AWS amazonq documentation change
Summary
Added sso-directory:DescribeUser permission to service-linked role policy and corrected policy name reference
Security assessment
Documents expanded IAM permissions for service-linked role but lacks evidence of addressing a specific security vulnerability.
Diff
diff --git a/amazonq/latest/qdeveloper-ug/using-service-linked-roles-user-subs.md index 4f67401b5..a9e174882 100644 --- a/amazonq/latest/qdeveloper-ug/using-service-linked-roles-user-subs.md +++ b/amazonq/latest/qdeveloper-ug/using-service-linked-roles-user-subs.md @@ -19 +19 @@ For information about other services that support service-linked roles, see [AWS -User Subscriptions uses the service-linked role named **AWSServiceRoleForUserSubscriptions** – Provides access for User Subscriptions to your IAM Identity Center resources to automatically update your subscriptions. +User Subscriptions uses the service-linked role named **AWSServiceRoleForUserSubscriptions**. This role provides access for User Subscriptions to your IAM Identity Center resources in order to automatically update your subscriptions. @@ -28 +28 @@ The AWSServiceRoleForUserSubscriptions service-linked role trusts the following -The role permissions policy named AWSServiceRoleForUserSubscriptionPolicy allows User Subscriptions to complete the following actions on the specified resources: +The role permissions policy named [AWSServiceRoleForUserSubscriptions](./managed-policy.html#amazonq-policy-AWSServiceRoleForUserSubscriptions) allows User Subscriptions to complete the following actions on the specified resources: @@ -45,0 +46,2 @@ Action: `sso:ListInstances` on `*` +Action: `sso-directory:DescribeUser` on `*` +