AWS privateca documentation change
Summary
Replaced inline JSON policy definitions with links to AWS managed policy references
Security assessment
The change removes verbose inline IAM policy JSON in favor of referencing managed policies. While this improves maintainability, there is no evidence it addresses a specific security vulnerability or adds new security documentation.
Diff
diff --git a/privateca/latest/userguide/auth-AwsManagedPolicies.md b/privateca/latest/userguide/auth-AwsManagedPolicies.md index 7c249c256..328ca10bc 100644 --- a//privateca/latest/userguide/auth-AwsManagedPolicies.md +++ b//privateca/latest/userguide/auth-AwsManagedPolicies.md @@ -15,13 +15 @@ Grants unrestricted administrative control. - - { - "Version":"2012-10-17", - "Statement":[ - { - "Effect":"Allow", - "Action":[ - "acm-pca:*" - ], - "Resource":"*" - } - ] - } +For a JSON listing of the policy details, see [AWSPrivateCAFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSPrivateCAFullAccess.html). @@ -31,19 +19 @@ Grants access limited to read-only API operations. - - { - "Version":"2012-10-17", - "Statement":{ - "Effect":"Allow", - "Action":[ - "acm-pca:DescribeCertificateAuthority", - "acm-pca:DescribeCertificateAuthorityAuditReport", - "acm-pca:ListCertificateAuthorities", - "acm-pca:GetCertificateAuthorityCsr", - "acm-pca:GetCertificateAuthorityCertificate", - "acm-pca:GetCertificate", - "acm-pca:GetPolicy", - "acm-pca:ListPermissions", - "acm-pca:ListTags" - ], - "Resource":"*" - } - } +For a JSON listing of the policy details, see [AWSPrivateCAReadOnly](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSPrivateCAReadOnly.html). @@ -53,50 +23 @@ Grants ability to issue and revoke CA certificates. This policy has no other adm - - { - "Version":"2012-10-17", - "Statement":[ - { - "Effect":"Allow", - "Action":[ - "acm-pca:IssueCertificate" - ], - "Resource":"arn:aws:acm-pca:*:*:certificate-authority/*", - "Condition":{ - "ArnLike":{ - "acm-pca:TemplateArn":[ - "arn:aws:acm-pca:*:*:template/*CACertificate*/V*" - ] - } - } - }, - { - "Effect":"Deny", - "Action":[ - "acm-pca:IssueCertificate" - ], - "Resource":"arn:aws:acm-pca:*:*:certificate-authority/*", - "Condition":{ - "ArnNotLike":{ - "acm-pca:TemplateArn":[ - "arn:aws:acm-pca:*:*:template/*CACertificate*/V*" - ] - } - } - }, - { - "Effect":"Allow", - "Action":[ - "acm-pca:RevokeCertificate", - "acm-pca:GetCertificate", - "acm-pca:ListPermissions" - ], - "Resource":"arn:aws:acm-pca:*:*:certificate-authority/*" - }, - { - "Effect":"Allow", - "Action":[ - "acm-pca:ListCertificateAuthorities" - ], - "Resource":"*" - } - ] - } +For a JSON listing of the policy details, see [AWSPrivateCAPrivilegedUser](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSPrivateCAPrivilegedUser.html). @@ -106,50 +27 @@ Grant ability to issue and revoke end-entity certificates. This policy has no ad - - { - "Version":"2012-10-17", - "Statement":[ - { - "Effect":"Allow", - "Action":[ - "acm-pca:IssueCertificate" - ], - "Resource":"arn:aws:acm-pca:*:*:certificate-authority/*", - "Condition":{ - "ArnLike":{ - "acm-pca:TemplateArn":[ - "arn:aws:acm-pca:*:*:template/EndEntityCertificate/V*" - ] - } - } - }, - { - "Effect":"Deny", - "Action":[ - "acm-pca:IssueCertificate" - ], - "Resource":"arn:aws:acm-pca:*:*:certificate-authority/*", - "Condition":{ - "ArnNotLike":{ - "acm-pca:TemplateArn":[ - "arn:aws:acm-pca:*:*:template/EndEntityCertificate/V*" - ] - } - } - }, - { - "Effect":"Allow", - "Action":[ - "acm-pca:RevokeCertificate", - "acm-pca:GetCertificate", - "acm-pca:ListPermissions" - ], - "Resource":"arn:aws:acm-pca:*:*:certificate-authority/*" - }, - { - "Effect":"Allow", - "Action":[ - "acm-pca:ListCertificateAuthorities" - ], - "Resource":"*" - } - ] - } +For a JSON listing of the policy details, see [AWSPrivateCAUser](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSPrivateCAUser.html). @@ -159,28 +31 @@ Grant access to read-only API operations and permission to generate a CA audit r - - { - "Version":"2012-10-17", - "Statement":[ - { - "Effect":"Allow", - "Action":[ - "acm-pca:CreateCertificateAuthorityAuditReport", - "acm-pca:DescribeCertificateAuthority", - "acm-pca:DescribeCertificateAuthorityAuditReport", - "acm-pca:GetCertificateAuthorityCsr", - "acm-pca:GetCertificateAuthorityCertificate", - "acm-pca:GetCertificate", - "acm-pca:GetPolicy", - "acm-pca:ListPermissions", - "acm-pca:ListTags" - ], - "Resource":"arn:aws:acm-pca:*:*:certificate-authority/*" - }, - { - "Effect":"Allow", - "Action":[ - "acm-pca:ListCertificateAuthorities" - ], - "Resource":"*" - } - ] - } +For a JSON listing of the policy details, see [AWSPrivateCAAuditor](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSPrivateCAAuditor.html). @@ -190,15 +35 @@ Grants essential permissions for the AWS Private CA Connector for Kubernetes. - - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "acm-pca:DescribeCertificateAuthority", - "acm-pca:GetCertificate", - "acm-pca:IssueCertificate" - ], - "Resource": "arn:aws:acm-pca:*:*:certificate-authority/*" - } - ] - } +For a JSON listing of the policy details, see [AWSPrivateCAConnectorForKubernetesPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSPrivateCAConnectorForKubernetesPolicy.html).