AWS Security ChangesHomeSearch

AWS fsx medium security documentation change

Service: fsx · 2025-05-10 · Security-related medium

File: fsx/latest/ONTAPGuide/using-service-linked-roles.md

Summary

Removed permissions for CloudWatch Logs and Firehose from the service-linked role policy documentation.

Security assessment

The removal of 'logs' and 'firehose' permissions reduces the role's privileges, aligning with the principle of least privilege. This limits potential misuse of audit logging capabilities, which is a security hardening measure. The explicit removal of these permissions indicates a deliberate security-focused adjustment.

Diff

diff --git a/fsx/latest/ONTAPGuide/using-service-linked-roles.md b/fsx/latest/ONTAPGuide/using-service-linked-roles.md
index 18125e11f..0a19036e0 100644
--- a//fsx/latest/ONTAPGuide/using-service-linked-roles.md
+++ b//fsx/latest/ONTAPGuide/using-service-linked-roles.md
@@ -51,4 +50,0 @@ The AWSServiceRoleForAmazonFSx is used by all Amazon FSx file system types; some
-  * `logs` – Allows Amazon FSx to describe and write to CloudWatch Logs log streams. This is so that users can send file access audit logs for an FSx for Windows File Server file system to a CloudWatch Logs stream.
-
-  * `firehose` – Allows Amazon FSx to describe and write to Amazon Data Firehose delivery streams. This is so that users can publish the file access audit logs for an Amazon FSx for Windows File Server file system to an Amazon Data Firehose delivery stream.
-
@@ -152,20 +147,0 @@ The AWSServiceRoleForAmazonFSx is used by all Amazon FSx file system types; some
-            },
-            {
-                "Sid": "PutCloudWatchLogs",
-                "Effect": "Allow",
-                "Action": [                
-                    "logs:DescribeLogGroups",
-                    "logs:DescribeLogStreams",
-                    "logs:PutLogEvents"
-                ],
-                "Resource": "arn:aws:logs:*:*:log-group:/aws/fsx/*"
-            },
-            {
-                "Sid": "ManageAuditLogs",
-                "Effect": "Allow",
-                "Action": [                
-                    "firehose:DescribeDeliveryStream",
-                    "firehose:PutRecord",
-                    "firehose:PutRecordBatch"
-                ],
-                "Resource": "arn:aws:firehose:*:*:deliverystream/aws-fsx-*"