AWS guardduty documentation change
Summary
Removed detailed IAM policy configuration for GuardDuty malware protection service-linked role permissions
Security assessment
The change removes documentation of IAM policies but does not indicate a security vulnerability fix. This appears to be documentation cleanup rather than addressing a specific security issue. However, removing security-related IAM policy examples could indirectly impact users' ability to configure secure permissions if not properly replaced elsewhere.
Diff
diff --git a/guardduty/latest/ug/slr-permissions-malware-protection.md b/guardduty/latest/ug/slr-permissions-malware-protection.md index d24ee2fd9..f5c133100 100644 --- a//guardduty/latest/ug/slr-permissions-malware-protection.md +++ b//guardduty/latest/ug/slr-permissions-malware-protection.md @@ -244,179 +243,0 @@ JSON -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [{ - "Sid": "DescribeAndListPermissions", - "Effect": "Allow", - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeVolumes", - "ec2:DescribeSnapshots", - "ecs:ListClusters", - "ecs:ListContainerInstances", - "ecs:ListTasks", - "ecs:DescribeTasks", - "eks:DescribeCluster" - ], - "Resource": "*" - }, - { - "Sid": "CreateSnapshotVolumeConditionalStatement", - "Effect": "Allow", - "Action": "ec2:CreateSnapshot", - "Resource": "arn:aws:ec2:*:*:volume/*", - "Condition": { - "Null": { - "aws:ResourceTag/GuardDutyExcluded": "true" - } - } - }, - { - "Sid": "CreateSnapshotConditionalStatement", - "Effect": "Allow", - "Action": "ec2:CreateSnapshot", - "Resource": "arn:aws:ec2:*:*:snapshot/*", - "Condition": { - "ForAnyValue:StringEquals": { - "aws:TagKeys": "GuardDutyScanId" - } - } - }, - { - "Sid": "CreateTagsPermission", - "Effect": "Allow", - "Action": "ec2:CreateTags", - "Resource": "arn:aws:ec2:*:*:*/*", - "Condition": { - "StringEquals": { - "ec2:CreateAction": "CreateSnapshot" - } - } - }, - { - "Sid": "AddTagsToSnapshotPermission", - "Effect": "Allow", - "Action": "ec2:CreateTags", - "Resource": "arn:aws:ec2:*:*:snapshot/*", - "Condition": { - "StringLike": { - "ec2:ResourceTag/GuardDutyScanId": "*" - }, - "ForAllValues:StringEquals": { - "aws:TagKeys": [ - "GuardDutyExcluded", - "GuardDutyFindingDetected" - ] - } - } - }, - { - "Sid": "DeleteAndShareSnapshotPermission", - "Effect": "Allow", - "Action": [ - "ec2:DeleteSnapshot", - "ec2:ModifySnapshotAttribute" - ], - "Resource": "arn:aws:ec2:*:*:snapshot/*", - "Condition": { - "StringLike": { - "ec2:ResourceTag/GuardDutyScanId": "*" - }, - "Null": { - "aws:ResourceTag/GuardDutyExcluded": "true" - } - } - }, - { - "Sid": "PreventPublicAccessToSnapshotPermission", - "Effect": "Deny", - "Action": [ - "ec2:ModifySnapshotAttribute" - ], - "Resource": "arn:aws:ec2:*:*:snapshot/*", - "Condition": { - "StringEquals": { - "ec2:Add/group": "all" - } - } - }, - { - "Sid": "CreateGrantPermission", - "Effect": "Allow", - "Action": "kms:CreateGrant", - "Resource": "arn:aws:kms:*:*:key/*", - "Condition": { - "Null": { - "aws:ResourceTag/GuardDutyExcluded": "true" - }, - "StringLike": { - "kms:EncryptionContext:aws:ebs:id": "snap-*" - }, - "ForAllValues:StringEquals": { - "kms:GrantOperations": [ - "Decrypt", - "CreateGrant", - "GenerateDataKeyWithoutPlaintext", - "ReEncryptFrom", - "ReEncryptTo", - "RetireGrant", - "DescribeKey" - ] - }, - "Bool": { - "kms:GrantIsForAWSResource": "true" - } - } - }, - { - "Sid": "ShareSnapshotKMSPermission", - "Effect": "Allow", - "Action": [ - "kms:ReEncryptTo", - "kms:ReEncryptFrom" - ], - "Resource": "arn:aws:kms:*:*:key/*", - "Condition": { - "StringLike": { - "kms:ViaService": "ec2.*.amazonaws.com" - }, - "Null": { - "aws:ResourceTag/GuardDutyExcluded": "true" - } - } - }, - { - "Sid": "DescribeKeyPermission", - "Effect": "Allow", - "Action": "kms:DescribeKey", - "Resource": "arn:aws:kms:*:*:key/*" - }, - { - "Sid": "GuardDutyLogGroupPermission", - "Effect": "Allow", - "Action": [ - "logs:DescribeLogGroups", - "logs:CreateLogGroup", - "logs:PutRetentionPolicy" - ], - "Resource": "arn:aws:logs:*:*:log-group:/aws/guardduty/*" - }, - { - "Sid": "GuardDutyLogStreamPermission", - "Effect": "Allow", - "Action": [ - "logs:CreateLogStream", - "logs:PutLogEvents", - "logs:DescribeLogStreams" - ], - "Resource": "arn:aws:logs:*:*:log-group:/aws/guardduty/*:log-stream:*" - } - ] - } - -