AWS datazone documentation change
Summary
Replaced full IAM policy JSON with a link to AWS Managed Policy Reference documentation
Security assessment
The change removes detailed IAM policy permissions from inline documentation and replaces them with a reference link. While IAM policies are security-related constructs, this change itself is a documentation formatting update rather than addressing a specific security vulnerability or adding new security guidance. The policy permissions remain the same, just referenced externally.
Diff
diff --git a/datazone/latest/userguide/security-iam-awsmanpol-AmazonDataZoneFullAccess.md b/datazone/latest/userguide/security-iam-awsmanpol-AmazonDataZoneFullAccess.md index c97f68132..1ad96cbda 100644 --- a//datazone/latest/userguide/security-iam-awsmanpol-AmazonDataZoneFullAccess.md +++ b//datazone/latest/userguide/security-iam-awsmanpol-AmazonDataZoneFullAccess.md @@ -48,385 +48 @@ This policy includes the following permissions: - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "AmazonDataZoneStatement", - "Effect": "Allow", - "Action": [ - "datazone:*" - ], - "Resource": [ - "*" - ] - }, - { - "Sid": "ReadOnlyStatement", - "Effect": "Allow", - "Action": [ - "kms:DescribeKey", - "kms:ListAliases", - "iam:ListRoles", - "sso:DescribeRegisteredRegions", - "s3:ListAllMyBuckets", - "redshift:DescribeClusters", - "redshift-serverless:ListWorkgroups", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVpcs", - "secretsmanager:ListSecrets", - "iam:ListUsers", - "glue:GetDatabases", - "codeconnections:ListConnections", - "codeconnections:ListTagsForResource", - "codewhisperer:ListProfiles", - "bedrock:ListInferenceProfiles", - "bedrock:ListFoundationModels", - "bedrock:ListTagsForResource", - "aoss:ListSecurityPolicies" - ], - "Resource": [ - "*" - ] - }, - { - "Sid": "BucketReadOnlyStatement", - "Effect": "Allow", - "Action": [ - "s3:ListBucket", - "s3:GetBucketLocation" - ], - "Resource": "arn:aws:s3:::*" - }, - { - "Sid": "CreateBucketStatement", - "Effect": "Allow", - "Action": [ - "s3:CreateBucket" - ], - "Resource": [ - "arn:aws:s3:::amazon-datazone*", - "arn:aws:s3:::amazon-sagemaker*" - ] - }, - { - "Sid": "ConfigureBucketStatement", - "Effect": "Allow", - "Action": [ - "s3:PutBucketCORS", - "s3:PutBucketPolicy", - "s3:PutBucketVersioning" - ], - "Resource": [ - "arn:aws:s3:::amazon-sagemaker*" - ], - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - }, - { - "Sid": "RamCreateResourceStatement", - "Effect": "Allow", - "Action": [ - "ram:CreateResourceShare" - ], - "Resource": "*", - "Condition": { - "StringEqualsIfExists": { - "ram:RequestedResourceType": "datazone:Domain" - } - } - }, - { - "Sid": "RamResourceStatement", - "Effect": "Allow", - "Action": [ - "ram:DeleteResourceShare", - "ram:AssociateResourceShare", - "ram:DisassociateResourceShare", - "ram:RejectResourceShareInvitation" - ], - "Resource": "*", - "Condition": { - "StringLike": { - "ram:ResourceShareName": [ - "DataZone*" - ] - } - } - }, - { - "Sid": "RamResourceReadOnlyStatement", - "Effect": "Allow", - "Action": [ - "ram:GetResourceShares", - "ram:GetResourceShareInvitations", - "ram:GetResourceShareAssociations", - "ram:ListResourceSharePermissions" - ], - "Resource": "*" - }, - { - "Sid": "RamAssociateResourceSharePermissionStatement", - "Effect": "Allow", - "Action": "ram:AssociateResourceSharePermission", - "Resource": "*", - "Condition": { - "StringEquals": { - "ram:PermissionArn": [ - "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionAmazonDataZoneDomain", - "arn:aws:ram::aws:permission/AWSRAMPermissionAmazonDataZoneDomainFullAccessWithPortalAccess", - "arn:aws:ram::aws:permission/AWSRAMPermissionsAmazonDatazoneDomainExtendedServiceAccess", - "arn:aws:ram::aws:permission/AWSRAMPermissionsAmazonDatazoneDomainExtendedServiceWithPortalAccess" - ] - } - } - }, - { - "Sid": "IAMPassRoleStatement", - "Effect": "Allow", - "Action": "iam:PassRole", - "Resource": [ - "arn:aws:iam::*:role/AmazonDataZone*", - "arn:aws:iam::*:role/service-role/AmazonDataZone*", - "arn:aws:iam::*:role/service-role/AmazonSageMaker*" - ], - "Condition": { - "StringEquals": { - "iam:passedToService": "datazone.amazonaws.com" - } - } - }, - { - "Sid": "IAMGetPolicyStatement", - "Effect": "Allow", - "Action": "iam:GetPolicy", - "Resource": [ - "arn:aws:iam::*:policy/service-role/AmazonDataZoneRedshiftAccessPolicy*" - ] - }, - { - "Sid": "DataZoneTagOnCreateDomainProjectTags", - "Effect": "Allow", - "Action": [ - "secretsmanager:TagResource" - ], - "Resource": "arn:aws:secretsmanager:*:*:secret:AmazonDataZone-*", - "Condition": { - "ForAllValues:StringEquals": { - "aws:TagKeys": [ - "AmazonDataZoneDomain", - "AmazonDataZoneProject" - ] - }, - "StringLike": { - "aws:RequestTag/AmazonDataZoneDomain": "dzd_*", - "aws:ResourceTag/AmazonDataZoneDomain": "dzd_*" - } - } - }, - { - "Sid": "DataZoneTagOnCreate", - "Effect": "Allow", - "Action": [ - "secretsmanager:TagResource" - ], - "Resource": "arn:aws:secretsmanager:*:*:secret:AmazonDataZone-*", - "Condition": { - "ForAllValues:StringEquals": { - "aws:TagKeys": [ - "AmazonDataZoneDomain" - ] - }, - "StringLike": {