AWS Security ChangesHomeSearch

AWS res documentation change

Service: res · 2025-08-13 · Documentation medium

File: res/latest/ug/res-ready-ami.md

Summary

Removed detailed IAM policy/role creation steps and added a note to use exact version numbers instead of 'latest' in download URIs

Security assessment

The change emphasizes specifying exact version numbers to avoid using potentially unstable 'latest' versions, which is a security best practice for version pinning. However, there's no direct evidence of addressing a specific security vulnerability.

Diff

diff --git a/res/latest/ug/res-ready-ami.md b/res/latest/ug/res-ready-ami.md
index c57b0ccd6..ee0d7a11e 100644
--- a//res/latest/ug/res-ready-ami.md
+++ b//res/latest/ug/res-ready-ami.md
@@ -45,87 +44,0 @@ To access the RES environment service from EC2 Image Builder, you must create or
-  1. Start by creating a new policy that will be attached to your role: **IAM** -> **Policies** -> **Create policy**
-
-  2. Select **JSON** from the policy editor.
-
-  3. Copy and paste the policy shown here into the editor, replacing your desired `{AWS-Region}`, `{AWS-Account-ID}`, and `{RES-EnvironmentName}` where applicable.
-
-**RES policy:**
-
-JSON
-    
-
-****
-    
-    
-        {
-        "Version": "2012-10-17",
-        "Statement": [
-            {
-                "Sid": "RESDynamoDBAccess",
-                "Effect": "Allow",
-                "Action": "dynamodb:GetItem",
-                "Resource": "arn:aws:dynamodb:us-east-1:{AWS-Account-ID}:table/{RES-EnvironmentName}.cluster-settings",
-                "Condition": {
-                    "ForAllValues:StringLike": {
-                        "dynamodb:LeadingKeys": [
-                            "global-settings.gpu_settings.*",
-                            "global-settings.package_config.*",
-                            "cluster-manager.host_modules.*",
-                            "identity-provider.cognito.enable_native_user_login"
-                        ]
-                    }
-                }
-            },
-            {
-                "Sid": "RESS3Access",
-                "Effect": "Allow",
-                "Action": "s3:GetObject",
-                "Resource": [
-                    "arn:aws:s3:::{RES-EnvironmentName}-cluster-{AWS-Region}-{AWS-Account-ID}/idea/vdc/res-ready-install-script-packages/*",
-                    "arn:aws:s3:::research-engineering-studio-{AWS-Region}/host_modules/*"
-                ]
-            }
-        ]
-    }
-    
-
-  4. Choose **Next** and provide a name and optional description to complete the policy creation. 
-
-  5. To create the role, start by going to **IAM** -> **Roles** -> **Create role**.
-
-  6. Under **Trusted Entity Type** , select **"AWS service"**.
-
-  7. Select **EC2** in the **Service or use case** drop down.
-
-  8. In the **Use case** section, select **EC2** , then choose **Next**.
-
-  9. Search for and then select the name of the policy you previously created.
-
-  10. Choose **Next** and provide a name and optional description to complete the role creation.
-
-  11. Select your new role and verify that the Trust relationship matches the following:
-
-**Trusted relationship entity:**
-
-JSON
-    
-
-****
-    
-    
-        {
-        "Version": "2012-10-17",
-        "Statement": [
-            {
-                "Effect": "Allow",
-                "Principal": {
-                    "Service": "ec2.amazonaws.com"
-                },
-                "Action": "sts:AssumeRole"
-            }
-        ]
-    }
-    
-
-
-
-
@@ -147,0 +61,4 @@ Follow the directions to [Create a component using the Image Builder console](ht
+###### Important
+
+In the definition file, replace `latest` in the download URI (`- source: 's3://research-engineering-studio-us-east-1/releases/`latest`/res-installation-scripts.tar.gz'`) with with the exact version number (for example, `2025.06`) if your RES environment version is not the latest.
+