AWS managedservices medium security documentation change
Summary
Updated IAM standard 3.2 to remove tagging from infrastructure-mutating permissions requiring risk acceptance, while explicitly allowing tagging operations on non-AMS related tags
Security assessment
The change modifies security controls by narrowing permissions requiring approval (removing tagging from restricted actions) while creating exceptions for non-AMS tags. This directly impacts access control policies and could affect privilege escalation risks.
Diff
diff --git a/managedservices/latest/userguide/ams-sec-stand-controls.md b/managedservices/latest/userguide/ams-sec-stand-controls.md index 6e7570b9a..d639c9cf8 100644 --- a//managedservices/latest/userguide/ams-sec-stand-controls.md +++ b//managedservices/latest/userguide/ams-sec-stand-controls.md @@ -125 +125 @@ ID | Technical standard -3.2 | IAM users and roles for console and programmatic access with any infrastructure-mutating permissions (write, permission management, or tagging) in the customer account must not be created without risk acceptance. However, S3 object-level write permissions are allowed without risk acceptance as long as the specific buckets are in the scope. +3.2 | IAM users and roles for console and programmatic access with any infrastructure-mutating permissions (write and permission management) in the customer account must not be created without risk acceptance. Exceptions exist for S3 object-level write permissions which are allowed without risk acceptance as long as the specific buckets are in the scope and tagging operations on non-AMS related tags.