AWS artifact documentation change
Summary
Updated IAM policy examples for AWS Artifact in GovCloud with expanded actions, resource patterns, and condition keys. Added service-linked role creation permissions, refined agreement management policies, and improved resource scoping with conditions.
Security assessment
Changes focus on improving least-privilege practices by adding granular actions (e.g., ListReports, GetNdaForAgreement), implementing resource conditions, and using service-linked roles. While these are security improvements, there's no evidence they address a specific disclosed vulnerability.
Diff
diff --git a/artifact/latest/ug/example-govcloud-iam-policies.md b/artifact/latest/ug/example-govcloud-iam-policies.md index ef118062e..8e9cc2903 100644 --- a//artifact/latest/ug/example-govcloud-iam-policies.md +++ b//artifact/latest/ug/example-govcloud-iam-policies.md @@ -13 +13 @@ The following example policies show permissions that you can assign to IAM users - * Example policies to manage reports + * Example policies to manage AWS reports @@ -37 +37,4 @@ The following policy grants permission to download all reports. - "artifact:Get" + "artifact:ListReports", + "artifact:GetReportMetadata", + "artifact:GetReport", + "artifact:GetTermForReport" @@ -39,3 +42 @@ The following policy grants permission to download all reports. - "Resource": [ - "arn:aws:artifact:::report-package/*" - ] + "Resource": "*" @@ -55 +56,4 @@ The following policy grants permission to download only the SOC, PCI, and ISO re - "artifact:Get" + "artifact:ListReports", + "artifact:GetReportMetadata", + "artifact:GetReport", + "artifact:GetTermForReport" @@ -57,4 +61,10 @@ The following policy grants permission to download only the SOC, PCI, and ISO re - "Resource": [ - "arn:aws:artifact:::report-package/Certifications and Attestations/SOC/*", - "arn:aws:artifact:::report-package/Certifications and Attestations/PCI/*", - "arn:aws:artifact:::report-package/Certifications and Attestations/ISO/*" + "Resource": "*", + "Condition": { + "StringEquals": { + "artifact:ReportSeries": [ + "SOC", + "PCI", + "ISO" + ], + "artifact:ReportCategory": [ + "Certifications And Attestations" @@ -62,0 +73,2 @@ The following policy grants permission to download only the SOC, PCI, and ISO re + } + } @@ -77 +89,2 @@ The following policy grants permission to download all agreements. IAM users mus - "artifact:DownloadAgreement" + "artifact:ListAgreements", + "artifact:ListCustomerAgreements" @@ -81,0 +95,18 @@ The following policy grants permission to download all agreements. IAM users mus + }, + { + "Sid": "AWSAgreementActions", + "Effect": "Allow", + "Action": [ + "artifact:GetAgreement", + "artifact:AcceptNdaForAgreement", + "artifact:GetNdaForAgreement" + ], + "Resource": "arn:aws-us-gov:artifact:::agreement/*" + }, + { + "Sid": "CustomerAgreementActions", + "Effect": "Allow", + "Action": [ + "artifact:GetCustomerAgreement" + ], + "Resource": "arn:aws-us-gov:artifact::*:customer-agreement/*" @@ -86 +117 @@ The following policy grants permission to download all agreements. IAM users mus -The following policy grants permission to accept an agreement. +The following policy grants permission to accept all agreement. @@ -95,2 +126 @@ The following policy grants permission to accept an agreement. - "artifact:AcceptAgreement", - "artifact:DownloadAgreement" + "artifact:ListAgreements" @@ -100,0 +131,11 @@ The following policy grants permission to accept an agreement. + }, + { + "Sid": "AWSAgreementActions", + "Effect": "Allow", + "Action": [ + "artifact:GetAgreement", + "artifact:AcceptNdaForAgreement", + "artifact:GetNdaForAgreement", + "artifact:AcceptAgreement" + ], + "Resource": "arn:aws-us-gov:artifact:::agreement/*" @@ -105 +146 @@ The following policy grants permission to accept an agreement. -The following policy grants permission to terminate an agreement. +The following policy grants permission to terminate all agreement. @@ -111,0 +153,10 @@ The following policy grants permission to terminate an agreement. + "Sid": "ListAgreementActions", + "Effect": "Allow", + "Action": [ + "artifact:ListAgreements", + "artifact:ListCustomerAgreements" + ], + "Resource": "*" + }, + { + "Sid": "CustomerAgreementActions", @@ -113,0 +165 @@ The following policy grants permission to terminate an agreement. + "artifact:GetCustomerAgreement", @@ -116,3 +168 @@ The following policy grants permission to terminate an agreement. - "Resource": [ - "*" - ] + "Resource": "arn:aws-us-gov:artifact::*:customer-agreement/*" @@ -123 +173 @@ The following policy grants permission to terminate an agreement. -The following policy grants permissions to manage single account agreements. +The following policy grants permissions to view and execute account level agreements. @@ -129,0 +180,21 @@ The following policy grants permissions to manage single account agreements. + "Sid": "ListAgreementActions", + "Effect": "Allow", + "Action": [ + "artifact:ListAgreements", + "artifact:ListCustomerAgreements" + ], + "Resource": "*" + }, + { + "Sid": "AWSAgreementActions", + "Effect": "Allow", + "Action": [ + "artifact:GetAgreement", + "artifact:AcceptNdaForAgreement", + "artifact:GetNdaForAgreement", + "artifact:AcceptAgreement" + ], + "Resource": "arn:aws-us-gov:artifact:::agreement/*" + }, + { + "Sid": "CustomerAgreementActions", @@ -132,2 +203 @@ The following policy grants permissions to manage single account agreements. - "artifact:AcceptAgreement", - "artifact:DownloadAgreement", + "artifact:GetCustomerAgreement", @@ -136,4 +206 @@ The following policy grants permissions to manage single account agreements. - "Resource": [ - "arn:aws:artifact::*:customer-agreement/*", - "arn:aws:artifact:::agreement/*" - ] + "Resource": "arn:aws-us-gov:artifact::*:customer-agreement/*" @@ -152,0 +220 @@ The following policy grants permission to create the IAM role that AWS Artifact + "Sid": "CreateServiceLinkedRoleForOrganizationsIntegration", @@ -154,12 +222,5 @@ The following policy grants permission to create the IAM role that AWS Artifact - "Action": "iam:ListRoles", - "Resource": "arn:aws:iam::*:role/*" - }, - { - "Effect": "Allow", - "Action": "iam:CreateRole", - "Resource": "arn:aws:iam::*:role/service-role/AWSArtifactAccountSync" - }, - { - "Effect": "Allow", - "Action": "iam:AttachRolePolicy", - "Resource": "arn:aws:iam::*:role/service-role/AWSArtifactAccountSync", + "Action": [ + "iam:CreateServiceLinkedRole", + "iam:GetRole" + ], + "Resource": "arn:aws-us-gov:iam::*:role/aws-service-role/artifact.amazonaws.com/AWSServiceRoleForArtifact", @@ -167,2 +228,4 @@ The following policy grants permission to create the IAM role that AWS Artifact - "ArnEquals": { - "iam:PolicyARN": "arn:aws:iam::aws:policy/service-role/AWSArtifactAccountSync" + "StringEquals": { + "iam:AWSServiceName": [ + "artifact.amazonaws.com" + ] @@ -201,0 +265 @@ The following policy grants permissions to manage agreements for the management + "Sid": "ListAgreementActions", @@ -204,3 +268,2 @@ The following policy grants permissions to manage agreements for the management - "artifact:AcceptAgreement", - "artifact:DownloadAgreement", - "artifact:TerminateAgreement" + "artifact:ListAgreements", + "artifact:ListCustomerAgreements" @@ -208,4 +271 @@ The following policy grants permissions to manage agreements for the management - "Resource": [ - "arn:aws:artifact::*:customer-agreement/*", - "arn:aws:artifact:::agreement/*" - ] + "Resource": "*" @@ -213,0 +274 @@ The following policy grants permissions to manage agreements for the management + "Sid": "AWSAgreementActions", @@ -215,2 +276,7 @@ The following policy grants permissions to manage agreements for the management - "Action": "iam:ListRoles", - "Resource": "arn:aws:iam::*:role/*" + "Action": [ + "artifact:GetAgreement", + "artifact:AcceptNdaForAgreement", + "artifact:GetNdaForAgreement", + "artifact:AcceptAgreement" + ], + "Resource": "arn:aws-us-gov:artifact:::agreement/*" @@ -218,0 +285 @@ The following policy grants permissions to manage agreements for the management + "Sid": "CustomerAgreementActions", @@ -220,2 +287,5 @@ The following policy grants permissions to manage agreements for the management - "Action": "iam:CreateRole", - "Resource": "arn:aws:iam::*:role/service-role/AWSArtifactAccountSync" + "Action": [ + "artifact:GetCustomerAgreement",