AWS Security ChangesHomeSearch

AWS tk-dotnet-refactoring medium security documentation change

Service: tk-dotnet-refactoring · 2025-04-11 · Security-related medium

File: tk-dotnet-refactoring/latest/userguide/security-iam-awsmanpol.md

Summary

Updated policy details including added condition key (aws:CallVia) for CreateTags, service name standardization (EC2 Systems Manager → Systems Manager), and restructured policy update entries with clearer formatting.

Security assessment

The addition of the aws:CallVia condition key to CreateTags permissions explicitly restricts how tagging actions can be invoked, addressing potential over-permission risks. This is a concrete security control improvement.

Diff

diff --git a/tk-dotnet-refactoring/latest/userguide/security-iam-awsmanpol.md b/tk-dotnet-refactoring/latest/userguide/security-iam-awsmanpol.md
index 86aa13510..da24bd622 100644
--- a//tk-dotnet-refactoring/latest/userguide/security-iam-awsmanpol.md
+++ b//tk-dotnet-refactoring/latest/userguide/security-iam-awsmanpol.md
@@ -5 +5 @@
-AWS managed policy: AWSRefactoringToolkitFullAccessAWSRefactoringToolkitSidecarPolicyPolicy updates
+AWSRefactoringToolkitFullAccessAWSRefactoringToolkitSidecarPolicyPolicy updates
@@ -18,0 +19,2 @@ Use this policy to test your application on AWS when you modernize your applicat
+To view the permissions for this policy, see [AWSRefactoringToolkitFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSRefactoringToolkitFullAccess.html) in the _AWS Managed Policy Reference_.
+
@@ -43 +45 @@ This policy includes permissions for the following services:
-  * Amazon EC2 Systems Manager (SSM) – Allows Toolkit for .NET Refactoring to manage SSM parameters and communicate with Amazon ECS tasks.
+  * AWS Systems Manager (Systems Manager) – Allows Toolkit for .NET Refactoring to manage Systems Manager parameters and communicate with Amazon ECS tasks.
@@ -48,2 +49,0 @@ This policy includes permissions for the following services:
-To view the permissions for this policy, see [AWSRefactoringToolkitFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSRefactoringToolkitFullAccess.html) in the _AWS Managed Policy Reference_.
-
@@ -62,7 +62,8 @@ Change | Description | Date
-Updated `AWSRefactoringToolkitFullAccess` managed policy |  Added permissions for the `cloudformation:TagResource` and `cloudformation:UntagResource` actions to manage resource tags on stacks created for AWS App2Container. For more information, see AWS managed policy: AWSRefactoringToolkitFullAccess. | March 25, 2024  
-Updated `AWSRefactoringToolkitFullAccess` managed policy |  Added permissions for `application-transformation` actions and KMS permissions for resources matching `ForAnyValue:StringLike` with `"kms:ResourceAliases": "alias/application-transformation*"`. Changed permissions for EC2, ECR, ECS, and CloudWatch Logs to scope them to the `application-transformation` request and resource tag. For more information, see AWS managed policy: AWSRefactoringToolkitFullAccess. | November 18, 2023  
-Updated `AWSRefactoringToolkitFullAccess` managed policy |  Added `ListStacks` permissions. For more information, see AWS managed policy: AWSRefactoringToolkitFullAccess. | March 22, 2023  
-Updated `AWSRefactoringToolkitFullAccess` managed policy |  Added tagging permissions that allow new accounts to perform the `CreateLogGroup` action.  For more information, see AWS managed policy: AWSRefactoringToolkitFullAccess. | December 15, 2022  
-Updated `AWSRefactoringToolkitSidecarPolicy` managed policy |  Added permissions to open a data channel to transfer files to the customer's container. For more information, see AWS managed policy: AWSRefactoringToolkitSidecarPolicy. | October 29, 2022  
-New policy – `AWSRefactoringToolkitFullAccess` |  Added `AWSRefactoringToolkitFullAccess` to AWS managed policies. For more information, see AWS managed policy: AWSRefactoringToolkitFullAccess. | October 25, 2022  
-New policy – `AWSRefactoringToolkitSidecarPolicy` |  Added `AWSRefactoringToolkitSidecarPolicy` to AWS managed policies. For more information, see AWS managed policy: AWSRefactoringToolkitSidecarPolicy. | October 25, 2022  
+AWSRefactoringToolkitFullAccess – Updated policy | Modified the permissions for `CreateTags` by adding conditions that use the `aws:CallVia` condition key. | April 9, 2025  
+AWSRefactoringToolkitFullAccess – Updated policy |  Added permissions for the `cloudformation:TagResource` and `cloudformation:UntagResource` actions to manage resource tags on stacks created for AWS App2Container. | March 25, 2024  
+AWSRefactoringToolkitFullAccess – Updated policy |  Added permissions for `application-transformation` actions and KMS permissions for resources matching `ForAnyValue:StringLike` with `"kms:ResourceAliases": "alias/application-transformation*"`. Changed permissions for EC2, ECR, ECS, and CloudWatch Logs to scope them to the `application-transformation` request and resource tag. | November 18, 2023  
+AWSRefactoringToolkitFullAccess – Updated policy |  Added `ListStacks` permissions. | March 22, 2023  
+AWSRefactoringToolkitFullAccess – Updated policy |  Added tagging permissions that allow new accounts to perform the `CreateLogGroup` action.  | December 15, 2022  
+AWSRefactoringToolkitSidecarPolicy – Updated policy | Added permissions to open a data channel to transfer files to the customer's container. | October 29, 2022  
+AWSRefactoringToolkitFullAccess – New policy |  Added the `AWSRefactoringToolkitFullAccess` policy. | October 25, 2022  
+AWSRefactoringToolkitSidecarPolicy – New policy | Added the `AWSRefactoringToolkitSidecarPolicy` policy. | October 25, 2022