AWS AWSEC2 medium security documentation change
Summary
Modified IAM policy to: 1) Remove iam:CreateServiceLinkedRole permission 2) Add specific resource ARNs 3) Simplify policy statement IDs
Security assessment
Security improvement through least-privilege adjustments: Removed ability to create service-linked roles and constrained permissions to specific resources. Directly impacts security posture by reducing attack surface.
Diff
diff --git a/AWSEC2/latest/UserGuide/permissions-for-ec2-instance-connect-endpoint.md b/AWSEC2/latest/UserGuide/permissions-for-ec2-instance-connect-endpoint.md index 47c41d863..d8ba60402 100644 --- a//AWSEC2/latest/UserGuide/permissions-for-ec2-instance-connect-endpoint.md +++ b//AWSEC2/latest/UserGuide/permissions-for-ec2-instance-connect-endpoint.md @@ -65 +65,2 @@ JSON - "Statement": [{ + "Statement": [ + { @@ -71,2 +72 @@ JSON - "ec2:CreateTags", - "iam:CreateServiceLinkedRole" + "ec2:CreateTags" @@ -75 +75,6 @@ JSON - "Resource": "arn:aws:ec2:region:account-id:subnet/*" + "Resource": [ + "arn:aws:ec2:region:account-id:subnet/*", + "arn:aws:ec2:region:account-id:security-group/*", + "arn:aws:ec2:region:account-id:network-interface/*", + "arn:aws:ec2:region:account-id:instance-connect-endpoint/*" + ] @@ -79 +84 @@ JSON - "ec2:CreateNetworkInterface" + "iam:CreateServiceLinkedRole" @@ -82 +87,3 @@ JSON - "Resource": "arn:aws:ec2:::security-group/*" + "Resource": [ + "arn:aws:iam::account-id:role/aws-service-role/ec2-instance-connect.amazonaws.com/AWSServiceRoleForEc2InstanceConnect" + ] @@ -85 +92 @@ JSON - "Sid": "DescribeInstanceConnectEndpoints", + "Sid": "Describe",