AWS Security ChangesHomeSearch

AWS IAM medium security documentation change

Service: IAM · 2025-03-23 · Security-related medium

File: IAM/latest/UserGuide/access_policies_job-functions.md

Summary

Added important note about storage service access and updated policy description with ReadOnlyAccess link

Security assessment

Clarifies that ReadOnlyAccess grants access to read data in storage services and references a more restrictive policy. This addresses potential unintended data exposure risks.

Diff

diff --git a/IAM/latest/UserGuide/access_policies_job-functions.md b/IAM/latest/UserGuide/access_policies_job-functions.md
index 9f428425c..25f2d8696 100644
--- a/IAM/latest/UserGuide/access_policies_job-functions.md
+++ b/IAM/latest/UserGuide/access_policies_job-functions.md
@@ -128,0 +129,4 @@ Allows Amazon VPC to create and manage logs in CloudWatch Logs on the user's beh
+###### Important
+
+This user will also have access to read data in storage services like Amazon S3 buckets and Amazon DynamoDB tables.
+
@@ -131 +135 @@ Allows Amazon VPC to create and manage logs in CloudWatch Logs on the user's beh
-**Policy description:** This policy grants permissions to list, get, describe, and otherwise view resources and their attributes. It does not include mutating functions like create or delete. This policy does include read-only access to security-related AWS services, such as AWS Identity and Access Management and AWS Billing and Cost Management. View the policy for the full list of services and actions that this policy supports.
+**Policy description:** This policy grants permissions to list, get, describe, and otherwise view resources and their attributes. It does not include mutating functions like create or delete. This policy does include read-only access to security-related AWS services, such as AWS Identity and Access Management and AWS Billing and Cost Management. View the policy for the full list of services and actions that this policy supports. For more information about the managed policy, see [ReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ReadOnlyAccess.html) in _AWS Managed Policy Reference Guide_. If you need a similar policy that does not grant access to read data in storage services, see View-only user job function.