AWS datazone documentation change
Summary
Replaced detailed inline IAM policy JSON with a reference link to AWS Managed Policy documentation
Security assessment
The change removes explicit policy details and directs users to managed policy reference. While IAM policies are security-related, there's no evidence this change addresses a specific security vulnerability. It appears to be a documentation simplification rather than a security fix. The policy remains focused on Redshift data access permissions which are security features.
Diff
diff --git a/datazone/latest/userguide/security-iam-awsmanpol-AmazonDataZoneRedshiftManageAccessRolePolicy.md b/datazone/latest/userguide/security-iam-awsmanpol-AmazonDataZoneRedshiftManageAccessRolePolicy.md index 4579291b9..c58ddbed9 100644 --- a//datazone/latest/userguide/security-iam-awsmanpol-AmazonDataZoneRedshiftManageAccessRolePolicy.md +++ b//datazone/latest/userguide/security-iam-awsmanpol-AmazonDataZoneRedshiftManageAccessRolePolicy.md @@ -9,92 +9 @@ This policy gives Amazon DataZone permissions to publish Amazon Redshift data to - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "redshiftDataScopeDownPermissions", - "Effect": "Allow", - "Action": [ - "redshift-data:BatchExecuteStatement", - "redshift-data:DescribeTable", - "redshift-data:ExecuteStatement", - "redshift-data:ListTables", - "redshift-data:ListSchemas", - "redshift-data:ListDatabases" - ], - "Resource": [ - "arn:aws:redshift-serverless:*:*:workgroup/*", - "arn:aws:redshift:*:*:cluster:*" - ], - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - }, - { - "Sid": "listSecretsPermission", - "Effect": "Allow", - "Action": "secretsmanager:ListSecrets", - "Resource": "*" - }, - { - "Sid": "getWorkgroupPermission", - "Effect": "Allow", - "Action": "redshift-serverless:GetWorkgroup", - "Resource": [ - "arn:aws:redshift-serverless:*:*:workgroup/*" - ], - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - }, - { - "Sid": "getNamespacePermission", - "Effect": "Allow", - "Action": "redshift-serverless:GetNamespace", - "Resource": [ - "arn:aws:redshift-serverless:*:*:namespace/*" - ], - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - }, - { - "Sid": "redshiftDataPermissions", - "Effect": "Allow", - "Action": [ - "redshift-data:DescribeStatement", - "redshift-data:GetStatementResult", - "redshift:DescribeClusters" - ], - "Resource": "*" - }, - { - "Sid": "dataSharesPermissions", - "Effect": "Allow", - "Action": [ - "redshift:AuthorizeDataShare", - "redshift:DescribeDataShares" - ], - "Resource": [ - "arn:aws:redshift:*:*:datashare:*/datazone*" - ], - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - }, - { - "Sid": "associateDataShareConsumerPermission", - "Effect": "Allow", - "Action": "redshift:AssociateDataShareConsumer", - "Resource": "arn:aws:redshift:*:*:datashare:*/datazone*" - } - ] - } - +To view the permissions for this policy, see [AmazonDataZoneRedshiftManageAccessRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonDataZoneRedshiftManageAccessRolePolicy.html) in the _AWS Managed Policy Reference_.