AWS dms medium security documentation change
Summary
Simplified IAM policy by removing multiple EC2 permissions (DescribeRouteTables, DescribeSecurityGroups, etc.), consolidated trust policy steps, and updated UI references.
Security assessment
The change reduces permissions granted to AWS DMS IAM policies by removing several EC2 actions (e.g., security group and route table management) and VPC peering permissions. This implements the principle of least privilege, reducing potential attack surface. The removal of security-group-related permissions like AuthorizeSecurityGroupEgress directly impacts network security controls.
Diff
diff --git a/dms/latest/userguide/dm-iam-resources.md b/dms/latest/userguide/dm-iam-resources.md index e67f38c0d..f7296ed79 100644 --- a//dms/latest/userguide/dm-iam-resources.md +++ b//dms/latest/userguide/dm-iam-resources.md @@ -22 +22 @@ To run homogeneous data migrations, you must create an IAM policy and an IAM rol -To access your databases and to migrate data, with AWS DMS, you can create a serverless environment for homogeneous data migrations. In this environment, AWS DMS requires access to VPC peering, route tables, security groups, and other AWS resources. Also, AWS DMS stores logs, metrics, and progress for each data migration in Amazon CloudWatch. To create a data migration project, AWS DMS needs access to these services. +To access your databases and to migrate data, with AWS DMS, you can create a serverless environment for homogeneous data migrations. Also, AWS DMS stores logs, metrics, and progress for each data migration in Amazon CloudWatch. To create a data migration project, AWS DMS needs access to these services. @@ -44,6 +44 @@ In this step, you create an IAM policy that provides AWS DMS with access to Amaz - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeVpcPeeringConnections", - "ec2:DescribeVpcs", - "ec2:DescribePrefixLists", - "logs:DescribeLogGroups" + "ec2:DescribeVpcs" @@ -56,9 +51 @@ In this step, you create an IAM policy that provides AWS DMS with access to Amaz - "servicequotas:GetServiceQuota" - ], - "Resource": "arn:aws:servicequotas:*:*:vpc/L-0EA8095F" - }, - { - "Effect": "Allow", - "Action": [ - "logs:CreateLogGroup", - "logs:DescribeLogStreams" + "logs:CreateLogGroup" @@ -80,52 +66,0 @@ In this step, you create an IAM policy that provides AWS DMS with access to Amaz - }, - { - "Effect": "Allow", - "Action": [ - "ec2:CreateRoute", - "ec2:DeleteRoute" - ], - "Resource": "arn:aws:ec2:*:*:route-table/*" - }, - { - "Effect": "Allow", - "Action": [ - "ec2:CreateTags" - ], - "Resource": [ - "arn:aws:ec2:*:*:security-group/*", - "arn:aws:ec2:*:*:security-group-rule/*", - "arn:aws:ec2:*:*:route-table/*", - "arn:aws:ec2:*:*:vpc-peering-connection/*", - "arn:aws:ec2:*:*:vpc/*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "ec2:AuthorizeSecurityGroupEgress", - "ec2:AuthorizeSecurityGroupIngress" - ], - "Resource": "arn:aws:ec2:*:*:security-group-rule/*" - }, - { - "Effect": "Allow", - "Action": [ - "ec2:AuthorizeSecurityGroupEgress", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:RevokeSecurityGroupEgress", - "ec2:RevokeSecurityGroupIngress" - ], - "Resource": "arn:aws:ec2:*:*:security-group/*" - }, - { - "Effect": "Allow", - "Action": [ - "ec2:AcceptVpcPeeringConnection", - "ec2:ModifyVpcPeeringConnectionOptions" - ], - "Resource": "arn:aws:ec2:*:*:vpc-peering-connection/*" - }, - { - "Effect": "Allow", - "Action": "ec2:AcceptVpcPeeringConnection", - "Resource": "arn:aws:ec2:*:*:vpc/*" @@ -136 +71 @@ In this step, you create an IAM policy that provides AWS DMS with access to Amaz - 6. Choose **Next: Tags** and **Next: Review.** + 6. Choose **Next**. @@ -138 +73 @@ In this step, you create an IAM policy that provides AWS DMS with access to Amaz - 7. Enter `HomogeneousDataMigrationsPolicy` for **Name*** , and choose **Create policy**. + 7. Enter `HomogeneousDataMigrationsPolicy` for **Policy name** , and choose **Create policy**. @@ -146,0 +82,2 @@ In this step, you create an IAM role that provides AWS DMS with access to AWS Se +When creating an IAM role, you must also create a `dms-vpc-role`. For more information, see [Creating an IAM role for AWS DMS to manage Amazon VPC](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_DMS_migration-IAM.dms-vpc-role.html) in the _Amazon Relational Database Service User Guide_. + @@ -159 +96 @@ In this step, you create an IAM role that provides AWS DMS with access to AWS Se - 6. On the **Add permissions** page, choose **HomogeneousDataMigrationsPolicy** that you created before. Also, choose **SecretsManagerReadWrite**. Choose **Next**. + 6. On the **Add permissions** page, choose **HomogeneousDataMigrationsPolicy** that you created before. @@ -163,28 +100 @@ In this step, you create an IAM role that provides AWS DMS with access to AWS Se - 8. On the **Roles** page, enter `HomogeneousDataMigrationsRole` for **Role name**. Choose **HomogeneousDataMigrationsRole**. - - 9. On the **HomogeneousDataMigrationsRole** page, choose the **Trust relationships** tab. Choose **Edit trust policy**. - - 10. On the **Edit trust policy** page, paste the following JSON into the editor, replacing the existing text. - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "", - "Effect": "Allow", - "Principal": { - "Service": [ - "dms-data-migrations.amazonaws.com", - "dms.your_region.amazonaws.com" - ] - }, - "Action": "sts:AssumeRole" - } - ] - } - -In the preceding example, replace `your_region` with the name of your AWS Region. - -The preceding resource-based policy provides AWS DMS service principals with permissions to perform tasks according to the AWS managed **SecretsManagerReadWrite** and customer managed **HomogeneousDataMigrationsPolicy** policies. - - 11. Choose **Update policy**. + 8. Choose **Update policy**.