AWS AmazonCloudWatch documentation change
Summary
Removed detailed S3 bucket and KMS key permission examples for source map handling
Security assessment
Removal of example IAM policies related to S3/KMS permissions, but no explicit evidence of addressing a security vulnerability. Changes appear to simplify documentation rather than fix a disclosed issue.
Diff
diff --git a/AmazonCloudWatch/latest/monitoring/CloudWatch-RUM-permissions.md b/AmazonCloudWatch/latest/monitoring/CloudWatch-RUM-permissions.md index b618a5d43..e08963ce0 100644 --- a/AmazonCloudWatch/latest/monitoring/CloudWatch-RUM-permissions.md +++ b/AmazonCloudWatch/latest/monitoring/CloudWatch-RUM-permissions.md @@ -23,116 +22,0 @@ To be able to fully manage CloudWatch RUM, you must be signed in as an IAM user - * To enable JavaScript source maps in an app monitor, you will need to upload your source map files to a Amazon S3 bucket. Your IAM role or policy needs specific Amazon S3 permissions that allow creating Amazon S3 buckets, setting bucket policies, and managing files in the bucket. For security, scope these permissions to specific resources. The example policy below restricts access to buckets containing `rum` in their names and uses the `aws:ResourceAccount` condition key to limit permissions to the principal account only. - - { - "Sid": "AllowS3BucketCreationAndListing", - "Effect": "Allow", - "Action": [ - "s3:CreateBucket", - "s3:ListAllMyBuckets" - ], - "Resource": "arn:aws:s3:::*", - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - }, - { - "Sid": "AllowS3BucketActions", - "Effect": "Allow", - "Action": [ - "s3:GetBucketLocation", - "s3:ListBucket" - ], - "Resource": "arn:aws:s3:::*rum*", - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - }, - { - "Sid": "AllowS3BucketPolicyActions", - "Effect": "Allow", - "Action": [ - "s3:PutBucketPolicy", - "s3:GetBucketPolicy" - ], - "Resource": "arn:aws:s3:::*rum*", - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - }, - { - "Sid": "AllowS3ObjectActions", - "Effect": "Allow", - "Action": [ - "s3:GetObject", - "s3:PutObject", - "s3:DeleteObject", - "s3:AbortMultipartUpload" - ], - "Resource": "arn:aws:s3:::*rum*", - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - } - - * To use your own AWS KMS keys for server-side encryption on your source map bucket, your IAM role or policy will need specific AWS KMS permissions that allows creating a key, updating the key policy, using the AWS KMS key with Amazon S3 and setting the encryption configuration of your Amazon S3 bucket. For security, scope these permissions to specific purposes. The example below restricts access to keys for a specific region and accountId and has similar S3 restrictions as the above example. - - { - "Sid": "AllowKMSKeyCreation", - "Effect": "Allow", - "Action": [ - "kms:CreateKey", - "kms:CreateAlias" - ], - "Resource": "*" - }, - { - "Sid": "KMSReadPermissions", - "Effect": "Allow", - "Action": [ - "kms:ListAliases" - ], - "Resource": "*" - }, - { - "Sid": "AllowUpdatingKeyPolicy", - "Effect": "Allow", - "Action": [ - "kms:PutKeyPolicy", - "kms:GetKeyPolicy", - "kms:ListKeyPolicies" - ], - "Resource": "arn:aws:kms:REGION:ACCOUNT_ID:key/*" - }, - { - "Sid": "AllowUseOfKMSKeyForS3", - "Effect": "Allow", - "Action": [ - "kms:DescribeKey", - "kms:Encrypt", - "kms:Decrypt", - "kms:GenerateDataKey" - ], - "Resource": "arn:aws:kms:REGION:ACCOUNT_ID:key/*" - }, - { - "Sid": "AllowS3EncryptionConfiguration", - "Effect": "Allow", - "Action": [ - "s3:PutEncryptionConfiguration", - "s3:GetEncryptionConfiguration" - ], - "Resource": "arn:aws:s3:::*rum*", - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - } -