AWS transform medium security documentation change
Summary
Simplified IAM policy structure and removed multiple permissions related to SSO, directory services, and identity management
Security assessment
The removed permissions (e.g., sso:CreateApplicationAssignment, sso-directory:CreateUser) reduce excessive access, which minimizes potential privilege escalation risks. This directly addresses security by enforcing least privilege.
Diff
diff --git a/transform/latest/userguide/security_iam_id-based-policy-examples.md b/transform/latest/userguide/security_iam_id-based-policy-examples.md index bff4954d1..e4648e53e 100644 --- a//transform/latest/userguide/security_iam_id-based-policy-examples.md +++ b//transform/latest/userguide/security_iam_id-based-policy-examples.md @@ -155,66 +155 @@ JSON - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "transform:ListProfiles" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "organizations:ListAWSServiceAccessForOrganization", - "organizations:DescribeOrganization" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "sso:ListApplications", - "sso:ListInstances", - "sso:DescribeRegisteredRegions", - "sso:GetSharedSsoConfiguration", - "sso:DescribeInstance", - "sso:DescribeApplication", - "sso:GetSSOStatus", - "sso:CreateApplicationAssignment", - "sso:DeleteApplicationAssignment", - "sso:ListApplicationAssignments" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "sso-directory:CreateUser", - "sso-directory:DescribeUsers", - "sso-directory:DescribeGroups", - "sso-directory:SearchGroups", - "sso-directory:SearchUsers", - "sso-directory:DescribeGroup", - "sso-directory:DescribeUser", - "sso-directory:DescribeDirectory" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "identitystore:CreateUser", - "identitystore:ListUsers", - "identitystore:ListGroups" - ], - "Resource": [ - "*" - ] - }, - { + "Statement": [{ @@ -254,2 +188,0 @@ JSON - ] - }