AWS AmazonElastiCache medium security documentation change
Summary
Updated S3 bucket policy example with explicit service principal and resource restrictions
Security assessment
Added explicit service principal (ap-east-1.elasticache-snapshot.amazonaws.com) and narrowed resource scope in IAM policy example, addressing potential over-permissive resource wildcards and improving least-privilege configuration
Diff
diff --git a/AmazonElastiCache/latest/dg/backups-exporting.md b/AmazonElastiCache/latest/dg/backups-exporting.md index 18998f6a4..ddbfd4e7d 100644 --- a//AmazonElastiCache/latest/dg/backups-exporting.md +++ b//AmazonElastiCache/latest/dg/backups-exporting.md @@ -102 +102,3 @@ To create the proper permissions on an Amazon S3 bucket, take the steps describe -Now you've created your S3 bucket and granted ElastiCache permissions to access it. Next, you can use the ElastiCache console, the AWS CLI, or the ElastiCache API to export your snapshot to it. The following examples assume that the IAM identity of the caller has the following additional S3 specific IAM permissions. +Now you've created your S3 bucket and granted ElastiCache permissions to access it. Next, you can use the ElastiCache console, the AWS CLI, or the ElastiCache API to export your snapshot to it. + +The following is an example of what the updated policy might look like. @@ -107 +109,4 @@ Now you've created your S3 bucket and granted ElastiCache permissions to access - "Statement": [{ + "Id": "Policy15397346", + "Statement": [ + { + "Sid": "Stmt15399484", @@ -109,10 +114,11 @@ Now you've created your S3 bucket and granted ElastiCache permissions to access - "Action": [ - "s3:GetBucketLocation", - "s3:ListAllMyBuckets", - "s3:PutObject", - "s3:GetObject", - "s3:DeleteObject", - "s3:ListBucket" - ], - "Resource": "arn:aws:s3:::*" - }] + + "Principal": { + "Service": "ap-east-1.elasticache-snapshot.amazonaws.com" + }, + "Action": "s3:*", + "Resource": [ + "arn:aws:s3:::hkg-elasticache-backup", + "arn:aws:s3:::hkg-elasticache-backup/*" + ] + } + ]