AWS guardduty documentation change
Summary
Removed multiple IAM policy examples for GuardDuty service-linked roles including malware protection permissions
Security assessment
This removes redundant IAM policy documentation but does not directly address security vulnerabilities. The deletion of security configuration examples could lead to misconfigurations if users rely on outdated documentation, but there's no evidence of an active security issue being patched.
Diff
diff --git a/guardduty/latest/ug/slr-permissions.md b/guardduty/latest/ug/slr-permissions.md index cb6d5183b..f181cb637 100644 --- a//guardduty/latest/ug/slr-permissions.md +++ b//guardduty/latest/ug/slr-permissions.md @@ -302,146 +301,0 @@ JSON -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeImages", - "ec2:DescribeVpcEndpoints", - "ec2:DescribeSubnets", - "ec2:DescribeVpcPeeringConnections", - "ec2:DescribeTransitGatewayAttachments", - "organizations:ListAccounts", - "organizations:DescribeAccount", - "s3:GetBucketPublicAccessBlock", - "s3:GetEncryptionConfiguration", - "s3:GetBucketTagging", - "s3:GetAccountPublicAccessBlock", - "s3:ListAllMyBuckets", - "s3:GetBucketAcl", - "s3:GetBucketPolicy", - "s3:GetBucketPolicyStatus", - "lambda:GetFunctionConfiguration", - "lambda:ListTags" - ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": "iam:CreateServiceLinkedRole", - "Resource": "*", - "Condition": { - "StringEquals": { - "iam:AWSServiceName": "malware-protection.guardduty.amazonaws.com" - } - } - } - ] - } - - -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeImages", - "ec2:DescribeVpcEndpoints", - "ec2:DescribeSubnets", - "ec2:DescribeVpcPeeringConnections", - "ec2:DescribeTransitGatewayAttachments", - "organizations:ListAccounts", - "organizations:DescribeAccount", - "s3:GetBucketPublicAccessBlock", - "s3:GetEncryptionConfiguration", - "s3:GetBucketTagging", - "s3:GetAccountPublicAccessBlock", - "s3:ListAllMyBuckets", - "s3:GetBucketAcl", - "s3:GetBucketPolicy", - "s3:GetBucketPolicyStatus", - "lambda:GetFunctionConfiguration", - "lambda:ListTags" - ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": "iam:CreateServiceLinkedRole", - "Resource": "*", - "Condition": { - "StringEquals": { - "iam:AWSServiceName": "malware-protection.guardduty.amazonaws.com" - } - } - } - ] - } - - -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "GuardDutyGetDescribeListPolicy", - "Effect": "Allow", - "Action": [ - "ec2:DescribeInstances", - "ec2:DescribeImages", - "ec2:DescribeVpcEndpoints", - "ec2:DescribeSubnets", - "ec2:DescribeVpcPeeringConnections", - "ec2:DescribeTransitGatewayAttachments", - "organizations:ListAccounts", - "organizations:DescribeAccount", - "s3:GetBucketPublicAccessBlock", - "s3:GetEncryptionConfiguration", - "s3:GetBucketTagging", - "s3:GetAccountPublicAccessBlock", - "s3:ListAllMyBuckets", - "s3:GetBucketAcl", - "s3:GetBucketPolicy", - "s3:GetBucketPolicyStatus", - "lambda:GetFunctionConfiguration", - "lambda:ListTags" - ], - "Resource": "*" - }, - { - "Sid": "GuardDutyCreateSLRPolicy", - "Effect": "Allow", - "Action": "iam:CreateServiceLinkedRole", - "Resource": "*", - "Condition": { - "StringEquals": { - "iam:AWSServiceName": "malware-protection.guardduty.amazonaws.com" - } - } - } - ] - } - -