AWS Security ChangesHomeSearch

AWS ebs high security documentation change

Service: ebs · 2025-04-23 · Security-related high

File: ebs/latest/userguide/security_iam_id-based-policy-examples.md

Summary

Added IAM policy examples for restricting snapshot copies based on source ownership and tags, and updated permission scope.

Security assessment

The changes introduce explicit security documentation, including policies to enforce source snapshot ownership and tag-based restrictions. These examples help prevent unauthorized cross-account or untagged snapshot copies, directly addressing security best practices.

Diff

diff --git a/ebs/latest/userguide/security_iam_id-based-policy-examples.md b/ebs/latest/userguide/security_iam_id-based-policy-examples.md
index 593007ad2..2c2ce6d46 100644
--- a//ebs/latest/userguide/security_iam_id-based-policy-examples.md
+++ b//ebs/latest/userguide/security_iam_id-based-policy-examples.md
@@ -686 +686 @@ The following policy allows you to combine multiple actions into a single policy
-Resource-level permissions specified for the _CopySnapshot_ action apply to the new snapshot only. They cannot be specified for the source snapshot.
+Resource-level permissions specified for the **CopySnapshot** action apply to both the new snapshot and the source snapshot.
@@ -707,0 +708,41 @@ The following example policy allows principals to copy snapshots only if the new
+The following example policy allows principals to copy snapshots only if the source snapshot is owned by AWS account `123456789012`.
+    
+    
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Sid": "AllowCopySnapshotByOwner",
+                "Effect": "Allow",
+                "Action": "ec2:CopySnapshot",
+                "Resource": "arn:aws:ec2:*:account-id:snapshot/*",
+                "Condition": {
+                    "StringEquals": {
+                        "ec2:Owner": "123456789012"
+                    }
+                }
+            }
+        ]
+    }
+
+The following example policy allows principals to copy snapshots only if the source snapshot is created with tag key of `CSISnapshotName`.
+    
+    
+    {
+        "Effect": "Allow",
+        "Action": "ec2:CopySnapshot", 
+        "Resource": "arn:aws:ec2:*::snapshot/${*}",
+        "Condition": { 
+            "StringLike": { 
+                "aws:RequestTag/CSISnapshotName": "*" 
+             } 
+         }
+    },
+    
+    {
+        "Effect": "Allow",
+        "Action": "ec2:CopySnapshot",
+        "Resource": "arn:aws:ec2:*::snapshot/snap-*"
+    }
+    
+