AWS Security ChangesHomeSearch

AWS audit-manager high security documentation change

Service: audit-manager · 2025-07-18 · Security-related high

File: audit-manager/latest/userguide/security_iam_id-based-policy-examples.md

Summary

Added JSON formatting blocks and modified IAM policy examples - changed Service value to '.amazonaws.com' wildcard and altered SourceArn format

Security assessment

The change to a wildcard '.amazonaws.com' Service value and modified SourceArn pattern reduces specificity in IAM policies, potentially creating over-permissive access if used without adjustment. This could lead to privilege escalation risks if users copy these examples without proper validation.

Diff

diff --git a/audit-manager/latest/userguide/security_iam_id-based-policy-examples.md b/audit-manager/latest/userguide/security_iam_id-based-policy-examples.md
index 9565b0f42..ac2c603f8 100644
--- a//audit-manager/latest/userguide/security_iam_id-based-policy-examples.md
+++ b//audit-manager/latest/userguide/security_iam_id-based-policy-examples.md
@@ -78,0 +79,6 @@ To grant the minimum access required to enable Audit Manager, use the following
+JSON
+    
+
+****
+    
+    
@@ -197,0 +205,6 @@ The following permission policy is required if you want to enable and use the ev
+JSON
+    
+
+****
+    
+    
@@ -229,0 +244,6 @@ Before you use this policy, replace the `placeholder text` with your own informa
+JSON
+    
+
+****
+    
+    
@@ -250,0 +272,6 @@ This policy grants the ability to manage all Audit Manager resources (assessment
+JSON
+    
+
+****
+    
+    
@@ -393,0 +422,6 @@ This policy grants read-only access to AWS Audit Manager resources such as asses
+JSON
+    
+
+****
+    
+    
@@ -475,0 +511,6 @@ Before using this policy, replace the `placeholder text` with your own informati
+JSON
+    
+
+****
+    
+    
@@ -483 +524 @@ Before using this policy, replace the `placeholder text` with your own informati
-            "Service": "auditmanager.amazonaws.com"
+            "Service": ".amazonaws.com"
@@ -492 +533 @@ Before using this policy, replace the `placeholder text` with your own informati
-              "aws:SourceArn": "arn:aws:auditmanager:region:accountID:*"
+              "aws:SourceArn": "arn:aws::region:accountID:*"
@@ -578,0 +621,6 @@ The following policy grants permissions to perform queries on a CloudTrail Lake
+JSON
+    
+
+****
+    
+