AWS fsx medium security documentation change
Summary
Updated AWS managed policies documentation for FSx, including service-specific clarifications (OpenZFS, Lustre, Windows File Server), added details on audit logging with CloudWatch and Firehose, and updated changelog with new permissions for S3 access points and security group validation.
Security assessment
The changelog entries from January 9, 2024, explicitly add the ec2:GetSecurityGroupsForVpc permission to enable enhanced security group validation. This addresses potential network security misconfigurations by ensuring proper validation of security groups associated with VPCs. Additionally, updates to audit logging documentation clarify security monitoring capabilities, which are security features.
Diff
diff --git a/fsx/latest/FileCacheGuide/security-iam-awsmanpol.md b/fsx/latest/FileCacheGuide/security-iam-awsmanpol.md index c01251f91..ef23449ec 100644 --- a//fsx/latest/FileCacheGuide/security-iam-awsmanpol.md +++ b//fsx/latest/FileCacheGuide/security-iam-awsmanpol.md @@ -7 +7 @@ AmazonFSxServiceRolePolicyAmazonFSxDeleteServiceLinkedRoleAccessAmazonFSxFullAcc -# AWS managed policies for Amazon FSx +# AWS managed policies for Amazon FSx for OpenZFS @@ -17,2 +16,0 @@ For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM -Amazon File Cache caches and Amazon FSx file systems share a common set of AWS managed policies that enable Amazon FSx to take actions on your behalf. - @@ -27 +25 @@ You can't attach `AmazonFSxDeleteServiceLinkedRoleAccess` to your IAM entities. -This policy grants administrative permissions that allow Amazon FSx to delete its Service Linked Role for Amazon S3 access. +This policy grants administrative permissions that allow Amazon FSx to delete its Service Linked Role for Amazon S3 access, used only by Amazon FSx for Lustre. @@ -57 +55 @@ This policy includes the following permissions. - * `logs` – Allows principals to create log groups, log streams, and write events to log streams. + * `firehose` – Allows principals to write records to a Amazon Data Firehose. This is required so that users can monitor FSx for Windows File Server file system access by sending audit access logs to Firehose. @@ -59 +57 @@ This policy includes the following permissions. - * `firehose` – Allows principals to write records to a Amazon Data Firehose. + * `logs` – Allows principals to create log groups, log streams, and write events to log streams. This is required so that users can monitor FSx for Windows File Server file system access by sending audit access logs to CloudWatch Logs. @@ -70 +68 @@ You can attach the `AmazonFSxConsoleFullAccess` policy to your IAM identities. -This policy grants administrative permissions that allow full access to Amazon File Cache and access to related AWS services via the AWS Management Console. +This policy grants administrative permissions that allow full access to Amazon FSx and access to related AWS services via the AWS Management Console. @@ -78 +76 @@ This policy includes the following permissions. - * `cloudwatch` – Allows principals to view CloudWatch Alarms in the Amazon FSx management console. + * `cloudwatch` – Allows principals to view CloudWatch Alarms and metrics in the Amazon FSx management console. @@ -111 +109 @@ This policy includes the following permissions. - * `fsx` – Allows principals to view information about Amazon File Cache caches, including all tags, in the Amazon FSx Management Console. + * `fsx` – Allows principals to view information about Amazon FSx file systems, including all tags, in the Amazon FSx Management Console. @@ -113 +111 @@ This policy includes the following permissions. - * `cloudwatch` – Allows principals to view CloudWatch Alarms in the Amazon FSx Management Console. + * `cloudwatch` – Allows principals to view CloudWatch Alarms and metrics in the Amazon FSx Management Console. @@ -127 +125 @@ This policy includes the following permissions. - * `log` – Allows principals to describe the Amazon CloudWatch Logs log groups associated with the account making the request. + * `log` – Allows principals to describe the Amazon CloudWatch Logs log groups associated with the account making the request. This is required so that principals can view the existing file access auditing configuration for an FSx for Windows File Server file system. @@ -129 +127 @@ This policy includes the following permissions. - * `firehose` – Allows principals to describe the Amazon Data Firehose delivery streams associated with the account making the request. + * `firehose` – Allows principals to describe the Amazon Data Firehose delivery streams associated with the account making the request. This is required so that principals can view the existing file access auditing configuration for an FSx for Windows File Server file system. @@ -140,2 +137,0 @@ You can attach the `AmazonFSxReadOnlyAccess` policy to your IAM identities. -This policy includes the following permissions. - @@ -156,0 +153,8 @@ Change | Description | Date +AmazonFSxConsoleFullAccess – Update to an existing policy | Amazon FSx added a new permission, `fsx:CreateAndAttachS3AccessPoint` that allows principals to create an S3 access point and attach it to an FSx volume. | April 14, 2025 +AmazonFSxConsoleFullAccess – Update to an existing policy | Amazon FSx added a new permission, `fsx:DescribeS3AccessPointAttachments` that allows principals to list all S3 access points in an AWS account in an AWS Region | April 14, 2025 +AmazonFSxConsoleFullAccess – Update to an existing policy | Amazon FSx added a new permission, `fsx:UpdateS3AccessPointAttachments` that allows principals to modify an existing S3 access point. | April 14, 2025 +AmazonFSxConsoleFullAccess – Update to an existing policy | Amazon FSx added a new permission, `fsx:DetachAndDeleteS3AccessPoint` that allows principals to delete an S3 access point. | April 14, 2025 +AmazonFSxFullAccess – Update to an existing policy | Amazon FSx added a new permission, `fsx:CreateAndAttachS3AccessPoint` that allows principals to create an S3 access point and attach it to an FSx volume. | April 14, 2025 +AmazonFSxFullAccess – Update to an existing policy | Amazon FSx added a new permission, `fsx:DescribeS3AccessPointAttachments` that allows principals to list all S3 access points in an AWS account in an AWS Region | April 14, 2025 +AmazonFSxFullAccess – Update to an existing policy | Amazon FSx added a new permission, `fsx:UpdateS3AccessPointAttachments` that allows principals to modify an existing S3 access point. | April 14, 2025 +AmazonFSxFullAccess – Update to an existing policy | Amazon FSx added a new permission, `fsx:DetachAndDeleteS3AccessPoint` that allows principals to delete an S3 access point. | April 14, 2025 @@ -159,5 +163,5 @@ AmazonFSxConsoleFullAccess – Update to an existing policy | Amazon FSx added n -[AmazonFSxServiceRolePolicy](./using-service-linked-roles.html#slr-permissions) – Update to an existing policy | Amazon FSx added new permission, `ec2:GetSecurityGroupsForVpc` that allows principals to provide enhanced security group validation of all security groups that can be used with a VPC. | January 09, 2024 -AmazonFSxReadOnlyAccess – Update to an existing policy | Amazon FSx added new permission, `ec2:GetSecurityGroupsForVpc` that allows principals to provide enhanced security group validation of all security groups that can be used with a VPC. | January 09, 2024 -AmazonFSxConsoleReadOnlyAccess – Update to an existing policy | Amazon FSx added new permission, `ec2:GetSecurityGroupsForVpc` that allows principals to provide enhanced security group validation of all security groups that can be used with a VPC. | January 09, 2024 -AmazonFSxFullAccess – Update to an existing policy | Amazon FSx added new permission, `ec2:GetSecurityGroupsForVpc` that allows principals to provide enhanced security group validation of all security groups that can be used with a VPC. | January 09, 2024 -AmazonFSxConsoleFullAccess – Update to an existing policy | Amazon FSx added new permission, `ec2:GetSecurityGroupsForVpc` that allows principals to provide enhanced security group validation of all security groups that can be used with a VPC. | January 09, 2024 +[AmazonFSxServiceRolePolicy](./using-service-linked-roles.html#slr-permissions) – Update to an existing policy | Amazon FSx added new permission, `ec2:GetSecurityGroupsForVpc` that allows principals to provide enhanced security group validation of all security groups that can be used with a VPC. | January 9, 2024 +AmazonFSxReadOnlyAccess – Update to an existing policy | Amazon FSx added new permission, `ec2:GetSecurityGroupsForVpc` that allows principals to provide enhanced security group validation of all security groups that can be used with a VPC. | January 9, 2024 +AmazonFSxConsoleReadOnlyAccess – Update to an existing policy | Amazon FSx added new permission, `ec2:GetSecurityGroupsForVpc` that allows principals to provide enhanced security group validation of all security groups that can be used with a VPC. | January 9, 2024 +AmazonFSxFullAccess – Update to an existing policy | Amazon FSx added new permission, `ec2:GetSecurityGroupsForVpc` that allows principals to provide enhanced security group validation of all security groups that can be used with a VPC. | January 9, 2024 +AmazonFSxConsoleFullAccess – Update to an existing policy | Amazon FSx added new permission, `ec2:GetSecurityGroupsForVpc` that allows principals to provide enhanced security group validation of all security groups that can be used with a VPC. | January 9, 2024 @@ -166,2 +170,2 @@ AmazonFSxConsoleFullAccess – Update to an existing policy | Amazon FSx added n -AmazonFSxFullAccess – Update to an existing policy | Amazon FSx added a new permission to enable users to perform on-demand replication of volumes for FSx for OpenZFS file systems. | November 26, 2023 -AmazonFSxConsoleFullAccess – Update to an existing policy | Amazon FSx added a new permission to enable users to perform on-demand replication of volumes for FSx for OpenZFS file systems. | November 26, 2023 +AmazonFSxFullAccess – Update to an existing policy | Amazon FSx added new permission to enable users to perform on-demand replication of volumes for FSx for OpenZFS file systems. | November 26, 2023 +AmazonFSxConsoleFullAccess – Update to an existing policy | Amazon FSx added new permission to enable users to perform on-demand replication of volumes for FSx for OpenZFS file systems. | November 26, 2023 @@ -169,0 +174 @@ AmazonFSxConsoleFullAccess – Update to an existing policy | Amazon FSx added n +AmazonFSxFullAccess – Update to an existing policy | Amazon FSx added new permissions to allow Amazon FSx to manage network configurations for FSx for OpenZFS Multi-AZ file systems. | August 9, 2023 @@ -173,3 +178,2 @@ AmazonFSxConsoleFullAccess – Update to an existing policy | Amazon FSx updated -AmazonFSxFullAccess – Update to an existing policy | Amazon FSx added new permissions to allow Amazon FSx to manage network configurations for FSx for OpenZFS Multi-AZ file systems. | June 26, 2023 -AmazonFSxFullAccess – Update to an existing policy | Amazon FSx revised existing permissions to allow principals to manage the CloudWatch Logs resources associated with an FSx for Lustre file system or an Amazon File Cache cache. This is required so that Amazon FSx can verify that the principal is authorized to configure an FSx for Lustre file system or an Amazon File Cache cache to log to CloudWatch. | September 29, 2022 -AmazonFSxFullAccess – Update to an existing policy | Amazon FSx added new permissions to allow Amazon FSx to describe Amazon EC2 network resources when creating an Amazon File Cache. | September 29, 2022 +AmazonFSxConsoleReadOnlyAccess – Update to an existing policy | Amazon FSx added new permissions to enable users to view enhanced performance metrics and recommended actions for FSx for Windows File Server file systems in the Amazon FSx console. | September 21, 2022 +AmazonFSxConsoleFullAccess – Update to an existing policy | Amazon FSx added new permissions to enable users to view enhanced performance metrics and recommended actions for FSx for Windows File Server file systems in the Amazon FSx console. | September 21, 2022