AWS code-library high security documentation change
Summary
Updated example from creating to updating a static policy with more restrictive permissions (action limited to 'view') and removed examples demonstrating overly permissive access and template-linked policies
Security assessment
Removal of Example 2 prevents users from creating policies granting public resource access, addressing insecure configurations. The updated policy example enforces action-specific permissions, improving least-privilege documentation.
Diff
diff --git a/code-library/latest/ug/cli_2_verifiedpermissions_code_examples.md b/code-library/latest/ug/cli_2_verifiedpermissions_code_examples.md index d43349a64..68fdd0eb5 100644 --- a//code-library/latest/ug/cli_2_verifiedpermissions_code_examples.md +++ b//code-library/latest/ug/cli_2_verifiedpermissions_code_examples.md @@ -1024 +1024 @@ The following code example shows how to use `update-policy`. -**Example 1: To create a static policy** +**To update a static policy** @@ -1026 +1026 @@ The following code example shows how to use `update-policy`. -The following `create-policy` example creates a static policy with a policy scope that specifies both a principal and a resource. +The following `update-policy` example modifies an existing static policy by updating its description and statement. @@ -1029,2 +1029,3 @@ The following `create-policy` example creates a static policy with a policy scop - aws verifiedpermissions create-policy \ - --definition file://definition.txt \ + aws verifiedpermissions update-policy \ + --policy-id SPEXAMPLEabcdefg111111 \ + --definition file://updated-definition.txt \ @@ -1036 +1037 @@ The `statement` parameter takes a string representation of a JSON object. It con -Example strings can be displayed wrapped across multiple lines here for readability, but the operation requires the parameters be submitted as single line strings. +You can display example strings wrapped across multiple lines for readability, but the operation requires the parameters to be submitted as single-line strings. @@ -1038 +1039 @@ Example strings can be displayed wrapped across multiple lines here for readabil -Contents of file `definition.txt`: +Contents of file `updated-definition.txt`: @@ -1043,2 +1044,2 @@ Contents of file `definition.txt`: - "description": "Grant everyone of janeFriends UserGroup access to the vacationFolder Album", - "statement": "permit(principal in UserGroup::\"janeFriends\", action, resource in Album::\"vacationFolder\" );" + "description": "Updated policy to grant janeFriends UserGroup access to the vacationFolder Album with view action only", + "statement": "permit(principal in UserGroup::\"janeFriends\", action == Action::\"view\", resource in Album::\"vacationFolder\" );" @@ -1067,77 +1067,0 @@ Output: -**Example 2: To create a static policy that grants access to a resource to everyone** - -The following `create-policy` example creates a static policy with a policy scope that specifies only a resource. - - - aws verifiedpermissions create-policy \ - --definition file://definition2.txt \ - --policy-store-id PSEXAMPLEabcdefg111111 - - -Contents of file `definition2.txt`: - - - { - "static": { - "description": "Grant everyone access to the publicFolder Album", - "statement": "permit(principal, action, resource in Album::\"publicFolder\");" - } - } - -Output: - - - { - "createdDate": "2023-06-12T20:39:44.975897+00:00", - "lastUpdatedDate": "2023-06-12T20:39:44.975897+00:00", - "policyId": "PbfR73F8oh5MMfr9uRtFDB", - "policyStoreId": "PSEXAMPLEabcdefg222222", - "policyType": "STATIC", - "resource": { - "entityId": "publicFolder", - "entityType": "Album" - } - } - -**Example 3: To create a template-linked policy that is associated with the specified template** - -The following `create-policy` example creates a template-linked policy using the specified policy template and associates the specified principal to use with the new template-linked policy. - - - aws verifiedpermissions create-policy \ - --definition file://definition2.txt \ - --policy-store-id PSEXAMPLEabcdefg111111 - - -Contents of definition3.txt: - - - { - "templateLinked": { - "policyTemplateId": "PTEXAMPLEabcdefg111111", - "principal": { - "entityType": "User", - "entityId": "alice" - } - } - } - -Output: - - - { - "createdDate": "2023-06-12T20:49:51.490211+00:00", - "lastUpdatedDate": "2023-06-12T20:49:51.490211+00:00", - "policyId": "TPEXAMPLEabcdefg111111", - "policyStoreId": "PSEXAMPLEabcdefg111111", - "policyType": "TEMPLATE_LINKED", - "principal": { - "entityId": "alice", - "entityType": "User" - }, - "resource": { - "entityId": "VacationPhoto94.jpg", - "entityType": "Photo" - } - } -