AWS organizations documentation change
Summary
Added documentation about required permissions for console-based organization creation and automatic application of default security controls (SCPs) that prevent account leaving/closing.
Security assessment
Documents proactive security measures (SCPs) but doesn't reference any specific vulnerability or incident. Explains security features without addressing a known exploit.
Diff
diff --git a/organizations/latest/userguide/orgs_manage_org_create.md b/organizations/latest/userguide/orgs_manage_org_create.md index 2304a78ec..201509cd0 100644 --- a//organizations/latest/userguide/orgs_manage_org_create.md +++ b//organizations/latest/userguide/orgs_manage_org_create.md @@ -29,0 +30,11 @@ You can restrict this permission to only the service principal `organizations.am +If you use the console to create an organization with all features, the console also applies default security controls. To allow the console to apply these controls, you also need the following permissions: + + * `organizations:EnablePolicyType` + + * `organizations:CreatePolicy` + + * `organizations:AttachPolicy` + + + + @@ -49,0 +61,8 @@ If this account previously verified its email address, then it doesn't happen ag + 4. Organizations turns on service control policies (SCPs) and attaches an SCP to the root with the following controls: + + * Prevents member accounts from leaving the organization. + + * Prevents member accounts from closing themselves. + +You can modify this SCP or attach it to different targets in your organization. We recommend keeping this SCP attached at the root to protect all member accounts. For more information, see [Default security controls in AWS Organizations](./orgs_security_default_controls.html). +