AWS opensearch-service medium security documentation change
Summary
Updated account IDs, regions, and resource ARNs in multiple IAM policy examples
Security assessment
Changed EC2 resource ARNs from account-specific to wildcarded format (*:ec2:*::resource), potentially introducing over-permissive policies in examples. This could lead to security misconfigurations if followed literally.
Diff
diff --git a/opensearch-service/latest/developerguide/configure-client-confluent-kafka.md b/opensearch-service/latest/developerguide/configure-client-confluent-kafka.md index 0efd6764f..6bba69321 100644 --- a//opensearch-service/latest/developerguide/configure-client-confluent-kafka.md +++ b//opensearch-service/latest/developerguide/configure-client-confluent-kafka.md @@ -41 +41 @@ JSON - "AWS": "arn:aws:iam::pipeline-account-id:role/pipeline-role" + "AWS": "arn:aws:iam::444455556666:role/pipeline-role" @@ -48 +48 @@ JSON - "arn:aws:es:region:account-id:domain/domain-name" + "arn:aws:es:us-east-1:111122223333:domain/domain-name" @@ -88,3 +88,3 @@ JSON - "arn:aws:ec2:*:account-id:network-interface/*", - "arn:aws:ec2:*:account-id:subnet/*", - "arn:aws:ec2:*:account-id:security-group/*" + "arn:aws:ec2:*::network-interface/*", + "arn:aws:ec2:*::subnet/*", + "arn:aws:ec2:*::security-group/*" @@ -133 +133 @@ JSON - "Resource": ["arn:aws:secretsmanager:region:account-id:secret:,secret-name"] + "Resource": ["arn:aws:secretsmanager:us-east-1:111122223333:secret:,secret-name"] @@ -264 +264 @@ JSON - "AWS": "arn:aws:iam::pipeline-account-id:role/pipeline-role" + "AWS": "arn:aws:iam::444455556666:role/pipeline-role" @@ -271 +271 @@ JSON - "arn:aws:es:region:account-id:domain/domain-name" + "arn:aws:es:us-east-1:111122223333:domain/domain-name" @@ -303 +303 @@ JSON - "Resource": ["arn:aws:secretsmanager:region:account-id:secret:secret-name"] + "Resource": ["arn:aws:secretsmanager:us-east-1:111122223333:secret:secret-name"] @@ -317,3 +317,3 @@ JSON - "arn:aws:ec2:*:account-id:network-interface/*", - "arn:aws:ec2:*:account-id:subnet/*", - "arn:aws:ec2:*:account-id:security-group/*" + "arn:aws:ec2:*:*:network-interface/*", + "arn:aws:ec2:*:*:subnet/*", + "arn:aws:ec2:*:*:security-group/*"