AWS servicecatalog documentation change
Summary
Updated terminology from 'tag-sync' to 'tag-sync task', expanded IAM role configuration details, added managed policy references, and clarified permissions requirements
Security assessment
The changes enhance documentation about IAM role requirements and security best practices (managed policies, trust policies, inline policies) but do not address a specific disclosed vulnerability. The typo fix for 'sqs:TagQueue' prevents potential misconfigurations but isn't explicitly security-related.
Diff
diff --git a/servicecatalog/latest/arguide/app-tag-sync.md b/servicecatalog/latest/arguide/app-tag-sync.md index 8ded11d18..f3d1c0525 100644 --- a/servicecatalog/latest/arguide/app-tag-sync.md +++ b/servicecatalog/latest/arguide/app-tag-sync.md @@ -5 +5 @@ -Tag-sync required permissionsCreate a tag-sync +Tag-sync task required permissionsCreate a tag-sync task @@ -7 +7 @@ Tag-sync required permissionsCreate a tag-sync -# Resource tag-sync +# Resource tag-sync tasks @@ -9 +9 @@ Tag-sync required permissionsCreate a tag-sync -An automatic tag-synchronization of application resources (_tag-sync_) is an application resource management strategy that works by automatically adding and removing [The awsApplication tag](./ar-user-tags.html) from resources to manage their inclusion in an application. When you create a tag-sync in the application, you specify a tag key-value pair to sync to the application, such as `Project:Blue`. The tag-sync then adds any resources tagged with `Project:Blue` to the application by adding the `awsApplication` tag to those resources. +An automatic tag-synchronization of application resources (a _tag-sync task_) is an application resource management strategy that works by automatically adding and removing [The awsApplication tag](./ar-user-tags.html) from resources to manage their inclusion in an application. When you create a tag-sync task in the application, you specify a tag key-value pair to sync to the application, such as `Project:Blue`. The task then adds any resources tagged with `Project:Blue` to the application by adding the `awsApplication` tag to those resources. @@ -11 +11 @@ An automatic tag-synchronization of application resources (_tag-sync_) is an app -When you perform the following tasks, AWS adds all resources tagged with the `Project:Blue` tag to the application by applying the `awsApplication` tag to those resources: +When you perform the following actions, AWS adds all resources tagged with the `Project:Blue` tag to the application by applying the `awsApplication` tag to those resources: @@ -15 +15 @@ When you perform the following tasks, AWS adds all resources tagged with the `Pr - * Create a tag-sync in an existing application using the `Project:Blue` tag. + * Create a tag-sync task in an existing application using the `Project:Blue` tag. @@ -20 +20 @@ When you perform the following tasks, AWS adds all resources tagged with the `Pr -After you configure the tag-sync, it continuously manages the application's resources, adding or removing resources as they are tagged or untagged with the specified key-value pair. +After you configure the tag-sync task, it continuously manages the application's resources, adding or removing resources as they are tagged or untagged with the specified key-value pair. @@ -22 +22 @@ After you configure the tag-sync, it continuously manages the application's reso -When the tag-sync is active, if you tag a resource with the `Project:Blue` tag, the tag-sync adds that resource to the application by applying the `awsApplication` tag to it. +When the task is active, if you tag a resource with the `Project:Blue` tag, the tag-sync adds that resource to the application by applying the `awsApplication` tag to it. @@ -28 +28 @@ When you remove the `Project:Blue` tag from a resource, the tag-sync removes the - * Tag-sync required permissions + * Tag-sync task required permissions @@ -30 +30 @@ When you remove the `Project:Blue` tag from a resource, the tag-sync removes the - * Create a tag-sync + * Create a tag-sync task @@ -35 +35 @@ When you remove the `Project:Blue` tag from a resource, the tag-sync removes the -## Tag-sync required permissions +## Tag-sync task required permissions @@ -37 +37 @@ When you remove the `Project:Blue` tag from a resource, the tag-sync removes the -Creating and managing application tag-sync tasks requires you to specify an IAM role that has permissions to tag and untag application resources. This role must also have a [trust policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts) attached that allows AWS Resource Groups to assume the role and perform these tasks on your behalf. +Creating and managing application tag-sync tasks requires you to specify or create an IAM role that allows the tag-sync task to manage the application resources. @@ -39 +39 @@ Creating and managing application tag-sync tasks requires you to specify an IAM -**Sample trust policy** : +When configuring a tag-sync task, AWS recommends creating and using a new role to ensure the role includes the correct trust permissions. With this option, AWS creates a role named _tag-sync-role-`region`-`uniqueID`_. This role is comprised of the following permissions: @@ -40,0 +41 @@ Creating and managing application tag-sync tasks requires you to specify an IAM + * The [`ResourceGroupsTaggingAPITagUntagSupportedResources`](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ResourceGroupsTaggingAPITagUntagSupportedResources.html) AWS managed policy— Allows the tag-sync task to tag and untag resources. You can modify the role’s resource permissions based on your application needs by adding or removing a specific resource's `TagResource` and `UntagResource` permissions. For example, add `amplify:TagResource` and `amplify:UntagResource` to allow the tag-sync task to manage tags for AWS Amplify resources. @@ -42,13 +43,8 @@ Creating and managing application tag-sync tasks requires you to specify an IAM - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "Statement1", - "Effect": "Allow", - "Principal": { - "Service": "resource-groups.amazonaws.com" - }, - "Action": "sts:AssumeRole" - } - ] - } + * A role [trust policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts)— Allows AWS Resource Groups to assume the role and perform related tasks on your behalf. + + * An [inline policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#inline-policies)— Allows AWS Resource Groups to group and ungroup resources. + + + + +###### Important @@ -56 +52,5 @@ Creating and managing application tag-sync tasks requires you to specify an IAM -After specifying the trust policy for the role, you must give the role permissions to tag and untag application resources. There are two options to apply permissions. +To avoid disrupting the tag-sync task, do not delete this role or edit its trust or inline policies. + +If you choose to use an existing IAM role, ensure it includes the following permissions: + + * Permissions to tag and untag application resources. @@ -64 +64 @@ Use both the AWS Resource Groups [`ResourceGroupsTaggingAPITagUntagSupportedReso -If you choose not to use AWS managed policies, you must manually configure your policy to include all of the permissions required to tag and untag your specific resources. For example, add the `sqs:TagQue` permission if you have an Amazon SQS queue resource in your application. In addition to the resource-specific permissions, your policy must include the following Resource Groups Tagging API permissions: +If you choose not to use AWS managed policies, you must manually configure your policy to include all of the permissions required to tag and untag your specific resources. For example, add the `sqs:TagQueue` permission if you have an Amazon SQS queue resource in your application. In addition to the resource-specific permissions, your policy must include the following Resource Groups Tagging API permissions: @@ -75,0 +76,16 @@ If you choose not to use AWS managed policies, you must manually configure your + * A [trust policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts) attached that allows AWS Resource Groups to assume the role and perform these tasks on your behalf. The following is an example trust policy. + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "Statement1", + "Effect": "Allow", + "Principal": { + "Service": "resource-groups.amazonaws.com" + }, + "Action": "sts:AssumeRole" + } + ] + } + @@ -79 +95 @@ If you choose not to use AWS managed policies, you must manually configure your -## Create a tag-sync +## Create a tag-sync task @@ -81 +97 @@ If you choose not to use AWS managed policies, you must manually configure your -This section provides instructions to create a tag-sync for resources in an existing application using either myApplications in the AWS Management Console or with the AWS API. +This section provides instructions to create a tag-sync task for resources in an existing application using either myApplications in the AWS Management Console or with the AWS API. @@ -91 +107 @@ AWS Resource Groups API -###### To create a tag-sync +###### To create a tag-sync task @@ -101 +117 @@ AWS Resource Groups API - * **RoleARN** — The ARN of the role that AWS Resource Groups assumes when performing the tag-sync to apply the `awsApplication` tag to resources. This role must have the tagging permissions to all resources you want to include in the application. For more information, review Tag-sync required permissions. + * **RoleARN** — The ARN of the role that AWS Resource Groups assumes when performing the tag-sync task to apply the `awsApplication` tag to resources. This role must have the tagging permissions to all resources you want to include in the application. For more information, review Tag-sync task required permissions.