AWS athena documentation change
Summary
Updated JSON policy formatting and fixed KMS resource ARN region to us-east-1
Security assessment
The change standardizes policy syntax and fixes a region in a KMS ARN example. While region specificity is important for resource targeting, there's no evidence this addresses a security vulnerability.
Diff
diff --git a/athena/latest/ug/workgroups-identity-center.md b/athena/latest/ug/workgroups-identity-center.md index 2f271cd96..7d0c6180a 100644 --- a//athena/latest/ug/workgroups-identity-center.md +++ b//athena/latest/ug/workgroups-identity-center.md @@ -229,2 +229,5 @@ JSON - "Statement": [{ - "Action": ["s3:*"], + "Statement": [ + { + "Action": [ + "s3:*" + ], @@ -242,2 +245,5 @@ JSON - }, { - "Action": ["kms:*"], + }, + { + "Action": [ + "kms:*" + ], @@ -245 +251 @@ JSON - "NotResource": "arn:aws:kms:${region}:${account}:key/${keyid}", + "NotResource": "arn:aws:kms:us-east-1:${account}:key/${keyid}", @@ -247,2 +253,6 @@ JSON - }, { - "Action": ["s3:ListMultipartUploadParts", "s3:GetObject"], + }, + { + "Action": [ + "s3:ListMultipartUploadParts", + "s3:GetObject" + ], @@ -260,2 +270,6 @@ JSON - }, { - "Action": ["s3:PutObject", "s3:AbortMultipartUpload"], + }, + { + "Action": [ + "s3:PutObject", + "s3:AbortMultipartUpload" + ], @@ -273 +287,2 @@ JSON - }, { + }, + { @@ -283 +298,4 @@ JSON - "s3:prefix": ["${identitystore:UserId}", "${identitystore:UserId}/*"] + "s3:prefix": [ + "${identitystore:UserId}", + "${identitystore:UserId}/*" + ] @@ -289,2 +307,6 @@ JSON - }, { - "Action": ["kms:GenerateDataKey", "kms:Decrypt"], + }, + { + "Action": [ + "kms:GenerateDataKey", + "kms:Decrypt" + ], @@ -292 +314 @@ JSON - "Resource": "arn:aws:kms:${region}:${account}:key/${keyid}", + "Resource": "arn:aws:kms:us-east-1:${account}:key/${keyid}", @@ -294 +316,2 @@ JSON - }], + } + ],