AWS dms high security documentation change
Summary
Modified IAM policy syntax and added formatting. Changed policy actions/resources from 'dms:*' to ':*' and 'dms:endpoint-tag' to ':endpoint-tag'
Security assessment
The policy syntax changes introduce a security risk by broadening permissions (changing 'dms:*' to ':*' could allow unintended actions) and breaking tag-based condition keys. This appears to be an accidental removal of service prefix that would weaken security controls.
Diff
diff --git a/dms/latest/userguide/security_iam_id-based-policy-examples.md b/dms/latest/userguide/security_iam_id-based-policy-examples.md index d38302976..98a3d8a5e 100644 --- a//dms/latest/userguide/security_iam_id-based-policy-examples.md +++ b//dms/latest/userguide/security_iam_id-based-policy-examples.md @@ -50,0 +51,6 @@ The following policy gives you access to AWS DMS, including the AWS DMS console, +JSON + + +**** + + @@ -236,0 +244,6 @@ In addition to granting the `s3:PutObject`, `s3:GetObject`, and `s3:DeleteObject +JSON + + +**** + + @@ -271,0 +286,6 @@ You can use conditions in your identity-based policy to control access to AWS DM +JSON + + +**** + + @@ -278,2 +298,2 @@ You can use conditions in your identity-based policy to control access to AWS DM - "Action": "dms:*", - "Resource": "arn:aws:dms:*:*:endpoint/*", + "Action": ":*", + "Resource": "arn:aws::*:*:endpoint/*", @@ -281 +301 @@ You can use conditions in your identity-based policy to control access to AWS DM - "StringEquals": {"dms:endpoint-tag/Owner": "${aws:username}"} + "StringEquals": {":endpoint-tag/Owner": "${aws:username}"}