AWS aurora-dsql medium security documentation change
Summary
Rewrote IAM policy example to use specific dsql:CreateCluster actions with regional resource ARNs instead of service-linked role creation
Security assessment
Changes implement least-privilege principles by narrowing permissions from broad iam:CreateServiceLinkedRole to specific cluster creation actions with regional restrictions
Diff
diff --git a/aurora-dsql/latest/userguide/working-with-service-linked-roles.md b/aurora-dsql/latest/userguide/working-with-service-linked-roles.md index 18385ae5f..343334135 100644 --- a//aurora-dsql/latest/userguide/working-with-service-linked-roles.md +++ b//aurora-dsql/latest/userguide/working-with-service-linked-roles.md @@ -24,0 +25,6 @@ You must configure permissions to allow an IAM entity (such as a user, group, or +JSON + + +**** + + @@ -27,8 +33,9 @@ You must configure permissions to allow an IAM entity (such as a user, group, or - "Sid" : "CreateDsqlServiceLinkedRole", - "Effect" : "Allow", - "Action" : "iam:CreateServiceLinkedRole", - "Resource" : "*", - "Condition" : { - "StringEquals" : { - "iam:AWSServiceName" : "dsql.amazonaws.com" - } + "Version": "2012-10-17", + "Statement": [ + { + "Action": ["dsql:CreateCluster"], + "Resource": [ + "arn:aws:dsql:us-east-1:*:cluster/*", + "arn:aws:dsql:us-east-2:*:cluster/*" + ], + "Effect": "Allow" @@ -35,0 +43 @@ You must configure permissions to allow an IAM entity (such as a user, group, or + ]