AWS dms documentation change
Summary
Removed two JSON policy examples - one comprehensive DMS policy and one tag-based conditional access policy
Security assessment
While the examples demonstrated permission management patterns, their removal doesn't directly indicate addressing a security vulnerability. The tag-based conditional policy showed access control patterns but wasn't explicitly security-focused.
Diff
diff --git a/dms/latest/userguide/security_iam_id-based-policy-examples.md b/dms/latest/userguide/security_iam_id-based-policy-examples.md index 98a3d8a5e..fa938e8c4 100644 --- a//dms/latest/userguide/security_iam_id-based-policy-examples.md +++ b//dms/latest/userguide/security_iam_id-based-policy-examples.md @@ -51,71 +50,0 @@ The following policy gives you access to AWS DMS, including the AWS DMS console, -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": "dms:*", - "Resource": "arn:aws:dms:region:account:resourcetype/id" - }, - { - "Effect": "Allow", - "Action": [ - "kms:ListAliases", - "kms:DescribeKey" - ], - "Resource": "arn:aws:service:region:account:resourcetype/id" - }, - { - "Effect": "Allow", - "Action": [ - "iam:GetRole", - "iam:PassRole", - "iam:CreateRole", - "iam:AttachRolePolicy" - ], - "Resource": "arn:aws:service:region:account:resourcetype/id" - }, - { - "Effect": "Allow", - "Action": [ - "ec2:DescribeVpcs", - "ec2:DescribeInternetGateways", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeSubnets", - "ec2:DescribeSecurityGroups", - "ec2:ModifyNetworkInterfaceAttribute", - "ec2:CreateNetworkInterface", - "ec2:DeleteNetworkInterface" - ], - "Resource": "arn:aws:service:region:account:resourcetype/id" - }, - { - "Effect": "Allow", - "Action": [ - "cloudwatch:Get*", - "cloudwatch:List*" - ], - "Resource": "arn:aws:service:region:account:resourcetype/id" - }, - { - "Effect": "Allow", - "Action": [ - "logs:DescribeLogGroups", - "logs:DescribeLogStreams", - "logs:FilterLogEvents", - "logs:GetLogEvents" - ], - "Resource": "arn:aws:service:region:account:resourcetype/id" - } - ] - } - - - - @@ -286,22 +214,0 @@ You can use conditions in your identity-based policy to control access to AWS DM -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": ":*", - "Resource": "arn:aws::*:*:endpoint/*", - "Condition": { - "StringEquals": {":endpoint-tag/Owner": "${aws:username}"} - } - } - ] - } - -