AWS Security ChangesHomeSearch

AWS code-library high security documentation change

Service: code-library · 2025-06-22 · Security-related high

File: code-library/latest/ug/cli_2_verifiedpermissions_code_examples.md

Summary

Updated example from creating to updating a static policy with more restrictive permissions (action limited to 'view') and removed examples demonstrating overly permissive access and template-linked policies

Security assessment

Removal of Example 2 prevents users from creating policies granting public resource access, addressing insecure configurations. The updated policy example enforces action-specific permissions, improving least-privilege documentation.

Diff

diff --git a/code-library/latest/ug/cli_2_verifiedpermissions_code_examples.md b/code-library/latest/ug/cli_2_verifiedpermissions_code_examples.md
index d43349a64..68fdd0eb5 100644
--- a//code-library/latest/ug/cli_2_verifiedpermissions_code_examples.md
+++ b//code-library/latest/ug/cli_2_verifiedpermissions_code_examples.md
@@ -1024 +1024 @@ The following code example shows how to use `update-policy`.
-**Example 1: To create a static policy**
+**To update a static policy**
@@ -1026 +1026 @@ The following code example shows how to use `update-policy`.
-The following `create-policy` example creates a static policy with a policy scope that specifies both a principal and a resource.
+The following `update-policy` example modifies an existing static policy by updating its description and statement.
@@ -1029,2 +1029,3 @@ The following `create-policy` example creates a static policy with a policy scop
-    aws verifiedpermissions create-policy \
-        --definition file://definition.txt \
+    aws verifiedpermissions update-policy \
+        --policy-id SPEXAMPLEabcdefg111111 \
+        --definition file://updated-definition.txt \
@@ -1036 +1037 @@ The `statement` parameter takes a string representation of a JSON object. It con
-Example strings can be displayed wrapped across multiple lines here for readability, but the operation requires the parameters be submitted as single line strings.
+You can display example strings wrapped across multiple lines for readability, but the operation requires the parameters to be submitted as single-line strings.
@@ -1038 +1039 @@ Example strings can be displayed wrapped across multiple lines here for readabil
-Contents of file `definition.txt`:
+Contents of file `updated-definition.txt`:
@@ -1043,2 +1044,2 @@ Contents of file `definition.txt`:
-            "description":  "Grant everyone of janeFriends UserGroup access to the vacationFolder Album",
-            "statement": "permit(principal in UserGroup::\"janeFriends\", action, resource in Album::\"vacationFolder\" );"
+            "description": "Updated policy to grant janeFriends UserGroup access to the vacationFolder Album with view action only",
+            "statement": "permit(principal in UserGroup::\"janeFriends\", action == Action::\"view\", resource in Album::\"vacationFolder\" );"
@@ -1067,77 +1067,0 @@ Output:
-**Example 2: To create a static policy that grants access to a resource to everyone**
-
-The following `create-policy` example creates a static policy with a policy scope that specifies only a resource.
-    
-    
-    aws verifiedpermissions create-policy \
-        --definition file://definition2.txt \
-        --policy-store-id PSEXAMPLEabcdefg111111
-    
-
-Contents of file `definition2.txt`:
-    
-    
-    {
-        "static": {
-            "description":  "Grant everyone access to the publicFolder Album",
-            "statement": "permit(principal, action, resource in Album::\"publicFolder\");"
-        }
-    }
-
-Output:
-    
-    
-    {
-        "createdDate": "2023-06-12T20:39:44.975897+00:00",
-        "lastUpdatedDate": "2023-06-12T20:39:44.975897+00:00",
-        "policyId": "PbfR73F8oh5MMfr9uRtFDB",
-        "policyStoreId": "PSEXAMPLEabcdefg222222",
-        "policyType": "STATIC",
-        "resource": {
-            "entityId": "publicFolder",
-            "entityType": "Album"
-        }
-    }
-
-**Example 3: To create a template-linked policy that is associated with the specified template**
-
-The following `create-policy` example creates a template-linked policy using the specified policy template and associates the specified principal to use with the new template-linked policy.
-    
-    
-    aws verifiedpermissions create-policy \
-        --definition file://definition2.txt \
-        --policy-store-id PSEXAMPLEabcdefg111111
-    
-
-Contents of definition3.txt:
-    
-    
-    {
-        "templateLinked": {
-            "policyTemplateId": "PTEXAMPLEabcdefg111111",
-            "principal": {
-                "entityType": "User",
-                "entityId": "alice"
-            }
-        }
-    }
-
-Output:
-    
-    
-    {
-        "createdDate": "2023-06-12T20:49:51.490211+00:00",
-        "lastUpdatedDate": "2023-06-12T20:49:51.490211+00:00",
-        "policyId": "TPEXAMPLEabcdefg111111",
-        "policyStoreId": "PSEXAMPLEabcdefg111111",
-        "policyType": "TEMPLATE_LINKED",
-        "principal": {
-            "entityId": "alice",
-            "entityType": "User"
-        },
-        "resource": {
-            "entityId": "VacationPhoto94.jpg",
-            "entityType": "Photo"
-        }
-    }
-