AWS vpn medium security documentation change
Summary
Updated service-linked role trust to only s2svpn.amazonaws.com, removed AWS Certificate Manager and Private CA references, added details about certificate management and Secrets Manager integration
Security assessment
Narrowing trusted services to only s2svpn.amazonaws.com reduces potential attack surface by eliminating unnecessary service trusts. Added documentation about Secrets Manager integration for PSK storage demonstrates enhanced security practices.
Diff
diff --git a/vpn/latest/s2svpn/using-service-linked-roles.md b/vpn/latest/s2svpn/using-service-linked-roles.md index a83a0edd7..d710485a3 100644 --- a//vpn/latest/s2svpn/using-service-linked-roles.md +++ b//vpn/latest/s2svpn/using-service-linked-roles.md @@ -19 +19 @@ Site-to-Site VPN uses the service-linked role named **AWSServiceRoleForVPCS2SVPN -The AWSServiceRoleForVPCS2SVPN service-linked role trusts the following services to assume the role: +The AWSServiceRoleForVPCS2SVPN service-linked role trusts the following service to assume the role: @@ -21 +21 @@ The AWSServiceRoleForVPCS2SVPN service-linked role trusts the following services - * `AWS Certificate Manager` + * `s2svpn.amazonaws.com` @@ -23 +22,0 @@ The AWSServiceRoleForVPCS2SVPN service-linked role trusts the following services - * `AWS Private Certificate Authority` @@ -26,0 +26 @@ The AWSServiceRoleForVPCS2SVPN service-linked role trusts the following services +This service-linked role uses the managed policy AWSVPCS2SVpnServiceRolePolicy to complete the following actions on the specified resources: @@ -28 +28,10 @@ The AWSServiceRoleForVPCS2SVPN service-linked role trusts the following services -This service-linked role uses the managed policy AWSVPCS2SVpnServiceRolePolicy. To view the permissions for this policy, see [AWSVPCS2SVpnServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSVPCS2SVpnServiceRolePolicy.html) in the _AWS Managed Policy Reference_. + * When using certificate authentication for your VPN connection, AWS Site-to-Site VPN exports the VPN tunnel AWS Certificate Manager certificates for use on the VPN tunnel endpoints. + + * When using certificate authentication for your VPN connection, AWS Site-to-Site VPN manages the renewal of the VPN tunnel AWS Certificate Manager certificates. + + * When using SecretsManager pre-shared key storage for your VPN connection, AWS Site-to-Site VPN manages the VPN connection’s AWS Secrets Manager s2svpn managed secret. + + + + +To view the permissions for this policy, see [AWSVPCS2SVpnServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSVPCS2SVpnServiceRolePolicy.html) in the _AWS Managed Policy Reference_. @@ -62 +71 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please -Troubleshooting +AWS managed policies