AWS Security ChangesHomeSearch

AWS managedservices medium security documentation change

Service: managedservices · 2025-07-25 · Security-related medium

File: managedservices/latest/userguide/ams-sec-stand-controls.md

Summary

Updated IAM standard 3.2 to remove tagging from infrastructure-mutating permissions requiring risk acceptance, while explicitly allowing tagging operations on non-AMS related tags

Security assessment

The change modifies security controls by narrowing permissions requiring approval (removing tagging from restricted actions) while creating exceptions for non-AMS tags. This directly impacts access control policies and could affect privilege escalation risks.

Diff

diff --git a/managedservices/latest/userguide/ams-sec-stand-controls.md b/managedservices/latest/userguide/ams-sec-stand-controls.md
index 6e7570b9a..d639c9cf8 100644
--- a//managedservices/latest/userguide/ams-sec-stand-controls.md
+++ b//managedservices/latest/userguide/ams-sec-stand-controls.md
@@ -125 +125 @@ ID | Technical standard
-3.2 | IAM users and roles for console and programmatic access with any infrastructure-mutating permissions (write, permission management, or tagging) in the customer account must not be created without risk acceptance. However, S3 object-level write permissions are allowed without risk acceptance as long as the specific buckets are in the scope.  
+3.2 | IAM users and roles for console and programmatic access with any infrastructure-mutating permissions (write and permission management) in the customer account must not be created without risk acceptance. Exceptions exist for S3 object-level write permissions which are allowed without risk acceptance as long as the specific buckets are in the scope and tagging operations on non-AMS related tags.