AWS Security ChangesHomeSearch

AWS xray documentation change

Service: xray · 2025-07-18 · Documentation low

File: xray/latest/devguide/security_iam_id-based-policy-examples.md

Summary

Updated IAM policy examples and explanations for tag-based access control in X-Ray, replacing group management examples with sampling rule restrictions and tag enforcement

Security assessment

The change enhances documentation about using IAM tag conditions to control access to X-Ray resources, but shows no evidence of addressing a specific vulnerability. Focuses on security best practices for tag-based access control without referencing exploits or vulnerabilities.

Diff

diff --git a/xray/latest/devguide/security_iam_id-based-policy-examples.md b/xray/latest/devguide/security_iam_id-based-policy-examples.md
index 6de4dcfff..649b29026 100644
--- a//xray/latest/devguide/security_iam_id-based-policy-examples.md
+++ b//xray/latest/devguide/security_iam_id-based-policy-examples.md
@@ -101,2 +101 @@ You can use conditions in your identity-based policy to control access to X-Ray
-To deny a user access to create, update, or delete a group with a tag `stage:prod` or `stage:preprod`, assign the user a role with a policy similar to the following.
-    
+To deny the creation of a sampling rule, use `aws:RequestTag` to indicate tags that cannot be passed as part of a creation request. To deny the update or deletion of a sampling rule, use `aws:ResourceTag` to deny actions based on the tags on those resources.
@@ -104,44 +103 @@ To deny a user access to create, update, or delete a group with a tag `stage:pro
-    {
-        "Version": "2012-10-17",
-        "Statement": [
-            {
-                "Sid": "AllowAllXRay",
-                "Effect": "Allow",
-                "Action": "xray:*",
-                "Resource": "*"
-            },
-            {
-                "Sid": "DenyCreateGroupWithStage",
-                "Effect": "Deny",
-                "Action": [
-                    "xray:CreateGroup"
-                ],
-                "Resource": "*",
-                "Condition": {
-                    "StringEquals": {
-                        "aws:RequestTag/stage": [
-                            "preprod",
-                            "prod"
-                        ]
-                    }
-                }
-            },
-            {
-                "Sid": "DenyUpdateGroupWithStage",
-                "Effect": "Deny",
-                "Action": [
-                    "xray:UpdateGroup",
-                    "xray:DeleteGroup"
-                ],
-                "Resource": "*",
-                "Condition": {
-                    "StringEquals": {
-                        "aws:ResourceTag/stage": [
-                            "preprod",
-                            "prod"
-                        ]
-                    }
-                }
-            }
-        ]
-    }
+You can attach these policies (or combine them into a single policy, then attach the policy) to the users in your account. For the user to make changes to a group or sampling rule, the group or sampling rule must not be tagged `stage=prepod` or `stage=prod`. The condition tag key `Stage` matches both `Stage` and `stage` because condition key names are not case-sensitive. For more information about the condition block, see [IAM JSON Policy Elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the _IAM User Guide_.
@@ -149 +105 @@ To deny a user access to create, update, or delete a group with a tag `stage:pro
-To deny the creation of a sampling rule, use `aws:RequestTag` to indicate tags that cannot be passed as part of a creation request. To deny the update or deletion of a sampling rule, use `aws:ResourceTag` to deny actions based on the tags on those resources.
+A user with a role that has the following policy attached cannot add the tag `role:admin` to resources, and cannot remove tags from a resource that has `role:admin` associated with it.
@@ -150,0 +107 @@ To deny the creation of a sampling rule, use `aws:RequestTag` to indicate tags t
+JSON
@@ -152,42 +108,0 @@ To deny the creation of a sampling rule, use `aws:RequestTag` to indicate tags t
-    {
-        "Version": "2012-10-17",
-        "Statement": [
-            {
-                "Sid": "AllowAllXRay",
-                "Effect": "Allow",
-                "Action": "xray:*",
-                "Resource": "*"
-            },
-            {
-                "Sid": "DenyCreateSamplingRuleWithStage",
-                "Effect": "Deny",
-                "Action": "xray:CreateSamplingRule",
-                "Resource": "*",
-                "Condition": {
-                    "StringEquals": {
-                        "aws:RequestTag/stage": [
-                            "preprod",
-                            "prod"
-                        ]
-                    }
-                }
-            },
-            {
-                "Sid": "DenyUpdateSamplingRuleWithStage",
-                "Effect": "Deny",
-                "Action": [
-                    "xray:UpdateSamplingRule",
-                    "xray:DeleteSamplingRule"
-                ],
-                "Resource": "*",
-                "Condition": {
-                    "StringEquals": {
-                        "aws:ResourceTag/stage": [
-                            "preprod",
-                            "prod"
-                        ]
-                    }
-                }
-            }
-        ]
-    }
@@ -195 +110 @@ To deny the creation of a sampling rule, use `aws:RequestTag` to indicate tags t
-You can attach these policies (or combine them into a single policy, then attach the policy) to the users in your account. For the user to make changes to a group or sampling rule, the group or sampling rule must not be tagged `stage=prepod` or `stage=prod`. The condition tag key `Stage` matches both `Stage` and `stage` because condition key names are not case-sensitive. For more information about the condition block, see [IAM JSON Policy Elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the _IAM User Guide_.
+****
@@ -197 +111,0 @@ You can attach these policies (or combine them into a single policy, then attach
-A user with a role that has the following policy attached cannot add the tag `role:admin` to resources, and cannot remove tags from a resource that has `role:admin` associated with it.
@@ -281,0 +197,6 @@ To make granting permissions easy, IAM supports **managed policies** for each se
+JSON
+    
+
+****
+    
+    
@@ -302,0 +225,6 @@ To make granting permissions easy, IAM supports **managed policies** for each se
+JSON
+    
+
+****
+    
+    
@@ -339,0 +269,6 @@ To make granting permissions easy, IAM supports **managed policies** for each se
+JSON
+    
+
+****
+    
+    
@@ -415,0 +352,6 @@ The following is an example of an identity-based permissions policy for a `Creat
+JSON
+    
+
+****
+    
+    
@@ -433,0 +377,6 @@ The following is an example of an identity-based permissions policy for a `Creat
+JSON
+    
+
+****
+    
+