AWS datazone high security documentation change
Summary
Added new RAM permission policy statement with specific condition constraints
Security assessment
Introduces granular permissions for resource share association with explicit permission ARN constraints. This security documentation change directly impacts access control by scoping RAM permissions, addressing potential over-permissioning risks.
Diff
diff --git a/datazone/latest/userguide/security-iam-awsmanpol-AmazonDataZoneFullAccess.md b/datazone/latest/userguide/security-iam-awsmanpol-AmazonDataZoneFullAccess.md index cf6726bb0..c97f68132 100644 --- a//datazone/latest/userguide/security-iam-awsmanpol-AmazonDataZoneFullAccess.md +++ b//datazone/latest/userguide/security-iam-awsmanpol-AmazonDataZoneFullAccess.md @@ -169,0 +170,16 @@ This policy includes the following permissions: + { + "Sid": "RamAssociateResourceSharePermissionStatement", + "Effect": "Allow", + "Action": "ram:AssociateResourceSharePermission", + "Resource": "*", + "Condition": { + "StringEquals": { + "ram:PermissionArn": [ + "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionAmazonDataZoneDomain", + "arn:aws:ram::aws:permission/AWSRAMPermissionAmazonDataZoneDomainFullAccessWithPortalAccess", + "arn:aws:ram::aws:permission/AWSRAMPermissionsAmazonDatazoneDomainExtendedServiceAccess", + "arn:aws:ram::aws:permission/AWSRAMPermissionsAmazonDatazoneDomainExtendedServiceWithPortalAccess" + ] + } + } + },