AWS ebs documentation change
Summary
Removed JSON policy examples for EBS direct API permissions and KMS operations
Security assessment
Removal of example IAM policies does not indicate a security fix but rather documentation cleanup. No evidence of addressing vulnerabilities.
Diff
diff --git a/ebs/latest/userguide/ebsapi-permissions.md b/ebs/latest/userguide/ebsapi-permissions.md index b901ecab9..393cd3ec4 100644 --- a//ebs/latest/userguide/ebsapi-permissions.md +++ b//ebs/latest/userguide/ebsapi-permissions.md @@ -17,25 +16,0 @@ The following policy allows the _read_ EBS direct APIs to be used on all snapsho -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "AllowEBSDirectAPIReadOperations", - "Effect": "Allow", - "Action": [ - "ebs:ListSnapshotBlocks", - "ebs:ListChangedBlocks", - "ebs:GetSnapshotBlock" - ], - "Resource": "arn:aws:ec2:*::snapshot/*" - } - ] - } - - - @@ -109,25 +83,0 @@ The following policy allows the _write_ EBS direct APIs to be used on all snapsh -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "AllowEBSDirectAPIOperations", - "Effect": "Allow", - "Action": [ - "ebs:StartSnapshot", - "ebs:PutSnapshotBlock", - "ebs:CompleteSnapshot" - ], - "Resource": "arn:aws:ec2:*::snapshot/*" - } - ] - } - - - @@ -266,35 +215,0 @@ To follow the principle of least privilege, do not allow full access to `kms:Cre -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "AllowKMSOperationsForEBS", - "Effect": "Allow", - "Action": [ - "kms:Encrypt", - "kms:Decrypt", - "kms:GenerateDataKey", - "kms:GenerateDataKeyWithoutPlaintext", - "kms:ReEncrypt*", - "kms:CreateGrant", - "ec2:CreateTags", - "kms:DescribeKey" - ], - "Resource": "arn:aws:kms:*:<AccountId>:key/<KeyId>", - "Condition": { - "Bool": { - "kms:GrantIsForAWSResource": true - } - } - } - ] - } - - -