AWS IAM documentation change
Summary
Replaced inline JSON policy for AccessAnalyzerServiceRolePolicy with external link and noted permission addition
Security assessment
Simplifies policy documentation while highlighting new iam:GetAccountAuthorizationDetails permission for security analysis capabilities. No evidence of addressing a vulnerability.
Diff
diff --git a/IAM/latest/UserGuide/security-iam-awsmanpol.md b/IAM/latest/UserGuide/security-iam-awsmanpol.md index f682bc3c1..84a286ad1 100644 --- a//IAM/latest/UserGuide/security-iam-awsmanpol.md +++ b//IAM/latest/UserGuide/security-iam-awsmanpol.md @@ -174,107 +174 @@ This policy allows access to IAM Access Analyzer to analyze resource metadata fr - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "AccessAnalyzerServiceRolePolicy", - "Effect": "Allow", - "Action": [ - "dynamodb:GetResourcePolicy", - "dynamodb:ListStreams", - "dynamodb:ListTables", - "ec2:DescribeAddresses", - "ec2:DescribeByoipCidrs", - "ec2:DescribeSnapshotAttribute", - "ec2:DescribeSnapshots", - "ec2:DescribeVpcEndpoints", - "ec2:DescribeVpcs", - "ec2:GetSnapshotBlockPublicAccessState", - "ecr:DescribeRepositories", - "ecr:GetAccountSetting", - "ecr:GetRegistryPolicy", - "ecr:GetRepositoryPolicy", - "elasticfilesystem:DescribeFileSystemPolicy", - "elasticfilesystem:DescribeFileSystems", - "iam:GetRole", - "iam:ListEntitiesForPolicy", - "iam:ListRoles", - "iam:ListUsers", - "iam:ListRoleTags", - "iam:ListUserTags", - "iam:GetUser", - "iam:GetGroup", - "iam:GenerateServiceLastAccessedDetails", - "iam:GetServiceLastAccessedDetails", - "iam:ListAccessKeys", - "iam:GetLoginProfile", - "iam:GetAccessKeyLastUsed", - "iam:ListRolePolicies", - "iam:GetRolePolicy", - "iam:ListAttachedRolePolicies", - "iam:ListUserPolicies", - "iam:GetUserPolicy", - "iam:ListAttachedUserPolicies", - "iam:GetPolicy", - "iam:GetPolicyVersion", - "iam:ListGroupsForUser", - "kms:DescribeKey", - "kms:GetKeyPolicy", - "kms:ListGrants", - "kms:ListKeyPolicies", - "kms:ListKeys", - "lambda:GetFunctionUrlConfig", - "lambda:GetLayerVersionPolicy", - "lambda:GetPolicy", - "lambda:ListAliases", - "lambda:ListFunctions", - "lambda:ListLayers", - "lambda:ListLayerVersions", - "lambda:ListVersionsByFunction", - "organizations:DescribeAccount", - "organizations:DescribeOrganization", - "organizations:DescribeOrganizationalUnit", - "organizations:ListAccounts", - "organizations:ListAccountsForParent", - "organizations:ListAWSServiceAccessForOrganization", - "organizations:ListChildren", - "organizations:ListDelegatedAdministrators", - "organizations:ListOrganizationalUnitsForParent", - "organizations:ListParents", - "organizations:ListRoots", - "rds:DescribeDBClusterSnapshotAttributes", - "rds:DescribeDBClusterSnapshots", - "rds:DescribeDBSnapshotAttributes", - "rds:DescribeDBSnapshots", - "s3:DescribeMultiRegionAccessPointOperation", - "s3:GetAccessPoint", - "s3:GetAccessPointPolicy", - "s3:GetAccessPointPolicyStatus", - "s3:GetAccountPublicAccessBlock", - "s3:GetBucketAcl", - "s3:GetBucketLocation", - "s3:GetBucketPolicyStatus", - "s3:GetBucketPolicy", - "s3:GetBucketPublicAccessBlock", - "s3:GetMultiRegionAccessPoint", - "s3:GetMultiRegionAccessPointPolicy", - "s3:GetMultiRegionAccessPointPolicyStatus", - "s3:ListAccessPoints", - "s3:ListAllMyBuckets", - "s3:ListMultiRegionAccessPoints", - "s3express:GetAccessPoint", - "s3express:GetAccessPointPolicy", - "s3express:GetBucketPolicy", - "s3express:ListAllMyDirectoryBuckets", - "s3express:ListAccessPointsForDirectoryBuckets", - "sns:GetTopicAttributes", - "sns:ListTopics", - "secretsmanager:DescribeSecret", - "secretsmanager:GetResourcePolicy", - "secretsmanager:ListSecrets", - "sqs:GetQueueAttributes", - "sqs:ListQueues" - ], - "Resource": "*" - } - ] - } +To view the JSON policy, see [AccessAnalyzerServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AccessAnalyzerServiceRolePolicy.html) in the AWS Managed Policy Reference Guide. @@ -572,0 +467 @@ Change | Description | Date +[AccessAnalyzerServiceRolePolicy](https://console.aws.amazon.com/iam/home#policies/AccessAnalyzerServiceRolePolicy) – Added permissions | IAM Access Analyzer added `iam:GetAccountAuthorizationDetails` to the service-level permissions of `AccessAnalyzerServiceRolePolicy`. | May 12, 2025