AWS AWSEC2 documentation change
Summary
Updated example IAM policies to use concrete account ID '111122223333' and region 'us-east-1' instead of placeholders. Standardized formatting of ARNs and region references.
Security assessment
Changes primarily replace placeholder values (account-id, region) with concrete examples. While proper resource ARN specification is a security best practice, this appears to be routine documentation standardization rather than addressing a specific security vulnerability. No evidence of patching a security flaw or introducing new security controls.
Diff
diff --git a/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.md b/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.md index fdf6d7814..4df0355db 100644 --- a//AWSEC2/latest/UserGuide/ExamplePolicies_EC2.md +++ b//AWSEC2/latest/UserGuide/ExamplePolicies_EC2.md @@ -145 +145 @@ The users don't have permission to use any other API actions (unless another sta -The following policy allows users to describe all instances, to start and stop only instances i-1234567890abcdef0 and i-0598c7d356eba48d7, and to terminate only instances in the US East (N. Virginia) Region (`us-east-1`) with the resource tag "`purpose=test`". +The following policy allows users to describe all instances, to start and stop only instances i-1234567890abcdef0 and i-0598c7d356eba48d7, and to terminate only instances in the `us-east-1` Region, with the resource tag "`purpose=test`". @@ -151 +151 @@ The second statement uses resource-level permissions for the `StopInstances` and -The third statement allows users to terminate all instances in the US East (N. Virginia) Region (`us-east-1`) that belong to the specified AWS account, but only where the instance has the tag `"purpose=test"`. The `Condition` element qualifies when the policy statement is in effect. +The third statement allows users to terminate all instances in the `us-east-1` Region that belong to the specified AWS account, but only where the instance has the tag `"purpose=test"`. The `Condition` element qualifies when the policy statement is in effect. @@ -169,2 +169,2 @@ The third statement allows users to terminate all instances in the US East (N. V - "arn:aws:ec2:us-east-1:account-id:instance/i-1234567890abcdef0", - "arn:aws:ec2:us-east-1:account-id:instance/i-0598c7d356eba48d7" + "arn:aws:ec2:us-east-1:111122223333:instance/i-1234567890abcdef0", + "arn:aws:ec2:us-east-1:111122223333:instance/i-0598c7d356eba48d7" @@ -176 +176 @@ The third statement allows users to terminate all instances in the US East (N. V - "Resource": "arn:aws:ec2:us-east-1:account-id:instance/*", + "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*", @@ -228,8 +228,8 @@ The following policy allows users to launch instances using only the specified A - "arn:aws:ec2:region::image/ami-9e1670f7", - "arn:aws:ec2:region::image/ami-45cf5c3c", - "arn:aws:ec2:region:account-id:instance/*", - "arn:aws:ec2:region:account-id:volume/*", - "arn:aws:ec2:region:account-id:key-pair/*", - "arn:aws:ec2:region:account-id:security-group/*", - "arn:aws:ec2:region:account-id:subnet/*", - "arn:aws:ec2:region:account-id:network-interface/*" + "arn:aws:ec2:us-east-1::image/ami-9e1670f7", + "arn:aws:ec2:us-east-1::image/ami-45cf5c3c", + "arn:aws:ec2:us-east-1:111122223333:instance/*", + "arn:aws:ec2:us-east-1:111122223333:volume/*", + "arn:aws:ec2:us-east-1:111122223333:key-pair/*", + "arn:aws:ec2:us-east-1:111122223333:security-group/*", + "arn:aws:ec2:us-east-1:111122223333:subnet/*", + "arn:aws:ec2:us-east-1:111122223333:network-interface/*" @@ -251 +251 @@ Alternatively, the following policy allows users to launch instances from all AM - "arn:aws:ec2:region::image/ami-*" + "arn:aws:ec2:us-east-1::image/ami-*" @@ -263,6 +263,6 @@ Alternatively, the following policy allows users to launch instances from all AM - "arn:aws:ec2:region:account-id:instance/*", - "arn:aws:ec2:region:account-id:subnet/*", - "arn:aws:ec2:region:account-id:volume/*", - "arn:aws:ec2:region:account-id:network-interface/*", - "arn:aws:ec2:region:account-id:key-pair/*", - "arn:aws:ec2:region:account-id:security-group/*" + "arn:aws:ec2:us-east-1:111122223333:instance/*", + "arn:aws:ec2:us-east-1:111122223333:subnet/*", + "arn:aws:ec2:us-east-1:111122223333:volume/*", + "arn:aws:ec2:us-east-1:111122223333:network-interface/*", + "arn:aws:ec2:us-east-1:111122223333:key-pair/*", + "arn:aws:ec2:us-east-1:111122223333:security-group/*" @@ -286 +286 @@ The following policy allows users to launch instances using only the `t2.micro` - "arn:aws:ec2:region:account-id:instance/*" + "arn:aws:ec2:us-east-1:111122223333:instance/*" @@ -298,6 +298,6 @@ The following policy allows users to launch instances using only the `t2.micro` - "arn:aws:ec2:region::image/ami-*", - "arn:aws:ec2:region:account-id:subnet/*", - "arn:aws:ec2:region:account-id:network-interface/*", - "arn:aws:ec2:region:account-id:volume/*", - "arn:aws:ec2:region:account-id:key-pair/*", - "arn:aws:ec2:region:account-id:security-group/*" + "arn:aws:ec2:us-east-1::image/ami-*", + "arn:aws:ec2:us-east-1:111122223333:subnet/*", + "arn:aws:ec2:us-east-1:111122223333:network-interface/*", + "arn:aws:ec2:us-east-1:111122223333:volume/*", + "arn:aws:ec2:us-east-1:111122223333:key-pair/*", + "arn:aws:ec2:us-east-1:111122223333:security-group/*" @@ -319 +319 @@ Alternatively, you can create a policy that denies users permissions to launch a - "arn:aws:ec2:region:account-id:instance/*" + "arn:aws:ec2:us-east-1:111122223333:instance/*" @@ -331,7 +331,7 @@ Alternatively, you can create a policy that denies users permissions to launch a - "arn:aws:ec2:region::image/ami-*", - "arn:aws:ec2:region:account-id:network-interface/*", - "arn:aws:ec2:region:account-id:instance/*", - "arn:aws:ec2:region:account-id:subnet/*", - "arn:aws:ec2:region:account-id:volume/*", - "arn:aws:ec2:region:account-id:key-pair/*", - "arn:aws:ec2:region:account-id:security-group/*" + "arn:aws:ec2:us-east-1::image/ami-*", + "arn:aws:ec2:us-east-1:111122223333:network-interface/*", + "arn:aws:ec2:us-east-1:111122223333:instance/*", + "arn:aws:ec2:us-east-1:111122223333:subnet/*", + "arn:aws:ec2:us-east-1:111122223333:volume/*", + "arn:aws:ec2:us-east-1:111122223333:key-pair/*", + "arn:aws:ec2:us-east-1:111122223333:security-group/*" @@ -355,7 +355,7 @@ The following policy allows users to launch instances using only the specified s - "arn:aws:ec2:region:account-id:subnet/subnet-12345678", - "arn:aws:ec2:region:account-id:network-interface/*", - "arn:aws:ec2:region:account-id:instance/*", - "arn:aws:ec2:region:account-id:volume/*", - "arn:aws:ec2:region::image/ami-*", - "arn:aws:ec2:region:account-id:key-pair/*", - "arn:aws:ec2:region:account-id:security-group/*" + "arn:aws:ec2:us-east-1:111122223333:subnet/subnet-12345678", + "arn:aws:ec2:us-east-1:111122223333:network-interface/*", + "arn:aws:ec2:us-east-1:111122223333:instance/*", + "arn:aws:ec2:us-east-1:111122223333:volume/*", + "arn:aws:ec2:us-east-1::image/ami-*", + "arn:aws:ec2:us-east-1:111122223333:key-pair/*", + "arn:aws:ec2:us-east-1:111122223333:security-group/*" @@ -377 +377 @@ Alternatively, you could create a policy that denies users permissions to launch - "arn:aws:ec2:region:account-id:network-interface/*" + "arn:aws:ec2:us-east-1:111122223333:network-interface/*" @@ -381 +381 @@ Alternatively, you could create a policy that denies users permissions to launch - "ec2:Subnet": "arn:aws:ec2:region:account-id:subnet/subnet-12345678" + "ec2:Subnet": "arn:aws:ec2:us-east-1:111122223333:subnet/subnet-12345678" @@ -389,7 +389,7 @@ Alternatively, you could create a policy that denies users permissions to launch - "arn:aws:ec2:region::image/ami-*", - "arn:aws:ec2:region:account-id:network-interface/*", - "arn:aws:ec2:region:account-id:instance/*", - "arn:aws:ec2:region:account-id:subnet/*", - "arn:aws:ec2:region:account-id:volume/*", - "arn:aws:ec2:region:account-id:key-pair/*", - "arn:aws:ec2:region:account-id:security-group/*" + "arn:aws:ec2:us-east-1::image/ami-*", + "arn:aws:ec2:us-east-1:111122223333:network-interface/*", + "arn:aws:ec2:us-east-1:111122223333:instance/*", + "arn:aws:ec2:us-east-1:111122223333:subnet/*", + "arn:aws:ec2:us-east-1:111122223333:volume/*", + "arn:aws:ec2:us-east-1:111122223333:key-pair/*", + "arn:aws:ec2:us-east-1:111122223333:security-group/*" @@ -460 +460 @@ For more information, see [Grant permission to tag Amazon EC2 resources during c - "Resource": "arn:aws:ec2:us-east-1:account-id:instance/*", + "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*", @@ -484,5 +484,5 @@ The following policy includes the `aws:RequestTag` condition key that requires u - "arn:aws:ec2:region::image/*", - "arn:aws:ec2:region:account-id:subnet/*", - "arn:aws:ec2:region:account-id:network-interface/*", - "arn:aws:ec2:region:account-id:security-group/*", - "arn:aws:ec2:region:account-id:key-pair/*" + "arn:aws:ec2:us-east-1::image/*", + "arn:aws:ec2:us-east-1:111122223333:subnet/*", + "arn:aws:ec2:us-east-1:111122223333:network-interface/*", + "arn:aws:ec2:us-east-1:111122223333:security-group/*", + "arn:aws:ec2:us-east-1:111122223333:key-pair/*" @@ -497,2 +497,2 @@ The following policy includes the `aws:RequestTag` condition key that requires u - "arn:aws:ec2:region:account-id:volume/*", - "arn:aws:ec2:region:account-id:instance/*" + "arn:aws:ec2:us-east-1:111122223333:volume/*", + "arn:aws:ec2:us-east-1:111122223333:instance/*" @@ -512 +512 @@ The following policy includes the `aws:RequestTag` condition key that requires u - "Resource": "arn:aws:ec2:region:account-id:*/*", + "Resource": "arn:aws:ec2:us-east-1:111122223333:*/*", @@ -536,5 +536,5 @@ The following policy uses the `ForAnyValue` modifier on the `aws:TagKeys` condit - "arn:aws:ec2:region::image/*", - "arn:aws:ec2:region:account-id:subnet/*", - "arn:aws:ec2:region:account-id:network-interface/*", - "arn:aws:ec2:region:account-id:security-group/*", - "arn:aws:ec2:region:account-id:key-pair/*" + "arn:aws:ec2:us-east-1::image/*", + "arn:aws:ec2:us-east-1:111122223333:subnet/*", + "arn:aws:ec2:us-east-1:111122223333:network-interface/*", + "arn:aws:ec2:us-east-1:111122223333:security-group/*", + "arn:aws:ec2:us-east-1:111122223333:key-pair/*" @@ -549,2 +549,2 @@ The following policy uses the `ForAnyValue` modifier on the `aws:TagKeys` condit - "arn:aws:ec2:region:account-id:volume/*", - "arn:aws:ec2:region:account-id:instance/*" + "arn:aws:ec2:us-east-1:111122223333:volume/*", + "arn:aws:ec2:us-east-1:111122223333:instance/*" @@ -563 +563 @@ The following policy uses the `ForAnyValue` modifier on the `aws:TagKeys` condit - "Resource": "arn:aws:ec2:region:account-id:*/*", + "Resource": "arn:aws:ec2:us-east-1:111122223333:*/*", @@ -593 +593 @@ In the following policy, users do not have to specify tags in the request, but i - "Resource": "arn:aws:ec2:region:account-id:*/*", + "Resource": "arn:aws:ec2:us-east-1:111122223333:*/*", @@ -631 +630,0 @@ To disallow anyone called tag on create for RunInstances - "Sid": "VisualEditor0", @@ -662 +660,0 @@ Only allow specific tags for spot-instances-request. Surprise inconsistency numb - "Sid": "VisualEditor0", @@ -689 +687 @@ In the following example, users can launch instances, but only if they use a spe - "ec2:LaunchTemplate": "arn:aws:ec2:region:account-id:launch-template/lt-09477bcd97b0d310e" + "ec2:LaunchTemplate": "arn:aws:ec2:us-east-1:111122223333:launch-template/lt-09477bcd97b0d310e" @@ -701 +699 @@ In the following example, users can launch instances, but only if they use a spe - "Resource": "arn:aws:ec2:region:account-id:instance/*", + "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*", @@ -727 +725 @@ The `ec2:ElasticGpuType` condition key ensures that instances use either the `eg - "arn:aws:ec2:*:account-id:elastic-gpu/*" + "arn:aws:ec2:*:111122223333:elastic-gpu/*" @@ -744,6 +742,6 @@ The `ec2:ElasticGpuType` condition key ensures that instances use either the `eg - "arn:aws:ec2:*:account-id:network-interface/*", - "arn:aws:ec2:*:account-id:instance/*", - "arn:aws:ec2:*:account-id:subnet/*", - "arn:aws:ec2:*:account-id:volume/*", - "arn:aws:ec2:*:account-id:key-pair/*", - "arn:aws:ec2:*:account-id:security-group/*" + "arn:aws:ec2:*:111122223333:network-interface/*", + "arn:aws:ec2:*:111122223333:instance/*", + "arn:aws:ec2:*:111122223333:subnet/*", + "arn:aws:ec2:*:111122223333:volume/*", + "arn:aws:ec2:*:111122223333:key-pair/*", + "arn:aws:ec2:*:111122223333:security-group/*" @@ -769 +767 @@ In the following example, users can launch instances, but only if they use a spe - "ec2:LaunchTemplate": "arn:aws:ec2:region:account-id:launch-template/lt-09477bcd97b0d310e" + "ec2:LaunchTemplate": "arn:aws:ec2:us-east-1:111122223333:launch-template/lt-09477bcd97b0d310e" @@ -788 +786 @@ In this example, users can launch instances only if they use a launch template. - "ec2:LaunchTemplate": "arn:aws:ec2:region:account-id:launch-template/*" + "ec2:LaunchTemplate": "arn:aws:ec2:us-east-1:111122223333:launch-template/*" @@ -807,2 +805,2 @@ The following example policy allows user to launch instances, but only if they u - "NotResource": ["arn:aws:ec2:region:account-id:subnet/*", - "arn:aws:ec2:region:account-id:network-interface/*" ],