AWS Security ChangesHomeSearch

AWS AWSEC2 medium security documentation change

Service: AWSEC2 · 2025-08-16 · Security-related medium

File: AWSEC2/latest/UserGuide/ExamplePolicies_EC2.md

Summary

Added multiple JSON code block markers and section dividers (****) throughout policy examples, and modified two Statement IDs (Sid) to remove spaces/hyphens in policy examples

Security assessment

The Sid changes correct invalid characters in policy statement IDs (from 'DenySpotInstancesRequests - NOT SUPPORTED - DO NOT USE!' to valid format 'DenySpotInstancesRequestsNOTSUPPORTEDDONOTUSE'). AWS IAM requires SIDs to be alphanumeric - using invalid formats could lead to policy enforcement failures. This prevents misconfigurations that might inadvertently allow unauthorized actions if policies fail to apply correctly.

Diff

diff --git a/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.md b/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.md
index 4df0355db..f0784175b 100644
--- a//AWSEC2/latest/UserGuide/ExamplePolicies_EC2.md
+++ b//AWSEC2/latest/UserGuide/ExamplePolicies_EC2.md
@@ -51,0 +52,6 @@ Users don't have permission to perform any actions on the resources (unless anot
+JSON
+    
+
+****
+    
+    
@@ -67,0 +75,6 @@ The following policy denies users permission to use all Amazon EC2 API actions u
+JSON
+    
+
+****
+    
+    
@@ -86,0 +101,6 @@ Alternatively, you can use the condition key `ec2:Region`, which is specific to
+JSON
+    
+
+****
+    
+    
@@ -120,0 +142,6 @@ The users don't have permission to use any other API actions (unless another sta
+JSON
+    
+
+****
+    
+    
@@ -152,0 +181,6 @@ The third statement allows users to terminate all instances in the `us-east-1` R
+JSON
+    
+
+****
+    
+    
@@ -219,0 +255,6 @@ The following policy allows users to launch instances using only the specified A
+JSON
+    
+
+****
+    
+    
@@ -242,0 +285,6 @@ Alternatively, the following policy allows users to launch instances from all AM
+JSON
+    
+
+****
+    
+    
@@ -277,0 +327,6 @@ The following policy allows users to launch instances using only the `t2.micro`
+JSON
+    
+
+****
+    
+    
@@ -310,0 +367,6 @@ Alternatively, you can create a policy that denies users permissions to launch a
+JSON
+    
+
+****
+    
+    
@@ -346,0 +410,6 @@ The following policy allows users to launch instances using only the specified s
+JSON
+    
+
+****
+    
+    
@@ -368,0 +439,6 @@ Alternatively, you could create a policy that denies users permissions to launch
+JSON
+    
+
+****
+    
+    
@@ -404,0 +482,6 @@ The following policy allows users to launch instances only if the EBS volumes fo
+JSON
+    
+
+****
+    
+    
@@ -443,0 +528,6 @@ For more information, see [Grant permission to tag Amazon EC2 resources during c
+JSON
+    
+
+****
+    
+    
@@ -473,0 +565,6 @@ The following policy includes the `aws:RequestTag` condition key that requires u
+JSON
+    
+
+****
+    
+    
@@ -525,0 +624,6 @@ The following policy uses the `ForAnyValue` modifier on the `aws:TagKeys` condit
+JSON
+    
+
+****
+    
+    
@@ -576,0 +682,6 @@ In the following policy, users do not have to specify tags in the request, but i
+JSON
+    
+
+****
+    
+    
@@ -608,0 +721,6 @@ To disallow anyone called tag on create for RunInstances
+JSON
+    
+
+****
+    
+    
@@ -639,0 +759,6 @@ Only allow specific tags for spot-instances-request. Surprise inconsistency numb
+JSON
+    
+
+****
+    
+    
@@ -676,0 +803,6 @@ In the following example, users can launch instances, but only if they use a spe
+JSON
+    
+
+****
+    
+    
@@ -714,0 +848,6 @@ The `ec2:ElasticGpuType` condition key ensures that instances use either the `eg
+JSON
+    
+
+****
+    
+    
@@ -756,0 +897,6 @@ In the following example, users can launch instances, but only if they use a spe
+JSON
+    
+
+****
+    
+    
@@ -775,0 +923,6 @@ In this example, users can launch instances only if they use a launch template.
+JSON
+    
+
+****
+    
+    
@@ -797,0 +952,6 @@ The following example policy allows user to launch instances, but only if they u
+JSON
+    
+
+****
+    
+    
@@ -831,0 +993,6 @@ The following example allows users to launch instances only if they use a launch
+JSON
+    
+
+****
+    
+    
@@ -895,0 +1064,6 @@ To use RunInstances to create Spot Instance requests, you can omit `spot-instanc
+JSON
+    
+
+****
+    
+    
@@ -927,0 +1103,6 @@ The following policy is meant to give users the permission to launch On-Demand I
+JSON
+    
+
+****
+    
+    
@@ -949 +1130 @@ The following policy is meant to give users the permission to launch On-Demand I
-                "Sid": "DenySpotInstancesRequests - NOT SUPPORTED - DO NOT USE!",
+                "Sid": "DenySpotInstancesRequestsNOTSUPPORTEDDONOTUSE",
@@ -964,0 +1147,6 @@ If you tag a Spot Instance request on create, Amazon EC2 evaluates the `spot-ins
+JSON
+    
+
+****
+    
+    
@@ -1000,0 +1190,6 @@ The first statement allows RunInstances to create the listed resources. The `spo
+JSON
+    
+