AWS notifications documentation change
Summary
Added new examples for notification configuration permissions, including full CRUD access and email association permissions
Security assessment
The change adds new permission examples but does not address any specific security vulnerabilities or add new security-related documentation
Diff
diff --git a/notifications/latest/userguide/resource-level-permissions.md index 336f7c71c..24487cf56 100644 --- a/notifications/latest/userguide/resource-level-permissions.md +++ b/notifications/latest/userguide/resource-level-permissions.md @@ -5 +5 @@ -Supported resource-level permissions for User Notifications API actions Example 1: Administrator access Example 2: ReadOnly access Example 3: Deny a user the ability to update a notification configuration +Supported resource-level permissions for User Notifications API actions Example 1: Full access Example 2: ReadOnly access Example 3: Deny a user the ability to update a notification configuration Example 4: Allow users to create notification configurations and associate emails to them Example 5: Allow users full create, read, update, and delete (CRUD) access. @@ -62 +62 @@ UntagResource | `arn:aws:notifications-contacts::`accountId`:emailcontact/`emai -## Example 1: Administrator access +## Example 1: Full access @@ -120,0 +121,45 @@ This policy denies a user the ability to update a notification configuration. +## Example 4: Allow users to create notification configurations and associate emails to them + +This policy allows users to create notification configurations and associate emails to those configurations. + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "iam:CreateServiceLinkedRole", + "notifications:RegisterNotificationHub", + "notifications:CreateNotificationConfiguration", + "notifications:CreateEventRule", + "notifications:AssociateChannel", + "notifications-contacts:CreateEmailContact", + "notifications-contacts:SendActivationCode", + "notifications-contacts:ActivateEmailContact" + ], + "Resource": "*" + } + ] + } + +## Example 5: Allow users full create, read, update, and delete (CRUD) access. + +This policy allows users full CRUD access. + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "iam:CreateServiceLinkedRole", + "notifications:*", + "notifications-contacts:*" + ], + "Resource": "*" + } + ] + } +