AWS Security ChangesHomeSearch

AWS IAM documentation change

Service: IAM · 2025-05-13 · Documentation low

File: IAM/latest/UserGuide/security-iam-awsmanpol.md

Summary

Replaced inline JSON policy for AccessAnalyzerServiceRolePolicy with external link and noted permission addition

Security assessment

Simplifies policy documentation while highlighting new iam:GetAccountAuthorizationDetails permission for security analysis capabilities. No evidence of addressing a vulnerability.

Diff

diff --git a/IAM/latest/UserGuide/security-iam-awsmanpol.md b/IAM/latest/UserGuide/security-iam-awsmanpol.md
index f682bc3c1..84a286ad1 100644
--- a//IAM/latest/UserGuide/security-iam-awsmanpol.md
+++ b//IAM/latest/UserGuide/security-iam-awsmanpol.md
@@ -174,107 +174 @@ This policy allows access to IAM Access Analyzer to analyze resource metadata fr
-    
-    {
-      "Version": "2012-10-17",
-      "Statement": [
-        {
-          "Sid": "AccessAnalyzerServiceRolePolicy",
-          "Effect": "Allow",
-          "Action": [
-            "dynamodb:GetResourcePolicy",
-            "dynamodb:ListStreams",
-            "dynamodb:ListTables",
-            "ec2:DescribeAddresses",
-            "ec2:DescribeByoipCidrs",
-            "ec2:DescribeSnapshotAttribute",
-            "ec2:DescribeSnapshots",
-            "ec2:DescribeVpcEndpoints",
-            "ec2:DescribeVpcs",
-            "ec2:GetSnapshotBlockPublicAccessState",
-            "ecr:DescribeRepositories",
-            "ecr:GetAccountSetting",
-            "ecr:GetRegistryPolicy",
-            "ecr:GetRepositoryPolicy",
-            "elasticfilesystem:DescribeFileSystemPolicy",
-            "elasticfilesystem:DescribeFileSystems",
-            "iam:GetRole",
-            "iam:ListEntitiesForPolicy",
-            "iam:ListRoles",
-            "iam:ListUsers",
-            "iam:ListRoleTags",
-            "iam:ListUserTags",
-            "iam:GetUser",
-            "iam:GetGroup",
-            "iam:GenerateServiceLastAccessedDetails",
-            "iam:GetServiceLastAccessedDetails",
-            "iam:ListAccessKeys",
-            "iam:GetLoginProfile",
-            "iam:GetAccessKeyLastUsed",
-            "iam:ListRolePolicies",
-            "iam:GetRolePolicy",
-            "iam:ListAttachedRolePolicies",
-            "iam:ListUserPolicies",
-            "iam:GetUserPolicy",
-            "iam:ListAttachedUserPolicies",
-            "iam:GetPolicy",
-            "iam:GetPolicyVersion",
-            "iam:ListGroupsForUser",
-            "kms:DescribeKey",
-            "kms:GetKeyPolicy",
-            "kms:ListGrants",
-            "kms:ListKeyPolicies",
-            "kms:ListKeys",
-            "lambda:GetFunctionUrlConfig",
-            "lambda:GetLayerVersionPolicy",
-            "lambda:GetPolicy",
-            "lambda:ListAliases",
-            "lambda:ListFunctions",
-            "lambda:ListLayers",
-            "lambda:ListLayerVersions",
-            "lambda:ListVersionsByFunction",
-            "organizations:DescribeAccount",
-            "organizations:DescribeOrganization",
-            "organizations:DescribeOrganizationalUnit",
-            "organizations:ListAccounts",
-            "organizations:ListAccountsForParent",
-            "organizations:ListAWSServiceAccessForOrganization",
-            "organizations:ListChildren",
-            "organizations:ListDelegatedAdministrators",
-            "organizations:ListOrganizationalUnitsForParent",
-            "organizations:ListParents",
-            "organizations:ListRoots",
-            "rds:DescribeDBClusterSnapshotAttributes",
-            "rds:DescribeDBClusterSnapshots",
-            "rds:DescribeDBSnapshotAttributes",
-            "rds:DescribeDBSnapshots",
-            "s3:DescribeMultiRegionAccessPointOperation",
-            "s3:GetAccessPoint",
-            "s3:GetAccessPointPolicy",
-            "s3:GetAccessPointPolicyStatus",
-            "s3:GetAccountPublicAccessBlock",
-            "s3:GetBucketAcl",
-            "s3:GetBucketLocation",
-            "s3:GetBucketPolicyStatus",
-            "s3:GetBucketPolicy",
-            "s3:GetBucketPublicAccessBlock",
-            "s3:GetMultiRegionAccessPoint",
-            "s3:GetMultiRegionAccessPointPolicy",
-            "s3:GetMultiRegionAccessPointPolicyStatus",
-            "s3:ListAccessPoints",
-            "s3:ListAllMyBuckets",
-            "s3:ListMultiRegionAccessPoints",
-            "s3express:GetAccessPoint",
-            "s3express:GetAccessPointPolicy",
-            "s3express:GetBucketPolicy",
-            "s3express:ListAllMyDirectoryBuckets",
-            "s3express:ListAccessPointsForDirectoryBuckets",
-            "sns:GetTopicAttributes",
-            "sns:ListTopics",
-            "secretsmanager:DescribeSecret",
-            "secretsmanager:GetResourcePolicy",
-            "secretsmanager:ListSecrets",
-            "sqs:GetQueueAttributes",
-            "sqs:ListQueues"
-          ],
-          "Resource": "*"
-        }
-      ]
-    }
+To view the JSON policy, see [AccessAnalyzerServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AccessAnalyzerServiceRolePolicy.html) in the AWS Managed Policy Reference Guide.
@@ -572,0 +467 @@ Change | Description | Date
+[AccessAnalyzerServiceRolePolicy](https://console.aws.amazon.com/iam/home#policies/AccessAnalyzerServiceRolePolicy) – Added permissions | IAM Access Analyzer added `iam:GetAccountAuthorizationDetails` to the service-level permissions of `AccessAnalyzerServiceRolePolicy`. | May 12, 2025