AWS artifact high security documentation change
Summary
Added AWS GovCloud policy examples, removed region note, and updated managed policy change log to reflect artifact:Get permission removal.
Security assessment
Explicit removal of the artifact:Get permission from AWSArtifactReportsReadOnlyAccess indicates a security hardening measure to reduce excessive permissions.
Diff
diff --git a/artifact/latest/ug/security-iam-awsmanpol.md b/artifact/latest/ug/security-iam-awsmanpol.md index 01831f7d6..b4f39c03d 100644 --- a//artifact/latest/ug/security-iam-awsmanpol.md +++ b//artifact/latest/ug/security-iam-awsmanpol.md @@ -9,4 +8,0 @@ AWSArtifactReportsReadOnlyAccessAWSArtifactAgreementsReadOnlyAccessAWSArtifactAg -###### Note - -The content of this page is only applicable to commercial AWS [Regions](https://docs.aws.amazon.com/glossary/latest/reference/glos-chap.html?icmpid=docs_homepage_addtlrcs#region), and does not currently apply to AWS GovCloud (US) Regions. - @@ -71,0 +68,3 @@ This policy includes the following permissions. +AWS + + @@ -112,0 +112,46 @@ This policy includes the following permissions. + +AWS GovCloud (US) + + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "ListAgreementsActions", + "Effect": "Allow", + "Action": [ + "artifact:ListAgreements", + "artifact:ListCustomerAgreements" + ], + "Resource": "*" + }, + { + "Sid": "GetCustomerAgreementActions", + "Effect": "Allow", + "Action": [ + "artifact:GetCustomerAgreement" + ], + "Resource": "arn:aws-us-gov:artifact::*:customer-agreement/*" + }, + { + "Sid": "AWSOrganizationActions", + "Effect": "Allow", + "Action": [ + "organizations:ListAWSServiceAccessForOrganization", + "organizations:DescribeOrganization" + ], + "Resource": "*" + }, + { + "Sid": "GetRole", + "Effect": "Allow", + "Action": [ + "iam:GetRole" + ], + "Resource": "arn:aws-us-gov:iam::*:role/aws-service-role/artifact.amazonaws.com/AWSServiceRoleForArtifact" + } + ] + } + + @@ -131,0 +177,3 @@ This policy includes the following permissions. +AWS + + @@ -200,0 +249,74 @@ This policy includes the following permissions. + +AWS GovCloud (US) + + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "ListAgreementActions", + "Effect": "Allow", + "Action": [ + "artifact:ListAgreements", + "artifact:ListCustomerAgreements" + ], + "Resource": "*" + }, + { + "Sid": "AWSAgreementActions", + "Effect": "Allow", + "Action": [ + "artifact:GetAgreement", + "artifact:AcceptNdaForAgreement", + "artifact:GetNdaForAgreement", + "artifact:AcceptAgreement" + ], + "Resource": "arn:aws-us-gov:artifact:::agreement/*" + }, + { + "Sid": "CustomerAgreementActions", + "Effect": "Allow", + "Action": [ + "artifact:GetCustomerAgreement", + "artifact:TerminateAgreement" + ], + "Resource": "arn:aws-us-gov:artifact::*:customer-agreement/*" + }, + { + "Sid": "CreateServiceLinkedRoleForOrganizationsIntegration", + "Effect": "Allow", + "Action": [ + "iam:CreateServiceLinkedRole" + ], + "Resource": "arn:aws-us-gov:iam::*:role/aws-service-role/artifact.amazonaws.com/AWSServiceRoleForArtifact", + "Condition": { + "StringEquals": { + "iam:AWSServiceName": [ + "artifact.amazonaws.com" + ] + } + } + }, + { + "Sid": "GetRoleToCheckForRoleExistence", + "Effect": "Allow", + "Action": [ + "iam:GetRole" + ], + "Resource": "arn:aws-us-gov:iam::*:role/aws-service-role/artifact.amazonaws.com/AWSServiceRoleForArtifact" + }, + { + "Sid": "EnableServiceTrust", + "Effect": "Allow", + "Action": [ + "organizations:EnableAWSServiceAccess", + "organizations:ListAWSServiceAccessForOrganization", + "organizations:DescribeOrganization" + ], + "Resource": "*" + } + ] + } + + @@ -207 +329 @@ Change | Description | Date -AWS Artifact started tracking changes | AWS Artifact started tracking changes for its AWS managed policies and introduced AWSArtifactReportsReadOnlyAccess. | 2023-12-15 +Updated AWS Reports managed polices | Updated AWSArtifactReportsReadOnlyAccess managed policy to remove the artifact:get permission. | 2025-03-21 @@ -209 +331 @@ Introduced AWS Agreements managed polices | Introduced AWSArtifactAgreementsRe -Updated AWS Reports managed policy | Removed legacy permission from AWSArtifactReportsReadOnlyAccess managed policy. | 2025-03-03 +AWS Artifact started tracking changes | AWS Artifact started tracking changes for its AWS managed policies and introduced AWSArtifactReportsReadOnlyAccess. | 2023-12-15