AWS documentdb documentation change
Summary
Removed a detailed IAM policy example for DocumentDB CloudFormation quick start
Security assessment
The removed content was a sample IAM policy showing required permissions. While IAM policies relate to security, the removal does not indicate a specific security issue being addressed. This appears to be routine documentation cleanup rather than addressing a vulnerability.
Diff
diff --git a/documentdb/latest/developerguide/quick_start_cfn.md b/documentdb/latest/developerguide/quick_start_cfn.md index e8c728e61..51b5498b8 100644 --- a//documentdb/latest/developerguide/quick_start_cfn.md +++ b//documentdb/latest/developerguide/quick_start_cfn.md @@ -64,117 +63,0 @@ In the following examples, replace each `user input placeholder` with your resou -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "DocDBPermissions", - "Effect": "Allow", - "Action": [ - "rds:CreateDBCluster", - "rds:DeleteDBCluster", - "rds:ModifyDBCluster", - "rds:DescribeDBClusters", - "rds:CreateDBInstance", - "rds:DeleteDBInstance", - "rds:ModifyDBInstance", - "rds:DescribeDBInstances", - "rds:CreateDBSubnetGroup", - "rds:DeleteDBSecurityGroup", - "rds:DescribeDBSubnetGroups" - ], - "Resource": [ - "arn:aws:rds:{AWS_REGION}:{AWS_ACCOUNT_ID}:cluster:*", - "arn:aws:rds:{AWS_REGION}:{AWS_ACCOUNT_ID}:db:*", - "arn:aws:rds:{AWS_REGION}:{AWS_ACCOUNT_ID}:subgrp:*" - ] - }, - { - "Sid": "EC2NetworkingPermissions", - "Effect": "Allow", - "Action": [ - "ec2:CreateSecurityGroup", - "ec2:DeleteSecurityGroup", - "ec2:DescribeSecurityGroups", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:RevokeSecurityGroupIngress", - "ec2:DescribeVpcs", - "ec2:DescribeSubnets" - ], - "Resource": [ - "arn:aws:ec2:{AWS_REGION}:{AWS_ACCOUNT_ID}:security-group/*", - "arn:aws:ec2:{AWS_REGION}:{AWS_ACCOUNT_ID}:vpc/*", - "arn:aws:ec2:{AWS_REGION}:{AWS_ACCOUNT_ID}:subnet/*" - ] - }, - { - "Sid": "EC2DescribePermissions", - "Effect": "Allow", - "Action": [ - "ec2:DescribeAvailabilityZones" - ], - "Resource": "*" - }, - { - "Sid": "CloudWatchLogsPermissions", - "Effect": "Allow", - "Action": [ - "cloudwatch:PutMetricData", - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents", - "logs:DescribeLogStreams" - ], - "Resource": [ - "arn:aws:logs:us-east-1:{AWS_ACCOUNT_ID}:log-group:/aws/docdb/*", - "arn:aws:logs:us-east-1:{AWS_ACCOUNT_ID}:log-group:/aws/docdb/*:log-stream:*" - ] - }, - { - "Sid": "KMSPermissions", - "Effect": "Allow", - "Action": [ - "kms:CreateKey", - "kms:DescribeKey", - "kms:EnableKey", - "kms:ListKeys", - "kms:PutKeyPolicy" - ], - "Resource": "arn:aws:kms:us-east-1:{AWS_ACCOUNT_ID}:key/*" - }, - { - "Sid": "KMSEncryption", - "Effect": "Allow", - "Action": [ - "kms:Encrypt", - "kms:Decrypt", - "kms:GenerateDataKey" - ], - "Resource": "arn:aws:kms:us-east-1:{AWS_ACCOUNT_ID}:key/*", - "Condition": { - "StringEquals": { - "kms:ViaService": [ - "rds.us-east-1.amazonaws.com" - ] - } - } - }, - { - "Sid": "IAMServiceLinkedRole", - "Effect": "Allow", - "Action": "iam:CreateServiceLinkedRole", - "Resource": "arn:aws:iam::111122223333:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS", - "Condition": { - "StringEquals": { - "iam:AWSServiceName": "rds.amazonaws.com" - } - } - } - ] - } - -