AWS rolesanywhere documentation change
Summary
Added CloudWatch metric policy with namespace restrictions
Security assessment
Documents security best practice by restricting CloudWatch permissions to specific namespaces, though no vulnerability is addressed
Diff
diff --git a/rolesanywhere/latest/userguide/security-iam-awsmanpol.md b/rolesanywhere/latest/userguide/security-iam-awsmanpol.md index 5b5361b4e..595e418dd 100644 --- a//rolesanywhere/latest/userguide/security-iam-awsmanpol.md +++ b//rolesanywhere/latest/userguide/security-iam-awsmanpol.md @@ -35,0 +36,6 @@ This policy includes the following permissions. +JSON + + +**** + + @@ -65,0 +72,30 @@ This policy includes the following permissions. + +JSON + + +**** + + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "cloudwatch:PutMetricData" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "cloudwatch:namespace": [ + "AWS/RolesAnywhere", + "AWS/Usage" + ] + } + } + } + ] + } + +