AWS documentdb high security documentation change
Summary
Revised IAM policy with granular permissions for DocumentDB CloudFormation setup
Security assessment
Restructured IAM policy implements least-privilege principles with resource-specific permissions and KMS encryption requirements
Diff
diff --git a/documentdb/latest/developerguide/quick_start_cfn.md b/documentdb/latest/developerguide/quick_start_cfn.md index 6dc4fe5a1..a86ab33a8 100644 --- a//documentdb/latest/developerguide/quick_start_cfn.md +++ b//documentdb/latest/developerguide/quick_start_cfn.md @@ -61,0 +62,2 @@ The following policy outlines the additional permissions that are required to cr +In the following examples, replace each `user input placeholder` with your resource's information. + @@ -66,0 +69 @@ The following policy outlines the additional permissions that are required to cr + "Sid": "DocDBPermissions", @@ -69,25 +72,25 @@ The following policy outlines the additional permissions that are required to cr - "iam:GetSSHPublicKey", - "iam:ListSSHPublicKeys", - "iam:CreateRole", - "iam:CreatePolicy", - "iam:PutRolePolicy", - "iam:CreateInstanceProfile", - "iam:AddRoleToInstanceProfile", - "iam:GetAccountSummary", - "iam:ListAccountAliases", - "iam:GetRole", - "iam:DeleteRole", - "iam:RemoveRoleFromInstanceProfile", - "iam:DeleteRolePolicy", - "iam:DeleteInstanceProfile", - "cloudformation:*Stack", - "ec2:DescribeKeyPairs", - "ec2:*Vpc", - "ec2:DescribeInternetGateways", - "ec2:*InternetGateway", - "ec2:createTags", - "ec2:*VpcAttribute", - "ec2:DescribeRouteTables", - "ec2:*RouteTable", - "ec2:*Subnet", - "ec2:*SecurityGroup", + "rds:CreateDBCluster", + "rds:DeleteDBCluster", + "rds:ModifyDBCluster", + "rds:DescribeDBClusters", + "rds:CreateDBInstance", + "rds:DeleteDBInstance", + "rds:ModifyDBInstance", + "rds:DescribeDBInstances", + "rds:CreateDBSubnetGroup", + "rds:DeleteDBSecurityGroup", + "rds:DescribeDBSubnetGroups" + ], + "Resource": [ + "arn:aws:rds:{AWS_REGION}:{AWS_ACCOUNT_ID}:cluster:*", + "arn:aws:rds:{AWS_REGION}:{AWS_ACCOUNT_ID}:db:*", + "arn:aws:rds:{AWS_REGION}:{AWS_ACCOUNT_ID}:subgrp:*" + ] + }, + { + "Sid": "EC2NetworkingPermissions", + "Effect": "Allow", + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:DeleteSecurityGroup", + "ec2:DescribeSecurityGroups", @@ -95,6 +98,15 @@ The following policy outlines the additional permissions that are required to cr - "ec2:DescribeVpcEndpoints", - "ec2:*VpcEndpoint", - "ec2:*SubnetAttribute", - "ec2:*Route", - "ec2:*Instances", - "ec2:DeleteVpcEndpoints" + "ec2:RevokeSecurityGroupIngress", + "ec2:DescribeVpcs", + "ec2:DescribeSubnets" + ], + "Resource": [ + "arn:aws:ec2:{AWS_REGION}:{AWS_ACCOUNT_ID}:security-group/*", + "arn:aws:ec2:{AWS_REGION}:{AWS_ACCOUNT_ID}:vpc/*", + "arn:aws:ec2:{AWS_REGION}:{AWS_ACCOUNT_ID}:subnet/*" + ] + }, + { + "Sid": "EC2DescribePermissions", + "Effect": "Allow", + "Action": [ + "ec2:DescribeAvailabilityZones" @@ -105 +117,45 @@ The following policy outlines the additional permissions that are required to cr - "Sid": "iamPassRole", + "Sid": "CloudWatchLogsPermissions", + "Effect": "Allow", + "Action": [ + "cloudwatch:PutMetricData", + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents", + "logs:DescribeLogStreams" + ], + "Resource": [ + "arn:aws:logs:{AWS_REGION}:{AWS_ACCOUNT_ID}:log-group:/aws/docdb/*", + "arn:aws:logs:{AWS_REGION}:{AWS_ACCOUNT_ID}:log-group:/aws/docdb/*:log-stream:*" + ] + }, + { + "Sid": "KMSPermissions", + "Effect": "Allow", + "Action": [ + "kms:CreateKey", + "kms:DescribeKey", + "kms:EnableKey", + "kms:ListKeys", + "kms:PutKeyPolicy" + ], + "Resource": "arn:aws:kms:{AWS_REGION}:{AWS_ACCOUNT_ID}:key/*" + }, + { + "Sid": "KMSEncryption", + "Effect": "Allow", + "Action": [ + "kms:Encrypt", + "kms:Decrypt", + "kms:GenerateDataKey" + ], + "Resource": "arn:aws:kms:{AWS_REGION}:{AWS_ACCOUNT_ID}:key/*", + "Condition": { + "StringEquals": { + "kms:ViaService": [ + "rds.{AWS_REGION}.amazonaws.com" + ] + } + } + }, + { + "Sid": "IAMServiceLinkedRole", @@ -107,2 +163,2 @@ The following policy outlines the additional permissions that are required to cr - "Action": "iam:PassRole", - "Resource": "*", + "Action": "iam:CreateServiceLinkedRole", + "Resource": "arn:aws:iam::{AWS_ACCOUNT_ID}:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS", @@ -111 +167 @@ The following policy outlines the additional permissions that are required to cr - "iam:PassedToService": "rds.amazonaws.com" + "iam:AWSServiceName": "rds.amazonaws.com" @@ -118,4 +173,0 @@ The following policy outlines the additional permissions that are required to cr -###### Note - -The bolded permissions in the preceding policy are only required to delete a stack: `iam:DeleteRole`, `iam:RemoveRoleFromInstanceProfile`, `iam:DeleteRolePolicy`, `iam:DeleteInstanceProfile`, and `ec2:DeleteVpcEndpoints`. Also note that `ec2:*Vpc` grants `ec2:DeleteVpc` permissions. -