AWS Security ChangesHomeSearch

AWS waf documentation change

Service: waf · 2025-06-25 · Documentation medium

File: waf/latest/developerguide/nsd-iam.md

Summary

Restructured IAM documentation for AWS Shield network security director, adding details about identity-based policies and service-linked roles while removing specific managed policy references

Security assessment

The changes enhance IAM documentation by emphasizing security best practices like using service-linked roles and identity-based policies, but there's no evidence of addressing a specific vulnerability. The updates improve clarity around access control mechanisms without indicating remediation of a security incident.

Diff

diff --git a/waf/latest/developerguide/nsd-iam.md b/waf/latest/developerguide/nsd-iam.md
index 57ed54ab4..85cccec2c 100644
--- a//waf/latest/developerguide/nsd-iam.md
+++ b//waf/latest/developerguide/nsd-iam.md
@@ -5 +5 @@
-IAM managed policiesIAM identity-based policies for network security directorAWS managed policies for network security director
+How AWS Shield network security director works with IAM
@@ -19 +19 @@ AWS Identity and Access Management (IAM) is an AWS service that helps an adminis
-Review the guidance in this section to understand how to use policies and roles for AWS Shield network security director.
+Review the guidance in this section to understand how to use supported policies and roles for AWS Shield network security director.
@@ -21 +21 @@ Review the guidance in this section to understand how to use policies and roles
-###### IAM identity-based policies
+## How AWS Shield network security director works with IAM
@@ -23 +23 @@ Review the guidance in this section to understand how to use policies and roles
-Don't alter the permissions created by network security director. Doing so could interfere with the service's ability to retrieve information about your AWS resources and identify security findings.
+This section explains how to use the features of IAM with AWS Shield network security director.
@@ -25 +25 @@ Don't alter the permissions created by network security director. Doing so could
-## IAM managed policies
+Before you use IAM to manage access to network security director, learn what IAM features are available to use with network security director.
@@ -27 +27,4 @@ Don't alter the permissions created by network security director. Doing so could
-The following managed policies are used by network security director to retrieve information that enables it to create a comprehensive picture of the network connectivity between your AWS services.
+IAM features you can use with AWS Shield network security director IAM feature | AWS Shield network security director support  
+---|---  
+Identity-based policies |  Yes  
+[Service-linked roles](./security_iam_nsd-with-iam-roles-service-linked.html) |  Yes  
@@ -29 +32 @@ The following managed policies are used by network security director to retrieve
-  * **NetworkSecurityDirectorAdminPolicy** – Allows for invoking all network security director API endpoints as well as creating service linked roles for network security director.
+To get a high-level view of how network security director and other AWS services work with most IAM features, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the _IAM User Guide_.
@@ -31 +34 @@ The following managed policies are used by network security director to retrieve
-  * **NetworkSecurityDirectorReadOnlyPolicy** – Provides read-only access to network security director API endpoints.
+### Identity-based policies for network security director
@@ -32,0 +36 @@ The following managed policies are used by network security director to retrieve
+**Supports identity-based policies:** Yes
@@ -34,3 +38 @@ The following managed policies are used by network security director to retrieve
-
-
-## IAM identity-based policies for network security director
+Identity-based policies are JSON permissions policy documents that you can attach to an identity, such as an IAM user, group of users, or role. These policies control what actions users and roles can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see [Define custom IAM permissions with customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the _IAM User Guide_.
@@ -40,5 +42 @@ With IAM identity-based policies, you can specify allowed or denied actions and
-## AWS managed policies for network security director
-
-An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.
-
-Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining [ customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) that are specific to your use cases.
+To view examples of AWS Shield network security director identity-based policies, see [Identity-based policy examples for AWS Shield network security director](./security-nsd-with-iam-id-based-policies.html).
@@ -46 +44 @@ Keep in mind that AWS managed policies might not grant least-privilege permissio
-You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.
+### Service-linked roles for network security director
@@ -48 +46 @@ You cannot change the permissions defined in AWS managed policies. If AWS update
-For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the _IAM User Guide_.
+**Supports service-linked roles:** Yes
@@ -50 +48 @@ For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM
-### AWS Shield network security director updates to AWS managed policies
+A service-linked role is a type of service role that is linked to an AWS service. The service can assume the role to perform an action on your behalf. Service-linked roles appear in your AWS account and are owned by the service. An IAM administrator can view, but not edit the permissions for service-linked roles. 
@@ -52,4 +50 @@ For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM
-Change | Description | Date  
----|---|---  
-[AWSServiceRoleForNetworkSecurityDirector](./nsd-security-SLR.html) – New policy | Added new service-linked role policy to enable AWS Shield network security director to access AWS resources for security analysis | 2025-06-17  
-AWS Shield network security director started tracking changes | AWS Shield network security director started tracking changes for its AWS managed policies | 2025-06-17  
+For details about creating or managing network security director service-linked roles, see [Using service-linked roles for AWS Shield network security director](./security_iam_nsd-with-iam-roles-service-linked.html).
@@ -65 +60 @@ Security
-Service-linked roles
+Identity-based policy examples