AWS xray documentation change
Summary
Updated IAM policy examples and explanations for tag-based access control in X-Ray, replacing group management examples with sampling rule restrictions and tag enforcement
Security assessment
The change enhances documentation about using IAM tag conditions to control access to X-Ray resources, but shows no evidence of addressing a specific vulnerability. Focuses on security best practices for tag-based access control without referencing exploits or vulnerabilities.
Diff
diff --git a/xray/latest/devguide/security_iam_id-based-policy-examples.md b/xray/latest/devguide/security_iam_id-based-policy-examples.md index 6de4dcfff..649b29026 100644 --- a//xray/latest/devguide/security_iam_id-based-policy-examples.md +++ b//xray/latest/devguide/security_iam_id-based-policy-examples.md @@ -101,2 +101 @@ You can use conditions in your identity-based policy to control access to X-Ray -To deny a user access to create, update, or delete a group with a tag `stage:prod` or `stage:preprod`, assign the user a role with a policy similar to the following. - +To deny the creation of a sampling rule, use `aws:RequestTag` to indicate tags that cannot be passed as part of a creation request. To deny the update or deletion of a sampling rule, use `aws:ResourceTag` to deny actions based on the tags on those resources. @@ -104,44 +103 @@ To deny a user access to create, update, or delete a group with a tag `stage:pro - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "AllowAllXRay", - "Effect": "Allow", - "Action": "xray:*", - "Resource": "*" - }, - { - "Sid": "DenyCreateGroupWithStage", - "Effect": "Deny", - "Action": [ - "xray:CreateGroup" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "aws:RequestTag/stage": [ - "preprod", - "prod" - ] - } - } - }, - { - "Sid": "DenyUpdateGroupWithStage", - "Effect": "Deny", - "Action": [ - "xray:UpdateGroup", - "xray:DeleteGroup" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "aws:ResourceTag/stage": [ - "preprod", - "prod" - ] - } - } - } - ] - } +You can attach these policies (or combine them into a single policy, then attach the policy) to the users in your account. For the user to make changes to a group or sampling rule, the group or sampling rule must not be tagged `stage=prepod` or `stage=prod`. The condition tag key `Stage` matches both `Stage` and `stage` because condition key names are not case-sensitive. For more information about the condition block, see [IAM JSON Policy Elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the _IAM User Guide_. @@ -149 +105 @@ To deny a user access to create, update, or delete a group with a tag `stage:pro -To deny the creation of a sampling rule, use `aws:RequestTag` to indicate tags that cannot be passed as part of a creation request. To deny the update or deletion of a sampling rule, use `aws:ResourceTag` to deny actions based on the tags on those resources. +A user with a role that has the following policy attached cannot add the tag `role:admin` to resources, and cannot remove tags from a resource that has `role:admin` associated with it. @@ -150,0 +107 @@ To deny the creation of a sampling rule, use `aws:RequestTag` to indicate tags t +JSON @@ -152,42 +108,0 @@ To deny the creation of a sampling rule, use `aws:RequestTag` to indicate tags t - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "AllowAllXRay", - "Effect": "Allow", - "Action": "xray:*", - "Resource": "*" - }, - { - "Sid": "DenyCreateSamplingRuleWithStage", - "Effect": "Deny", - "Action": "xray:CreateSamplingRule", - "Resource": "*", - "Condition": { - "StringEquals": { - "aws:RequestTag/stage": [ - "preprod", - "prod" - ] - } - } - }, - { - "Sid": "DenyUpdateSamplingRuleWithStage", - "Effect": "Deny", - "Action": [ - "xray:UpdateSamplingRule", - "xray:DeleteSamplingRule" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "aws:ResourceTag/stage": [ - "preprod", - "prod" - ] - } - } - } - ] - } @@ -195 +110 @@ To deny the creation of a sampling rule, use `aws:RequestTag` to indicate tags t -You can attach these policies (or combine them into a single policy, then attach the policy) to the users in your account. For the user to make changes to a group or sampling rule, the group or sampling rule must not be tagged `stage=prepod` or `stage=prod`. The condition tag key `Stage` matches both `Stage` and `stage` because condition key names are not case-sensitive. For more information about the condition block, see [IAM JSON Policy Elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the _IAM User Guide_. +**** @@ -197 +111,0 @@ You can attach these policies (or combine them into a single policy, then attach -A user with a role that has the following policy attached cannot add the tag `role:admin` to resources, and cannot remove tags from a resource that has `role:admin` associated with it. @@ -281,0 +197,6 @@ To make granting permissions easy, IAM supports **managed policies** for each se +JSON + + +**** + + @@ -302,0 +225,6 @@ To make granting permissions easy, IAM supports **managed policies** for each se +JSON + + +**** + + @@ -339,0 +269,6 @@ To make granting permissions easy, IAM supports **managed policies** for each se +JSON + + +**** + + @@ -415,0 +352,6 @@ The following is an example of an identity-based permissions policy for a `Creat +JSON + + +**** + + @@ -433,0 +377,6 @@ The following is an example of an identity-based permissions policy for a `Creat +JSON + + +**** + +