AWS kendra medium security documentation change
Summary
Removed multiple detailed IAM policy JSON examples across various data source configurations and restructured trust policy examples. Added explicit security warning about avoiding Kendra principals in S3 bucket policies.
Security assessment
The removal of IAM policy examples containing critical security conditions (e.g., aws:SourceAccount/aws:SourceArn) could lead to insecure configurations if users don't implement principal constraints. The added warning about avoiding Kendra principals in bucket policies directly addresses a security best practice to prevent accidental permission grants. The restructuring of trust policies appears to consolidate security-related configurations.
Diff
diff --git a/kendra/latest/dg/iam-roles.md b/kendra/latest/dg/iam-roles.md index 11db8aeb1..7d9e4863a 100644 --- a//kendra/latest/dg/iam-roles.md +++ b//kendra/latest/dg/iam-roles.md @@ -240,31 +239,0 @@ It is recommended that you include `aws:sourceAccount` and `aws:sourceArn` in th -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Service": [ - "kendra.amazonaws.com" - ] - }, - "Action": "sts:AssumeRole", - "Condition": { - "StringEquals": { - "aws:SourceAccount": "123456789012" - }, - "StringLike": { - "aws:SourceArn": "arn:aws:kendra:your-region:123456789012:index/*" - } - } - } - ] - } - - @@ -511,60 +479,0 @@ You can connect an Aurora (MySQL) data source to Amazon Kendra through Amazon VP -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "secretsmanager:GetSecretValue" - ], - "Resource": [ - "arn:aws:secretsmanager:us-east-1:{111122223333}:secret:secret_id" - ] - }, - { - "Effect": "Allow", - "Action": [ - "kms:Decrypt" - ], - "Resource": [ - "arn:aws:kms:us-east-1:{111122223333}:key/key_id" - ], - "Condition": { - "StringLike": { - "kms:ViaService": [ - "secretsmanager.*.amazonaws.com" - ] - } - } - }, - { - "Effect": "Allow", - "Action": [ - "kendra:PutPrincipalMapping", - "kendra:DeletePrincipalMapping", - "kendra:ListGroupsOlderThanOrderingId", - "kendra:DescribePrincipalMapping" - ], - "Resource": [ - "arn:aws:kendra:us-east-1:{111122223333}:index/index_id", - "arn:aws:kendra:us-east-1:{111122223333}:index/index_id/data-source/*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "kendra:BatchPutDocument", - "kendra:BatchDeleteDocument" - ], - "Resource": "arn:aws:kendra:us-east-1:{111122223333}:index/index_id" - } - ] - } - - @@ -609,60 +517,0 @@ You can connect an Aurora (PostgreSQL) data source to Amazon Kendra through Amaz -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "secretsmanager:GetSecretValue" - ], - "Resource": [ - "arn:aws:secretsmanager:us-east-1:{111122223333}:secret:secret_id" - ] - }, - { - "Effect": "Allow", - "Action": [ - "kms:Decrypt" - ], - "Resource": [ - "arn:aws:kms:us-east-1:{111122223333}:key/key_id" - ], - "Condition": { - "StringLike": { - "kms:ViaService": [ - "secretsmanager.*.amazonaws.com" - ] - } - } - }, - { - "Effect": "Allow", - "Action": [ - "kendra:PutPrincipalMapping", - "kendra:DeletePrincipalMapping", - "kendra:ListGroupsOlderThanOrderingId", - "kendra:DescribePrincipalMapping" - ], - "Resource": [ - "arn:aws:kendra:us-east-1:{111122223333}:index/index_id", - "arn:aws:kendra:us-east-1:{111122223333}:index/index_id/data-source/*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "kendra:BatchPutDocument", - "kendra:BatchDeleteDocument" - ], - "Resource": "arn:aws:kendra:us-east-1:{111122223333}:index/index_id" - } - ] - } - - @@ -707,110 +555,0 @@ When you use Amazon FSx, you provide a role with the following policies. -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "secretsmanager:GetSecretValue" - ], - "Resource": [ - "arn:aws:secretsmanager:us-east-1:123456789012:secret:secret-id" - ] - }, - { - "Effect": "Allow", - "Action": [ - "kms:Decrypt" - ], - "Resource": [ - "arn:aws:kms:us-east-1:123456789012:key/key-id" - ], - "Condition": { - "StringLike": { - "kms:ViaService": [ - "secretsmanager.us-east-1.amazonaws.com" - ] - } - } - }, - { - "Effect": "Allow", - "Action": [ - "ec2:CreateNetworkInterface", - "ec2:DeleteNetworkInterface" - ],