AWS AWSEC2 medium security documentation change
Summary
Added multiple JSON code block markers and section dividers (****) throughout policy examples, and modified two Statement IDs (Sid) to remove spaces/hyphens in policy examples
Security assessment
The Sid changes correct invalid characters in policy statement IDs (from 'DenySpotInstancesRequests - NOT SUPPORTED - DO NOT USE!' to valid format 'DenySpotInstancesRequestsNOTSUPPORTEDDONOTUSE'). AWS IAM requires SIDs to be alphanumeric - using invalid formats could lead to policy enforcement failures. This prevents misconfigurations that might inadvertently allow unauthorized actions if policies fail to apply correctly.
Diff
diff --git a/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.md b/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.md index 4df0355db..f0784175b 100644 --- a//AWSEC2/latest/UserGuide/ExamplePolicies_EC2.md +++ b//AWSEC2/latest/UserGuide/ExamplePolicies_EC2.md @@ -51,0 +52,6 @@ Users don't have permission to perform any actions on the resources (unless anot +JSON + + +**** + + @@ -67,0 +75,6 @@ The following policy denies users permission to use all Amazon EC2 API actions u +JSON + + +**** + + @@ -86,0 +101,6 @@ Alternatively, you can use the condition key `ec2:Region`, which is specific to +JSON + + +**** + + @@ -120,0 +142,6 @@ The users don't have permission to use any other API actions (unless another sta +JSON + + +**** + + @@ -152,0 +181,6 @@ The third statement allows users to terminate all instances in the `us-east-1` R +JSON + + +**** + + @@ -219,0 +255,6 @@ The following policy allows users to launch instances using only the specified A +JSON + + +**** + + @@ -242,0 +285,6 @@ Alternatively, the following policy allows users to launch instances from all AM +JSON + + +**** + + @@ -277,0 +327,6 @@ The following policy allows users to launch instances using only the `t2.micro` +JSON + + +**** + + @@ -310,0 +367,6 @@ Alternatively, you can create a policy that denies users permissions to launch a +JSON + + +**** + + @@ -346,0 +410,6 @@ The following policy allows users to launch instances using only the specified s +JSON + + +**** + + @@ -368,0 +439,6 @@ Alternatively, you could create a policy that denies users permissions to launch +JSON + + +**** + + @@ -404,0 +482,6 @@ The following policy allows users to launch instances only if the EBS volumes fo +JSON + + +**** + + @@ -443,0 +528,6 @@ For more information, see [Grant permission to tag Amazon EC2 resources during c +JSON + + +**** + + @@ -473,0 +565,6 @@ The following policy includes the `aws:RequestTag` condition key that requires u +JSON + + +**** + + @@ -525,0 +624,6 @@ The following policy uses the `ForAnyValue` modifier on the `aws:TagKeys` condit +JSON + + +**** + + @@ -576,0 +682,6 @@ In the following policy, users do not have to specify tags in the request, but i +JSON + + +**** + + @@ -608,0 +721,6 @@ To disallow anyone called tag on create for RunInstances +JSON + + +**** + + @@ -639,0 +759,6 @@ Only allow specific tags for spot-instances-request. Surprise inconsistency numb +JSON + + +**** + + @@ -676,0 +803,6 @@ In the following example, users can launch instances, but only if they use a spe +JSON + + +**** + + @@ -714,0 +848,6 @@ The `ec2:ElasticGpuType` condition key ensures that instances use either the `eg +JSON + + +**** + + @@ -756,0 +897,6 @@ In the following example, users can launch instances, but only if they use a spe +JSON + + +**** + + @@ -775,0 +923,6 @@ In this example, users can launch instances only if they use a launch template. +JSON + + +**** + + @@ -797,0 +952,6 @@ The following example policy allows user to launch instances, but only if they u +JSON + + +**** + + @@ -831,0 +993,6 @@ The following example allows users to launch instances only if they use a launch +JSON + + +**** + + @@ -895,0 +1064,6 @@ To use RunInstances to create Spot Instance requests, you can omit `spot-instanc +JSON + + +**** + + @@ -927,0 +1103,6 @@ The following policy is meant to give users the permission to launch On-Demand I +JSON + + +**** + + @@ -949 +1130 @@ The following policy is meant to give users the permission to launch On-Demand I - "Sid": "DenySpotInstancesRequests - NOT SUPPORTED - DO NOT USE!", + "Sid": "DenySpotInstancesRequestsNOTSUPPORTEDDONOTUSE", @@ -964,0 +1147,6 @@ If you tag a Spot Instance request on create, Amazon EC2 evaluates the `spot-ins +JSON + + +**** + + @@ -1000,0 +1190,6 @@ The first statement allows RunInstances to create the listed resources. The `spo +JSON + +