AWS firehose documentation change
Summary
Updated example ARNs with specific values. Incorrectly modified KMS ViaService to a key ARN instead of service endpoint and adjusted encryption context formatting.
Security assessment
The KMS ViaService change introduces an invalid value (key ARN instead of service principal), which could lead to policy misconfiguration. However, this is a documentation error rather than a security fix.
Diff
diff --git a/firehose/latest/dev/database-as-source-grant-access.md b/firehose/latest/dev/database-as-source-grant-access.md index 40725ec08..370b9cb2d 100644 --- a//firehose/latest/dev/database-as-source-grant-access.md +++ b//firehose/latest/dev/database-as-source-grant-access.md @@ -39,3 +39,3 @@ JSON - "arn:aws:glue:<region>:<aws-account-id>:catalog", - "arn:aws:glue:<region>:<aws-account-id>:database/*", - "arn:aws:glue:<region>:<aws-account-id>:table/*/*" + "arn:aws:glue:us-east-1:111122223333:catalog", + "arn:aws:glue:us-east-1:111122223333:database/*", + "arn:aws:glue:us-east-1:111122223333:table/*/*" @@ -56,2 +56,2 @@ JSON - "arn:aws:s3:::amzn-s3-demo-bucket", - "arn:aws:s3:::amzn-s3-demo-bucket/*" + "arn:aws::s3:::amzn-s3-demo-bucket", + "arn:aws::s3:::amzn-s3-demo-bucket/*" @@ -67 +67 @@ JSON - "arn:aws:kms:<region>:<aws-account-id>:key/<key-id>" + "arn:aws::kms:us-east-1:123456789012:key/<key-id>" @@ -71 +71 @@ JSON - "kms:ViaService": "s3.region.amazonaws.com" + "kms:ViaService": "arn:aws::kms:us-east-1:123456789012:key/s3" @@ -74 +74 @@ JSON - "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::amzn-s3-demo-bucket/prefix*" + "kms:EncryptionContext:aws:s3:arn": "arn:aws::s3:::amzn-s3-demo-bucket/prefix*" @@ -84 +84 @@ JSON - "arn:aws:logs:<region>:<aws-account-id>:log-group:<log-group-name>:log-stream:<log-stream-name>" + "arn:aws::logs:"us-east-1:111122223333:log-group:log-group-name>:log-stream:log-stream-name>" @@ -90 +90 @@ JSON - "Resource": "<Secret ARN>" + "Resource": "arn:aws::secretsmanager:us-east-1:123456789012:secret:mySecret-abc123>"