AWS managedservices medium security documentation change
Summary
Modified IAM control 3.2 to allow tagging operations on non-AMS related tags without risk acceptance, while tightening restrictions on other mutative permissions.
Security assessment
The change refines IAM security controls by explicitly allowing certain tagging operations while maintaining restrictions on other permissions. This addresses a potential privilege escalation vector where unauthorized tagging of AMS-related resources could occur.
Diff
diff --git a/managedservices/latest/accelerate-guide/acc-sec-stand-controls.md b/managedservices/latest/accelerate-guide/acc-sec-stand-controls.md index 6e6a3d64d..abea1dcf7 100644 --- a//managedservices/latest/accelerate-guide/acc-sec-stand-controls.md +++ b//managedservices/latest/accelerate-guide/acc-sec-stand-controls.md @@ -20 +20 @@ ID | Technical standard -3.2 | IAM users and roles for console and programmatic access with any infrastructure-mutating permissions (write, permission management, or tagging) in the customer account must not be created without risk acceptance. However, S3 object-level write permissions are allowed without risk acceptance as long as the specific buckets are in the scope. +3.2 | IAM users and roles for console and programmatic access with any infrastructure-mutating permissions (write and permission management) in the customer account must not be created without risk acceptance. Exceptions exist for S3 object-level write permissions which are allowed without risk acceptance as long as the specific buckets are in the scope and tagging operations on non-AMS related tags.