AWS Security ChangesHomeSearch

AWS amazonq documentation change

Service: amazonq · 2025-02-26 · Documentation low

File: amazonq/latest/qdeveloper-ug/using-service-linked-roles-user-subs.md

Summary

Added sso-directory:DescribeUser permission to service-linked role policy and corrected policy name reference

Security assessment

Documents expanded IAM permissions for service-linked role but lacks evidence of addressing a specific security vulnerability.

Diff

diff --git a/amazonq/latest/qdeveloper-ug/using-service-linked-roles-user-subs.md
index 4f67401b5..a9e174882 100644
--- a/amazonq/latest/qdeveloper-ug/using-service-linked-roles-user-subs.md
+++ b/amazonq/latest/qdeveloper-ug/using-service-linked-roles-user-subs.md
@@ -19 +19 @@ For information about other services that support service-linked roles, see [AWS
-User Subscriptions uses the service-linked role named **AWSServiceRoleForUserSubscriptions** – Provides access for User Subscriptions to your IAM Identity Center resources to automatically update your subscriptions.
+User Subscriptions uses the service-linked role named **AWSServiceRoleForUserSubscriptions**. This role provides access for User Subscriptions to your IAM Identity Center resources in order to automatically update your subscriptions.
@@ -28 +28 @@ The AWSServiceRoleForUserSubscriptions service-linked role trusts the following
-The role permissions policy named AWSServiceRoleForUserSubscriptionPolicy allows User Subscriptions to complete the following actions on the specified resources:
+The role permissions policy named [AWSServiceRoleForUserSubscriptions](./managed-policy.html#amazonq-policy-AWSServiceRoleForUserSubscriptions) allows User Subscriptions to complete the following actions on the specified resources:
@@ -45,0 +46,2 @@ Action: `sso:ListInstances` on `*`
+Action: `sso-directory:DescribeUser` on `*`
+