AWS AWSCloudFormation medium security documentation change
Summary
Clarified resource-based policy requirements: restricted to JSON format, added 20KB size limit with whitespace counting, specified required IAM actions for policy attachment
Security assessment
Explicitly specifies security-related constraints (policy format restrictions, size limits) and required IAM permissions for secure policy attachment. The added IAM action requirements (CreateTable and PutResourcePolicy) directly relate to access control enforcement.
Diff
diff --git a/AWSCloudFormation/latest/TemplateReference/aws-resource-dynamodb-table.md b/AWSCloudFormation/latest/TemplateReference/aws-resource-dynamodb-table.md index 1a02ae450..463a12257 100644 --- a//AWSCloudFormation/latest/TemplateReference/aws-resource-dynamodb-table.md +++ b//AWSCloudFormation/latest/TemplateReference/aws-resource-dynamodb-table.md @@ -274 +274 @@ _Required_ : Conditional -A resource-based policy document that contains permissions to add to the specified table. In a CloudFormation template, you can provide the policy in JSON or YAML format because CloudFormation converts YAML to JSON before submitting it to DynamoDB. For more information about resource-based policies, see [Using resource-based policies for DynamoDB](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/access-control-resource-based.html) and [Resource-based policy examples](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/rbac-examples.html). +An AWS resource-based policy document in JSON format that will be attached to the table. @@ -276 +276,7 @@ A resource-based policy document that contains permissions to add to the specifi -When you attach a resource-based policy while creating a table, the policy creation is _strongly consistent_. For information about the considerations that you should keep in mind while attaching a resource-based policy, see [Resource-based policy considerations](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/rbac-considerations.html). +When you attach a resource-based policy while creating a table, the policy application is _strongly consistent_. + +The maximum size supported for a resource-based policy document is 20 KB. DynamoDB counts whitespaces when calculating the size of a policy against this limit. For a full list of all considerations that apply for resource-based policies, see [Resource-based policy considerations](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/rbac-considerations.html). + +###### Note + +You need to specify the `CreateTable` and `PutResourcePolicy` IAM actions for authorizing a user to create a table with a resource-based policy.