AWS Security ChangesHomeSearch

AWS dms high security documentation change

Service: dms · 2025-07-19 · Security-related high

File: dms/latest/userguide/security_iam_id-based-policy-examples.md

Summary

Modified IAM policy syntax and added formatting. Changed policy actions/resources from 'dms:*' to ':*' and 'dms:endpoint-tag' to ':endpoint-tag'

Security assessment

The policy syntax changes introduce a security risk by broadening permissions (changing 'dms:*' to ':*' could allow unintended actions) and breaking tag-based condition keys. This appears to be an accidental removal of service prefix that would weaken security controls.

Diff

diff --git a/dms/latest/userguide/security_iam_id-based-policy-examples.md b/dms/latest/userguide/security_iam_id-based-policy-examples.md
index d38302976..98a3d8a5e 100644
--- a//dms/latest/userguide/security_iam_id-based-policy-examples.md
+++ b//dms/latest/userguide/security_iam_id-based-policy-examples.md
@@ -50,0 +51,6 @@ The following policy gives you access to AWS DMS, including the AWS DMS console,
+JSON
+    
+
+****
+    
+    
@@ -236,0 +244,6 @@ In addition to granting the `s3:PutObject`, `s3:GetObject`, and `s3:DeleteObject
+JSON
+    
+
+****
+    
+    
@@ -271,0 +286,6 @@ You can use conditions in your identity-based policy to control access to AWS DM
+JSON
+    
+
+****
+    
+    
@@ -278,2 +298,2 @@ You can use conditions in your identity-based policy to control access to AWS DM
-                "Action": "dms:*",
-                "Resource": "arn:aws:dms:*:*:endpoint/*",
+                "Action": ":*",
+                "Resource": "arn:aws::*:*:endpoint/*",
@@ -281 +301 @@ You can use conditions in your identity-based policy to control access to AWS DM
-                    "StringEquals": {"dms:endpoint-tag/Owner": "${aws:username}"}
+                    "StringEquals": {":endpoint-tag/Owner": "${aws:username}"}