AWS res documentation change
Summary
Removed detailed IAM policy/role creation steps and added a note to use exact version numbers instead of 'latest' in download URIs
Security assessment
The change emphasizes specifying exact version numbers to avoid using potentially unstable 'latest' versions, which is a security best practice for version pinning. However, there's no direct evidence of addressing a specific security vulnerability.
Diff
diff --git a/res/latest/ug/res-ready-ami.md b/res/latest/ug/res-ready-ami.md index c57b0ccd6..ee0d7a11e 100644 --- a//res/latest/ug/res-ready-ami.md +++ b//res/latest/ug/res-ready-ami.md @@ -45,87 +44,0 @@ To access the RES environment service from EC2 Image Builder, you must create or - 1. Start by creating a new policy that will be attached to your role: **IAM** -> **Policies** -> **Create policy** - - 2. Select **JSON** from the policy editor. - - 3. Copy and paste the policy shown here into the editor, replacing your desired `{AWS-Region}`, `{AWS-Account-ID}`, and `{RES-EnvironmentName}` where applicable. - -**RES policy:** - -JSON - - -**** - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "RESDynamoDBAccess", - "Effect": "Allow", - "Action": "dynamodb:GetItem", - "Resource": "arn:aws:dynamodb:us-east-1:{AWS-Account-ID}:table/{RES-EnvironmentName}.cluster-settings", - "Condition": { - "ForAllValues:StringLike": { - "dynamodb:LeadingKeys": [ - "global-settings.gpu_settings.*", - "global-settings.package_config.*", - "cluster-manager.host_modules.*", - "identity-provider.cognito.enable_native_user_login" - ] - } - } - }, - { - "Sid": "RESS3Access", - "Effect": "Allow", - "Action": "s3:GetObject", - "Resource": [ - "arn:aws:s3:::{RES-EnvironmentName}-cluster-{AWS-Region}-{AWS-Account-ID}/idea/vdc/res-ready-install-script-packages/*", - "arn:aws:s3:::research-engineering-studio-{AWS-Region}/host_modules/*" - ] - } - ] - } - - - 4. Choose **Next** and provide a name and optional description to complete the policy creation. - - 5. To create the role, start by going to **IAM** -> **Roles** -> **Create role**. - - 6. Under **Trusted Entity Type** , select **"AWS service"**. - - 7. Select **EC2** in the **Service or use case** drop down. - - 8. In the **Use case** section, select **EC2** , then choose **Next**. - - 9. Search for and then select the name of the policy you previously created. - - 10. Choose **Next** and provide a name and optional description to complete the role creation. - - 11. Select your new role and verify that the Trust relationship matches the following: - -**Trusted relationship entity:** - -JSON - - -**** - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Service": "ec2.amazonaws.com" - }, - "Action": "sts:AssumeRole" - } - ] - } - - - - - @@ -147,0 +61,4 @@ Follow the directions to [Create a component using the Image Builder console](ht +###### Important + +In the definition file, replace `latest` in the download URI (`- source: 's3://research-engineering-studio-us-east-1/releases/`latest`/res-installation-scripts.tar.gz'`) with with the exact version number (for example, `2025.06`) if your RES environment version is not the latest. +