AWS Security ChangesHomeSearch

AWS documentdb high security documentation change

Service: documentdb · 2025-04-11 · Security-related high

File: documentdb/latest/developerguide/quick_start_cfn.md

Summary

Revised IAM policy with granular permissions for DocumentDB CloudFormation setup

Security assessment

Restructured IAM policy implements least-privilege principles with resource-specific permissions and KMS encryption requirements

Diff

diff --git a/documentdb/latest/developerguide/quick_start_cfn.md b/documentdb/latest/developerguide/quick_start_cfn.md
index 6dc4fe5a1..a86ab33a8 100644
--- a//documentdb/latest/developerguide/quick_start_cfn.md
+++ b//documentdb/latest/developerguide/quick_start_cfn.md
@@ -61,0 +62,2 @@ The following policy outlines the additional permissions that are required to cr
+In the following examples, replace each `user input placeholder` with your resource's information.
+    
@@ -66,0 +69 @@ The following policy outlines the additional permissions that are required to cr
+                "Sid": "DocDBPermissions",
@@ -69,25 +72,25 @@ The following policy outlines the additional permissions that are required to cr
-                    "iam:GetSSHPublicKey",
-                    "iam:ListSSHPublicKeys",
-                    "iam:CreateRole",
-                    "iam:CreatePolicy",
-                    "iam:PutRolePolicy",
-                    "iam:CreateInstanceProfile",
-                    "iam:AddRoleToInstanceProfile",
-                    "iam:GetAccountSummary",
-                    "iam:ListAccountAliases",
-                    "iam:GetRole",
-                    "iam:DeleteRole",
-                    "iam:RemoveRoleFromInstanceProfile",
-                    "iam:DeleteRolePolicy",
-                    "iam:DeleteInstanceProfile",
-                    "cloudformation:*Stack",
-                    "ec2:DescribeKeyPairs",
-                    "ec2:*Vpc",
-                    "ec2:DescribeInternetGateways",
-                    "ec2:*InternetGateway",
-                    "ec2:createTags",
-                    "ec2:*VpcAttribute",
-                    "ec2:DescribeRouteTables",
-                    "ec2:*RouteTable",
-                    "ec2:*Subnet",
-                    "ec2:*SecurityGroup",
+                    "rds:CreateDBCluster",
+                    "rds:DeleteDBCluster",
+                    "rds:ModifyDBCluster",
+                    "rds:DescribeDBClusters",
+                    "rds:CreateDBInstance",
+                    "rds:DeleteDBInstance",
+                    "rds:ModifyDBInstance",
+                    "rds:DescribeDBInstances",
+                    "rds:CreateDBSubnetGroup",
+                    "rds:DeleteDBSecurityGroup",
+                    "rds:DescribeDBSubnetGroups"
+                ],
+                "Resource": [
+                    "arn:aws:rds:{AWS_REGION}:{AWS_ACCOUNT_ID}:cluster:*",
+                    "arn:aws:rds:{AWS_REGION}:{AWS_ACCOUNT_ID}:db:*",
+                    "arn:aws:rds:{AWS_REGION}:{AWS_ACCOUNT_ID}:subgrp:*"
+                ]
+            },
+            {
+                "Sid": "EC2NetworkingPermissions",
+                "Effect": "Allow",
+                "Action": [
+                    "ec2:CreateSecurityGroup",
+                    "ec2:DeleteSecurityGroup",
+                    "ec2:DescribeSecurityGroups",
@@ -95,6 +98,15 @@ The following policy outlines the additional permissions that are required to cr
-                    "ec2:DescribeVpcEndpoints",
-                    "ec2:*VpcEndpoint",
-                    "ec2:*SubnetAttribute",
-                    "ec2:*Route",
-                    "ec2:*Instances",
-                    "ec2:DeleteVpcEndpoints"
+                    "ec2:RevokeSecurityGroupIngress",
+                    "ec2:DescribeVpcs",
+                    "ec2:DescribeSubnets"
+                ],
+                "Resource": [
+                    "arn:aws:ec2:{AWS_REGION}:{AWS_ACCOUNT_ID}:security-group/*",
+                    "arn:aws:ec2:{AWS_REGION}:{AWS_ACCOUNT_ID}:vpc/*",
+                    "arn:aws:ec2:{AWS_REGION}:{AWS_ACCOUNT_ID}:subnet/*"
+                ]
+            },
+            {
+                "Sid": "EC2DescribePermissions",
+                "Effect": "Allow",
+                "Action": [
+                    "ec2:DescribeAvailabilityZones"
@@ -105 +117,45 @@ The following policy outlines the additional permissions that are required to cr
-                "Sid": "iamPassRole",
+                "Sid": "CloudWatchLogsPermissions",
+                "Effect": "Allow",
+                "Action": [
+                    "cloudwatch:PutMetricData",
+                    "logs:CreateLogGroup",
+                    "logs:CreateLogStream",
+                    "logs:PutLogEvents",
+                    "logs:DescribeLogStreams"
+                ],
+                "Resource": [
+                    "arn:aws:logs:{AWS_REGION}:{AWS_ACCOUNT_ID}:log-group:/aws/docdb/*",
+                    "arn:aws:logs:{AWS_REGION}:{AWS_ACCOUNT_ID}:log-group:/aws/docdb/*:log-stream:*"
+                ]
+            },
+            {
+                "Sid": "KMSPermissions",
+                "Effect": "Allow",
+                "Action": [
+                    "kms:CreateKey",
+                    "kms:DescribeKey",
+                    "kms:EnableKey",
+                    "kms:ListKeys",
+                    "kms:PutKeyPolicy"
+                ],
+                "Resource": "arn:aws:kms:{AWS_REGION}:{AWS_ACCOUNT_ID}:key/*"
+            },
+            {
+                "Sid": "KMSEncryption",
+                "Effect": "Allow",
+                "Action": [
+                    "kms:Encrypt",
+                    "kms:Decrypt",
+                    "kms:GenerateDataKey"
+                ],
+                "Resource": "arn:aws:kms:{AWS_REGION}:{AWS_ACCOUNT_ID}:key/*",
+                "Condition": {
+                    "StringEquals": {
+                        "kms:ViaService": [
+                            "rds.{AWS_REGION}.amazonaws.com"
+                        ]
+                    }
+                }
+            },
+            {
+                "Sid": "IAMServiceLinkedRole",
@@ -107,2 +163,2 @@ The following policy outlines the additional permissions that are required to cr
-                "Action": "iam:PassRole",
-                "Resource": "*",
+                "Action": "iam:CreateServiceLinkedRole",
+                "Resource": "arn:aws:iam::{AWS_ACCOUNT_ID}:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS",
@@ -111 +167 @@ The following policy outlines the additional permissions that are required to cr
-                        "iam:PassedToService": "rds.amazonaws.com"
+                        "iam:AWSServiceName": "rds.amazonaws.com"
@@ -118,4 +173,0 @@ The following policy outlines the additional permissions that are required to cr
-###### Note
-
-The bolded permissions in the preceding policy are only required to delete a stack: `iam:DeleteRole`, `iam:RemoveRoleFromInstanceProfile`, `iam:DeleteRolePolicy`, `iam:DeleteInstanceProfile`, and `ec2:DeleteVpcEndpoints`. Also note that `ec2:*Vpc` grants `ec2:DeleteVpc` permissions. 
-