management accountAvoid deploying workloads to the organization’s management accountPrevent inadvertent account departures and closures with an SCPDelegate responsibilities outside the management account for decentralization @@ -22,0 +23,2 @@ Follow these recommendations to help protect the security of the management acco + * Prevent inadvertent account departures and closures with an SCP + @@ -45,0 +48,6 @@ Privileged operations can be performed within an organization’s management acc +## Prevent inadvertent account departures and closures with an SCP + +Member accounts can leave your organization or close themselves, which can disrupt governance, billing, and security controls. We recommend that you attach an SCP at the root of your organization that denies the `organizations:LeaveOrganization` and `account:CloseAccount` actions to prevent member accounts from performing these actions without approval from the management account or a delegated administrator. + +AWS Organizations organizations created through the AWS Management Console after July 10, 2026 automatically receive this SCP at the root. If you created your organization using the AWS Command Line Interface (AWS CLI), AWS SDKs, or CloudFormation, or if your organization was created before this date, you must create and attach this SCP manually. For the policy example and more information about these controls, see [Default security controls in AWS Organizations](./orgs_security_default_controls.html). For instructions on configuring SCPs, see [Enabling a policy type](./enable-policy-type.html), [Creating organization policies with AWS Organizations](./orgs_policies_create.html), and [Attaching organization policies with AWS Organizations](./orgs_policies_attach.html). +