AWS neptune high security documentation change
Summary
Restructured IAM policy requirements to use more specific resource ARNs with account numbers, added service-linked role creation permissions, and reorganized actions/resource permissions with granular conditions
Security assessment
The changes enforce least-privilege permissions by replacing wildcard resources with account-specific ARNs and adding explicit conditions. This addresses potential over-permissioning security risks in IAM policies
Diff
diff --git a/neptune/latest/userguide/get-started-prereqs.md b/neptune/latest/userguide/get-started-prereqs.md index 4ba1c6efb..24e50692c 100644 --- a//neptune/latest/userguide/get-started-prereqs.md +++ b//neptune/latest/userguide/get-started-prereqs.md @@ -38,7 +38,2 @@ Finally, you need to create the following customer-managed policy and add it to - "Action": [ - "rds:CreateDBCluster", - "rds:CreateDBInstance" - ], - "Resource": [ - "arn:aws:rds:*:*:*" - ], + "Action": "iam:PassRole", + "Resource": "arn:aws:iam::0123456789012:role/*", @@ -47 +42 @@ Finally, you need to create the following customer-managed policy and add it to - "rds:DatabaseEngine": ["graphdb","neptune"] + "iam:passedToService": "rds.amazonaws.com" @@ -51,0 +47,11 @@ Finally, you need to create the following customer-managed policy and add it to + "Effect": "Allow", + "Action": "iam:CreateServiceLinkedRole", + "Resource": "arn:aws:iam::*:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS", + "Condition": { + "StringLike": { + "iam:AWSServiceName": "rds.amazonaws.com" + } + } + }, + { + "Effect": "Allow", @@ -53,61 +59,3 @@ Finally, you need to create the following customer-managed policy and add it to - "rds:AddRoleToDBCluster", - "rds:AddSourceIdentifierToSubscription", - "rds:AddTagsToResource", - "rds:ApplyPendingMaintenanceAction", - "rds:CopyDBClusterParameterGroup", - "rds:CopyDBClusterSnapshot", - "rds:CopyDBParameterGroup", - "rds:CreateDBClusterParameterGroup", - "rds:CreateDBClusterSnapshot", - "rds:CreateDBParameterGroup", - "rds:CreateDBSubnetGroup", - "rds:CreateEventSubscription", - "rds:DeleteDBCluster", - "rds:DeleteDBClusterParameterGroup", - "rds:DeleteDBClusterSnapshot", - "rds:DeleteDBInstance", - "rds:DeleteDBParameterGroup", - "rds:DeleteDBSubnetGroup", - "rds:DeleteEventSubscription", - "rds:DescribeAccountAttributes", - "rds:DescribeCertificates", - "rds:DescribeDBClusterParameterGroups", - "rds:DescribeDBClusterParameters", - "rds:DescribeDBClusterSnapshotAttributes", - "rds:DescribeDBClusterSnapshots", - "rds:DescribeDBClusters", - "rds:DescribeDBEngineVersions", - "rds:DescribeDBInstances", - "rds:DescribeDBLogFiles", - "rds:DescribeDBParameterGroups", - "rds:DescribeDBParameters", - "rds:DescribeDBSecurityGroups", - "rds:DescribeDBSubnetGroups", - "rds:DescribeEngineDefaultClusterParameters", - "rds:DescribeEngineDefaultParameters", - "rds:DescribeEventCategories", - "rds:DescribeEventSubscriptions", - "rds:DescribeEvents", - "rds:DescribeOptionGroups", - "rds:DescribeOrderableDBInstanceOptions", - "rds:DescribePendingMaintenanceActions", - "rds:DescribeValidDBInstanceModifications", - "rds:DownloadDBLogFilePortion", - "rds:FailoverDBCluster", - "rds:ListTagsForResource", - "rds:ModifyDBCluster", - "rds:ModifyDBClusterParameterGroup", - "rds:ModifyDBClusterSnapshotAttribute", - "rds:ModifyDBInstance", - "rds:ModifyDBParameterGroup", - "rds:ModifyDBSubnetGroup", - "rds:ModifyEventSubscription", - "rds:PromoteReadReplicaDBCluster", - "rds:RebootDBInstance", - "rds:RemoveRoleFromDBCluster", - "rds:RemoveSourceIdentifierFromSubscription", - "rds:RemoveTagsFromResource", - "rds:ResetDBClusterParameterGroup", - "rds:ResetDBParameterGroup", - "rds:RestoreDBClusterFromSnapshot", - "rds:RestoreDBClusterToPointInTime" + "sns:ListTopics", + "sns:ListSubscriptions", + "sns:Publish" @@ -114,0 +63,3 @@ Finally, you need to create the following customer-managed policy and add it to + "Resource": "arn:aws:sns:*:0123456789012:*" + }, + { @@ -116,3 +67,7 @@ Finally, you need to create the following customer-managed policy and add it to - "Resource": [ - "*" - ] + "Action": [ + "kms:ListRetirableGrants", + "kms:ListKeys", + "kms:ListAliases", + "kms:ListKeyPolicies" + ], + "Resource": "arn:aws:kms:*:0123456789012:key/*" @@ -120,0 +76 @@ Finally, you need to create the following customer-managed policy and add it to + "Effect": "Allow", @@ -123,3 +79,12 @@ Finally, you need to create the following customer-managed policy and add it to - "cloudwatch:ListMetrics", - "ec2:DescribeAccountAttributes", - "ec2:DescribeAvailabilityZones", + "cloudwatch:ListMetrics" + ], + "Resource": "arn:aws:cloudwatch:*:0123456789012:service/*-*", + "Condition": { + "StringLike": { + "cloudwatch:namespace": "AWS/Neptune" + } + } + }, + { + "Effect": "Allow", + "Action": [ @@ -127,2 +92 @@ Finally, you need to create the following customer-managed policy and add it to - "ec2:DescribeSubnets", - "ec2:DescribeVpcAttribute", + "ec2:DescribeAvailabilityZones", @@ -130,9 +94,3 @@ Finally, you need to create the following customer-managed policy and add it to - "kms:ListAliases", - "kms:ListKeyPolicies", - "kms:ListKeys", - "kms:ListRetirableGrants", - "logs:DescribeLogStreams", - "logs:GetLogEvents", - "sns:ListSubscriptions", - "sns:ListTopics", - "sns:Publish" + "ec2:DescribeAccountAttributes", + "ec2:DescribeSubnets", + "ec2:DescribeVpcAttribute" @@ -140 +97,0 @@ Finally, you need to create the following customer-managed policy and add it to - "Effect": "Allow", @@ -142 +99,3 @@ Finally, you need to create the following customer-managed policy and add it to - "*" + "arn:aws:ec2:*:0123456789012:vpc/*", + "arn:aws:ec2:*:0123456789012:subnet/*", + "arn:aws:ec2:*:0123456789012:security-group/*" @@ -146 +104,0 @@ Finally, you need to create the following customer-managed policy and add it to - "Action": "iam:PassRole", @@ -148 +106,62 @@ Finally, you need to create the following customer-managed policy and add it to - "Resource": "*", + "Action": [ + "rds:CreateDBCluster", + "rds:CreateDBInstance", + "rds:AddTagsToResource", + "rds:ListTagsForResource", + "rds:RemoveTagsFromResource", + "rds:RemoveRoleFromDBCluster", + "rds:ResetDBParameterGroup", + "rds:CreateDBSubnetGroup", + "rds:ModifyDBParameterGroup", + "rds:DownloadDBLogFilePortion", + "rds:CopyDBParameterGroup", + "rds:AddRoleToDBCluster", + "rds:ModifyDBInstance", + "rds:ModifyDBClusterParameterGroup", + "rds:ModifyDBClusterSnapshotAttribute", + "rds:DeleteDBInstance", + "rds:CopyDBClusterParameterGroup", + "rds:CreateDBParameterGroup", + "rds:DescribeDBSecurityGroups", + "rds:DeleteDBSubnetGroup", + "rds:DescribeValidDBInstanceModifications", + "rds:ModifyDBCluster", + "rds:CreateDBClusterSnapshot", + "rds:DeleteDBParameterGroup", + "rds:CreateDBClusterParameterGroup", + "rds:RemoveTagsFromResource", + "rds:PromoteReadReplicaDBCluster", + "rds:RestoreDBClusterFromSnapshot", + "rds:DescribeDBSubnetGroups", + "rds:DescribePendingMaintenanceActions", + "rds:DescribeDBParameterGroups", + "rds:FailoverDBCluster", + "rds:DescribeDBInstances", + "rds:DescribeDBParameters", + "rds:DeleteDBCluster", + "rds:ResetDBClusterParameterGroup", + "rds:RestoreDBClusterToPointInTime", + "rds:DescribeDBClusterSnapshotAttributes", + "rds:AddTagsToResource", + "rds:DescribeDBClusterParameters", + "rds:CopyDBClusterSnapshot", + "rds:DescribeDBLogFiles", + "rds:DeleteDBClusterSnapshot", + "rds:ListTagsForResource",