AWS transform documentation change
Summary
Added two new IAM policy examples: 1) Allows administrators to manage IAM Identity Center users and assignments for AWS Transform, 2) Allows enabling AWS Transform with required permissions for SSO, KMS, organizations, and service setup
Security assessment
The changes add documentation about security-related IAM policies for user management and service enablement. While these are security-focused permissions, there is no evidence they address a specific security vulnerability - rather they document proper security practices for administrative functions. The policies include sensitive actions like sso:CreateUser, kms:CreateGrant, and iam:CreateServiceLinkedRole which have security implications if misconfigured.
Diff
diff --git a/transform/latest/userguide/security_iam_id-based-policy-examples.md b/transform/latest/userguide/security_iam_id-based-policy-examples.md index bbc61f861..f0a7251ca 100644 --- a//transform/latest/userguide/security_iam_id-based-policy-examples.md +++ b//transform/latest/userguide/security_iam_id-based-policy-examples.md @@ -5 +5 @@ -Policy best practicesUsing the consoleAllow users to view their own permissionsAllow administrators to accept a connector request from the account with AWS Transform +Policy best practicesUsing the consoleAllow users to view their own permissionsAllow administrators to accept a connector request from the account with AWS TransformAllow administrators to assign existing IAM Identity Center users and create new IAM Identity Center users to assign to AWS TransformAllow administrators to enable AWS Transform @@ -24,0 +25,4 @@ For details about actions and resource types defined by AWS Transform, including + * Allow administrators to assign existing IAM Identity Center users and create new IAM Identity Center users to assign to AWS Transform + + * Allow administrators to enable AWS Transform + @@ -135,0 +140,168 @@ This example shows how you might create a policy that allows IAM users to view t +## Allow administrators to assign existing IAM Identity Center users and create new IAM Identity Center users to assign to AWS Transform + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "transform:ListProfiles" + ], + "Resource": [ + "*" + ] + }, + { + "Effect": "Allow", + "Action": [ + "organizations:ListAWSServiceAccessForOrganization", + "organizations:DescribeOrganization" + ], + "Resource": [ + "*" + ] + }, + { + "Effect": "Allow", + "Action": [ + "sso:ListApplications", + "sso:ListInstances", + "sso:DescribeRegisteredRegions", + "sso:GetSharedSsoConfiguration", + "sso:DescribeInstance", + "sso:DescribeApplication", + "sso:GetSSOStatus", + "sso:CreateApplicationAssignment", + "sso:DeleteApplicationAssignment", + "sso:ListApplicationAssignments" + ], + "Resource": [ + "*" + ] + }, + { + "Effect": "Allow", + "Action": [ + "sso-directory:CreateUser", + "sso-directory:DescribeUsers", + "sso-directory:DescribeGroups", + "sso-directory:SearchGroups", + "sso-directory:SearchUsers", + "sso-directory:DescribeGroup", + "sso-directory:DescribeUser", + "sso-directory:DescribeDirectory" + ], + "Resource": [ + "*" + ] + }, + { + "Effect": "Allow", + "Action": [ + "identitystore:CreateUser", + "identitystore:ListUsers", + "identitystore:ListGroups" + ], + "Resource": [ + "*" + ] + } + ] + } + +## Allow administrators to enable AWS Transform + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "sso:ListInstances", + "sso:CreateInstance", + "sso:CreateApplication", + "sso:PutApplicationAuthenticationMethod", + "sso:PutApplicationGrant", + "sso:PutApplicationAssignmentConfiguration", + "sso:ListApplications", + "sso:GetSharedSsoConfiguration", + "sso:DescribeInstance", + "sso:PutApplicationAccessScope", + "sso:DescribeApplication", + "sso:DeleteApplication", + "sso:UpdateApplication", + "sso:DescribeRegisteredRegions", + "sso:GetSSOStatus" + ], + "Resource": [ + "*" + ] + }, + { + "Effect": "Allow", + "Action": [ + "sso-directory:GetUserPoolInfo", + "sso-directory:DescribeUsers", + "sso-directory:DescribeGroups", + "sso-directory:SearchGroups", + "sso-directory:SearchUsers", + "sso-directory:DescribeDirectory" + ], + "Resource": [ + "*" + ] + }, + { + "Effect": "Allow", + "Action": [ + "organizations:DescribeAccount", + "organizations:DescribeOrganization", + "organizations:ListAWSServiceAccessForOrganization", + "organizations:DisableAWSServiceAccess", + "organizations:EnableAWSServiceAccess" + ], + "Resource": [ + "*" + ] + }, + { + "Effect": "Allow", + "Action": [ + "kms:ListAliases", + "kms:CreateGrant", + "kms:Encrypt", + "kms:Decrypt", + "kms:GenerateDataKey*", + "kms:RetireGrant", + "kms:DescribeKey" + ], + "Resource": [ + "*" + ] + }, + { + "Effect": "Allow", + "Action": [ + "iam:CreateServiceLinkedRole" + ], + "Resource": [ + "arn:aws:iam::*:role/aws-service-role/transform.amazonaws.com/AWSServiceRoleForAWSTransform" + ] + }, + { + "Effect": "Allow", + "Action": [ + "transform:UpdateProfile", + "transform:ListProfiles", + "transform:CreateProfile", + "transform:DeleteProfile" + ], + "Resource": [ + "*" + ] + } + ] + } +