AWS directoryservice high security documentation change
Summary
Updated IAM policy examples to use specific resource ARNs instead of wildcards, added tag-based conditions for access control, refined permissions, and added explicit deny policies for sensitive tags
Security assessment
Multiple changes enforce security best practices: 1) Replaced wildcard resources with specific ARNs to implement least-privilege access 2) Added mandatory tag requirements for directory creation 3) Introduced explicit deny policies for operations involving 'Production', 'Security', and 'Confidential' tags 4) Removed broad EC2 permissions and wildcard actions 5) Added resource-specific conditions for update/delete operations. These changes directly address potential over-permission issues and provide concrete security controls.
Diff
diff --git a/directoryservice/latest/admin-guide/IAM_Auth_Access_IdentityBased.md b/directoryservice/latest/admin-guide/IAM_Auth_Access_IdentityBased.md index 57a372cac..5380efdd9 100644 --- a//directoryservice/latest/admin-guide/IAM_Auth_Access_IdentityBased.md +++ b//directoryservice/latest/admin-guide/IAM_Auth_Access_IdentityBased.md @@ -9 +9 @@ Permissions required to use the AWS Directory Service consoleAWS managed (predef -This topic provides examples of identity-based policies in which an account administrator can attach permissions policies to IAM identities (users, groups, and roles). +This topic provides examples of identity-based policies in which an account administrator can attach permissions policies to IAM identities (users, groups, and roles). These examples demonstrate IAM policies in AWS Directory Service. You should modify and create your own policies to suit your needs and environment. @@ -67 +67 @@ The following shows an example of a permissions policy. - "Resource": "*", + "Resource": "arn:aws:iam::111122223333:role/Your-Role-Name", @@ -77 +77 @@ The following shows an example of a permissions policy. -The three statements in the policy grants permissions as follows: +The three statements in the policy grant permissions as follows: @@ -83 +83 @@ The three statements in the policy grants permissions as follows: - * The third statement grants permissions to a specific set of resources in Amazon EC2 that are necessary to allow AWS Directory Service to create, configure, and destroy its directories. The wildcard character (*) at the end of the `Resource` value means that the statement allows permission for the EC2 actions on any EC2 resource or subresource. To limit this permission to a specific role, replace the wildcard character (*) in the resource ARN with the specific resource or subresource. For more information, see [Amazon EC2 Actions](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_Operations.html). + * The third statement grants permissions to a specific set of resources in Amazon EC2 that are necessary to allow AWS Directory Service to create, configure, and destroy its directories. Replace the role ARN with your role. For more information, see [Amazon EC2 Actions](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_Operations.html). @@ -88 +88 @@ The three statements in the policy grants permissions as follows: -You don't see a `Principal` element in the policy, because in an identity-based policy you don't specify the principal who gets the permission. When you attach the policy to a user, the user is the implicit principal. When you attach a permission policy to an IAM role, the principal identified in the role's trust policy gets the permissions +You don't see a `Principal` element in the policy, because in an identity-based policy you don't specify the principal who gets the permission. When you attach the policy to a user, the user is the implicit principal. When you attach a permission policy to an IAM role, the principal identified in the role's trust policy gets the permissions. @@ -121 +121 @@ All examples use the US West (Oregon) Region (`us-west-2`) and contain fictitiou -The following permissions policy grants permissions to a user to run all of the actions that begin with `Describe`. These actions show information about an AWS Directory Service resource, such as a directory or snapshot. Note that the wildcard character (*) in the `Resource` element indicates that the actions are allowed for all AWS Directory Service resources owned by the account. +The following permissions policy grants permissions to a user to run all of the actions that begin with `Describe` in an AWS Managed Microsoft AD with the directory ID `d-1234567890` in the AWS account `111122223333`. These actions show information about an AWS Directory Service resource, such as a directory or snapshot. Make sure to change the AWS Region and account number to the region you want to use and your account number. @@ -130 +130 @@ The following permissions policy grants permissions to a user to run all of the - "Resource":"*" + "Resource": "arn:aws:ds:us-west-2:111122223333:directory/d-1234567890" @@ -146 +145,0 @@ The following permissions policy grants permissions to allow a user to create a - "ds:Create*", @@ -157 +156,2 @@ The following permissions policy grants permissions to allow a user to create a - "ec2:RevokeSecurityGroupIngress" + "ec2:RevokeSecurityGroupIngress", + "ec2:CreateTags" @@ -160 +160,8 @@ The following permissions policy grants permissions to allow a user to create a - ] + }, + { + "Effect": "Allow", + "Action": [ + "ds:CreateDirectory", + "ds:DescribeDirectories" + ], + "Resource": "arn:aws:ds:*:111122223333:*" @@ -184 +192,10 @@ The condition context keys and values in an IAM policy apply only to those AWS D -The following tag policy example allows all `ds` calls as long as it contains the tag key-value pair "`fooKey`":"`fooValue`". +The following tag policy allows creating an AWS Directory Service directory as long as the following tags are used: + + * Environment: Production + + * Owner: Infrastructure Team + + * Cost center: 1234 + + + @@ -191 +207,0 @@ The following tag policy example allows all `ds` calls as long as it contains th - "Sid":"VisualEditor0", @@ -194 +210 @@ The following tag policy example allows all `ds` calls as long as it contains th - "ds:*" + "ds:CreateDirectory" @@ -199 +215,3 @@ The following tag policy example allows all `ds` calls as long as it contains th - "aws:ResourceTag/fooKey":"fooValue" + "aws:RequestTag/Environment": "Production", + "aws:RequestTag/Owner": "Infrastructure-Team", + "aws:RequestTag/CostCenter": "12345" @@ -202,7 +219,0 @@ The following tag policy example allows all `ds` calls as long as it contains th - }, - { - "Effect":"Allow", - "Action":[ - "ec2:*" - ], - "Resource":"*" @@ -213 +224,10 @@ The following tag policy example allows all `ds` calls as long as it contains th -The following resource policy example allows all `ds` calls as long as the resource contains the directory ID "`d-1234567890`". +The following tag policy allows updating and deleting AWS Directory Service directories as long as the following tags are used: + + * Project: Atlas + + * Department: Engineering + + * Environment: Staging + + + @@ -220 +239,0 @@ The following resource policy example allows all `ds` calls as long as the resou - "Sid":"VisualEditor0", @@ -223 +242,2 @@ The following resource policy example allows all `ds` calls as long as the resou - "ds:*" + "ds:DeleteDirectory", + "ds:UpdateDirectory" @@ -225,2 +245,24 @@ The following resource policy example allows all `ds` calls as long as the resou - "Resource":"arn:aws:ds:us-east-1:123456789012:directory/d-1234567890" - }, + "Resource": "*", + "Condition": { + "StringEquals": { + "aws:ResourceTag/Project": "Atlas", + "aws:ResourceTag/Department": "Engineering", + "aws:ResourceTag/Environment": "Staging" + } + } + } + ] + } + +The following tag policy denies resource tagging for AWS Directory Service where the resource has one of the following tags: + + * Production + + * Security + + * Confidential + + + + + @@ -228 +270,4 @@ The following resource policy example allows all `ds` calls as long as the resou - "Effect":"Allow", + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Deny", @@ -230 +275 @@ The following resource policy example allows all `ds` calls as long as the resou - "ec2:*" + "ds:AddTagsToResource" @@ -232 +277,6 @@ The following resource policy example allows all `ds` calls as long as the resou - "Resource":"*" + "Resource": "*", + "Condition": { + "ForAnyValue:StringEquals": { + "aws:TagKeys": ["Production", "Security", "Confidential"] + } + }