AWS drs documentation change
Summary
Updated AWS managed policies documentation to emphasize least-privilege recommendations and clarify policy management
Security assessment
The changes emphasize security best practices by recommending customer-managed policies for least-privilege access, but there's no evidence of addressing a specific security vulnerability.
Diff
diff --git a/drs/latest/userguide/security-iam-awsmanpol.md b/drs/latest/userguide/security-iam-awsmanpol.md index d549af14a..b10ccf9b1 100644 --- a/drs/latest/userguide/security-iam-awsmanpol.md +++ b/drs/latest/userguide/security-iam-awsmanpol.md @@ -9 +9 @@ Updates -To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to [create IAM customer managed policies ](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html) that provide your team with only the permissions they need. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see [AWS managed policies ](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the _IAM User Guide_. +An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles. @@ -11 +11 @@ To add permissions to users, groups, and roles, it is easier to use AWS managed -AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions. +Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining [ customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) that are specific to your use cases. @@ -13 +13,3 @@ AWS services maintain and update AWS managed policies. You can't change the perm -Additionally, AWS supports managed policies for job functions that span multiple services. For example, the **ReadOnlyAccess** AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see [AWS managed policies for job functions ](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) in the _IAM User Guide_. AWS Elastic Disaster Recovery read-only permissions are included in the general IAM ReadOnlyAccess policy. +You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services. + +For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the _IAM User Guide_.