AWS connect high security documentation change
Summary
Updated IAM policy example to restrict actions and enforce resource tag conditions
Security assessment
Policy changed from overly permissive ('Action':'*','Resource':'*') to specific Connect actions with tag-based conditions, addressing excessive permissions risk
Diff
diff --git a/connect/latest/adminguide/tagging-connect-instance.md b/connect/latest/adminguide/tagging-connect-instance.md index 5cec44f63..17bef4bb9 100644 --- a/connect/latest/adminguide/tagging-connect-instance.md +++ b/connect/latest/adminguide/tagging-connect-instance.md @@ -73 +73 @@ For TBAC on instances, you can define IAM policies based on instance tags and as -**Scenario 1** : Controlling access to a specific instance through an IAM role using tags associated with the instance. The following policy allows access only instances which are tagged with key:`Environment` and value:`Dev`. +**Scenario 1** : Controlling access to a specific Amazon Connect instance through an IAM role using tags associated with the instance. The following policy allows access only to instances which are tagged with key:`Environment` and value:`Dev`. @@ -81,2 +81,7 @@ For TBAC on instances, you can define IAM policies based on instance tags and as - "Action":"*", - "Resource":"*" + "Action": "connect:*", + "Resource": "*", + "Condition": { + "StringEquals": { + "aws:ResourceTag/Environment": "Dev" + } + } @@ -86 +91 @@ For TBAC on instances, you can define IAM policies based on instance tags and as - "Action":"connect:DescribeInstance", + "Action": "connect:*", @@ -90,3 +95 @@ For TBAC on instances, you can define IAM policies based on instance tags and as - "aws:ResourceTag/Environment":[ - "Dev" - ] + "aws:ResourceTag/Environment": "Dev"