AWS rolesanywhere documentation change
Summary
Added JSON policy example for CloudWatch metric permissions with namespace conditions
Security assessment
Added documentation about required permissions for service-linked roles, including conditional access for CloudWatch metrics. This enhances security documentation but does not indicate a specific security issue being addressed.
Diff
diff --git a/rolesanywhere/latest/userguide/using-service-linked-roles.md b/rolesanywhere/latest/userguide/using-service-linked-roles.md index b30f52174..abcf76fa6 100644 --- a//rolesanywhere/latest/userguide/using-service-linked-roles.md +++ b//rolesanywhere/latest/userguide/using-service-linked-roles.md @@ -42,0 +43,6 @@ The role permissions policy named AWSRolesAnywhereServicePolicy allows IAM Roles +JSON + + +**** + + @@ -73,0 +80,31 @@ The role permissions policy named AWSRolesAnywhereServicePolicy allows IAM Roles + +JSON + + +**** + + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "cloudwatch:PutMetricData" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "cloudwatch:namespace": [ + "AWS/RolesAnywhere", + "AWS/Usage" + ] + } + } + } + ] + } + + +