AWS amazonq documentation change
Summary
Restructured IAM policy examples, added explicit trust policy requirements for Amazon Q service principal, and included new sections about S3 access requirements for Azure AD App-Only authentication and VPC permissions.
Security assessment
The changes enhance IAM policy documentation by adding explicit trust relationships with conditions (aws:SourceAccount and aws:SourceArn) and clarify security requirements for S3 access in specific scenarios. While these are security best practices, there's no evidence of addressing a specific disclosed vulnerability.
Diff
diff --git a/amazonq/latest/qbusiness-ug/sharepoint-cloud-iam-role.md index e484bfdbc..e07a52e0a 100644 --- a/amazonq/latest/qbusiness-ug/sharepoint-cloud-iam-role.md +++ b/amazonq/latest/qbusiness-ug/sharepoint-cloud-iam-role.md @@ -25,2 +24,0 @@ To connect your data source connector to Amazon Q, you must give Amazon Q an IAM - * Permission to access the SSL certificate stored in your Amazon S3 bucket. - @@ -35,15 +33 @@ To connect your data source connector to Amazon Q, you must give Amazon Q an IAM - "Statement": [{ - "Sid": "AllowsAmazonQToGetS3Objects", - "Action": [ - "s3:GetObject" - ], - "Resource": [ - "arn:aws:s3:::{{input_bucket_name}}/*" - ], - "Effect": "Allow", - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "{{account_id}}" - } - } - }, + "Statement": [ @@ -100,0 +85,14 @@ To connect your data source connector to Amazon Q, you must give Amazon Q an IAM + } + + +**To allow Amazon Q to assume a role, you must also use the following trust policy:** + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowsAmazonQServicePrincipal", + "Effect": "Allow", + "Principal": { + "Service": "qbusiness.amazonaws.com" @@ -101,0 +100,51 @@ To connect your data source connector to Amazon Q, you must give Amazon Q an IAM + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "aws:SourceAccount": "{{source_account}}" + }, + "ArnEquals": { + "aws:SourceArn": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}" + } + } + } + ] + } + +For more information on Amazon Q data source connector IAM roles, see [IAM roles for Amazon Q data source connectors](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/iam-roles.html#iam-roles-ds). + +**To ensure that Amazon Q Business is able to access Amazon S3 you objects:** + +If you are using Azure AD App only authentication, you must ensure that Amazon Q Business is able access Amazon S3 to get the objects in your bucket. The following policy statement is provides permissions to access Amazon S3: + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowsAmazonQToGetS3Objects", + "Action": [ + "s3:GetObject" + ], + "Resource": [ + "arn:aws:s3:::{{input_bucket_name}}/*" + ], + "Effect": "Allow", + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "{{account_id}}" + } + } + } + ] + } + + +**If using a VPC:** + +If you are using a VPC, you must ensure that the permissions included in the following policy statement are included in your policy statement: + + + { + "Version": "2012-10-17", + "Statement": [ + { @@ -176,26 +224,0 @@ To connect your data source connector to Amazon Q, you must give Amazon Q an IAM -**To allow Amazon Q to assume a role, you must also use the following trust policy:** - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "AllowsAmazonQToAssumeRoleForServicePrincipal", - "Effect": "Allow", - "Principal": { - "Service": "qbusiness.amazonaws.com" - }, - "Action": "sts:AssumeRole", - "Condition": { - "StringEquals": { - "aws:SourceAccount": "{{source_account}}" - }, - "ArnLike": { - "aws:SourceArn": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}" - } - } - } - ] - } - -For more information on Amazon Q data source connector IAM roles, see [IAM roles for Amazon Q data source connectors](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/iam-roles.html#iam-roles-ds).