AWS Security ChangesHomeSearch

AWS prescriptive-guidance documentation change

Service: prescriptive-guidance · 2025-08-10 · Documentation medium

File: prescriptive-guidance/latest/least-privilege-cloudformation/sample-id-policies-for-cloudformation.md

Summary

Improved IAM policy formatting and added explicit PrincipalARN condition

Security assessment

Enhances documentation of least-privilege IAM policies by demonstrating proper policy structure and principal restrictions, which supports secure access control practices.

Diff

diff --git a/prescriptive-guidance/latest/least-privilege-cloudformation/sample-id-policies-for-cloudformation.md b/prescriptive-guidance/latest/least-privilege-cloudformation/sample-id-policies-for-cloudformation.md
index 409b65517..2a75899dc 100644
--- a//prescriptive-guidance/latest/least-privilege-cloudformation/sample-id-policies-for-cloudformation.md
+++ b//prescriptive-guidance/latest/least-privilege-cloudformation/sample-id-policies-for-cloudformation.md
@@ -31 +31,2 @@ View access is the least-privileged type of access to CloudFormation. This kind
-        "Statement":[{
+      "Statement": [
+        {
@@ -40 +40,0 @@ View access is the least-privileged type of access to CloudFormation. This kind
-        }]
@@ -41,0 +42,3 @@ View access is the least-privileged type of access to CloudFormation. This kind
+      ]
+    }
+    
@@ -57 +60,3 @@ Allow the IAM principal to have read-only access to this S3 bucket. This helps p
-          "Action" : [ "cloudformation:CreateStack"],
+          "Action": [
+            "cloudformation:CreateStack"
+          ],
@@ -75 +81,2 @@ To help protect specific CloudFormation stacks that provision business-critical
-        "Statement":[{
+      "Statement": [
+        {
@@ -82 +89,2 @@ To help protect specific CloudFormation stacks that provision business-critical
-        }]
+        }
+      ]
@@ -106 +115,2 @@ However, if you don't allow at least one IAM principal, a _privileged principal_
-        "Statement":[{
+      "Statement": [
+        {
@@ -115 +125,3 @@ However, if you don't allow at least one IAM principal, a _privileged principal_
-              		"aws:PrincipalARN" : [<ARN of the allowed privilege IAM principal>]
+              "aws:PrincipalARN": [
+                "<ARN of the allowed privilege IAM principal>"
+              ]
@@ -118 +130,2 @@ However, if you don't allow at least one IAM principal, a _privileged principal_
-        }]
+        }
+      ]