AWS Security ChangesHomeSearch

AWS datazone high security documentation change

Service: datazone · 2025-05-25 · Security-related high

File: datazone/latest/userguide/security-iam-awsmanpol-AmazonDataZoneFullAccess.md

Summary

Added new RAM permission policy statement with specific condition constraints

Security assessment

Introduces granular permissions for resource share association with explicit permission ARN constraints. This security documentation change directly impacts access control by scoping RAM permissions, addressing potential over-permissioning risks.

Diff

diff --git a/datazone/latest/userguide/security-iam-awsmanpol-AmazonDataZoneFullAccess.md b/datazone/latest/userguide/security-iam-awsmanpol-AmazonDataZoneFullAccess.md
index cf6726bb0..c97f68132 100644
--- a//datazone/latest/userguide/security-iam-awsmanpol-AmazonDataZoneFullAccess.md
+++ b//datazone/latest/userguide/security-iam-awsmanpol-AmazonDataZoneFullAccess.md
@@ -169,0 +170,16 @@ This policy includes the following permissions:
+    		{
+    			"Sid": "RamAssociateResourceSharePermissionStatement",
+    			"Effect": "Allow",
+    			"Action": "ram:AssociateResourceSharePermission",
+    			"Resource": "*",
+    			"Condition": {
+    				"StringEquals": {
+    					"ram:PermissionArn": [
+    						"arn:aws:ram::aws:permission/AWSRAMDefaultPermissionAmazonDataZoneDomain",
+    						"arn:aws:ram::aws:permission/AWSRAMPermissionAmazonDataZoneDomainFullAccessWithPortalAccess",
+    						"arn:aws:ram::aws:permission/AWSRAMPermissionsAmazonDatazoneDomainExtendedServiceAccess",
+    						"arn:aws:ram::aws:permission/AWSRAMPermissionsAmazonDatazoneDomainExtendedServiceWithPortalAccess"
+    					]
+    				}
+    			}
+    		},