AWS amazonq medium security documentation change
Summary
Expanded IAM policy resource ARNs to include both application and index resources
Security assessment
The change corrects IAM policy resource definitions to explicitly include both application and index ARNs. This prevents potential permission gaps where actions might have been allowed on unintended resources, improving the principle of least privilege.
Diff
diff --git a/amazonq/latest/qbusiness-ug/iam-roles-ds.md b/amazonq/latest/qbusiness-ug/iam-roles-ds.md index 60d4db463..68349d76f 100644 --- a//amazonq/latest/qbusiness-ug/iam-roles-ds.md +++ b//amazonq/latest/qbusiness-ug/iam-roles-ds.md @@ -51 +51,3 @@ This policy assumes your data source doesn't use any authentication. - "Resource": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}/index/{{index_id}}" + "Resource": [ + "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}", + "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}/index/{{index_id}}"] @@ -298 +300,3 @@ When you use an Amazon S3 bucket as a data source, you must provide a role that - "Resource": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}/index/{{index_id}}" + "Resource": [ + "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}", + "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}/index/{{index_id}}"] @@ -383 +387,3 @@ When you use an Amazon S3 bucket as a data source, you must provide a role that - "Resource": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}/index/{{index_id}}" + "Resource": [ + "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}", + "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}/index/{{index_id}}"]