AWS Security ChangesHomeSearch

AWS managedservices medium security documentation change

Service: managedservices · 2025-08-28 · Security-related medium

File: managedservices/latest/onboardingguide/defaults-user-role.md

Summary

Removed multiple JSON policy examples including core account access, full access permissions, audit policies, and IAM read-only policies from documentation

Security assessment

The removal of the 'AWSManagedServicesFullAccess' policy (which granted wildcard permissions to amscm/amsskms) and IAM policy deny statements for 'mc-*' roles reduces documentation examples that could lead to overprivileged accounts if followed. This change mitigates potential security risks from overly permissive policies.

Diff

diff --git a/managedservices/latest/onboardingguide/defaults-user-role.md b/managedservices/latest/onboardingguide/defaults-user-role.md
index a64fed989..6b49cfc93 100644
--- a//managedservices/latest/onboardingguide/defaults-user-role.md
+++ b//managedservices/latest/onboardingguide/defaults-user-role.md
@@ -231,36 +230,0 @@ Permissions to see all AMS change types, and the history of requested change typ
-JSON
-    
-
-****
-    
-    
-    
-    {
-    	"Version": "2012-10-17",
-    	"Statement": [{
-    		"Sid": "AMSCoreAccountsCMAndSKMSReadOnlyAccess",
-    		"Effect": "Allow",
-    		"Action": [
-    			"amscm:GetChangeTypeVersion",
-    			"amscm:GetRfc",
-    			"amscm:ListChangeTypeCategories",
-    			"amscm:ListChangeTypeClassificationSummaries",
-    			"amscm:ListChangeTypeItems",
-    			"amscm:ListChangeTypeOperations",
-    			"amscm:ListChangeTypeSubcategories",
-    			"amscm:ListChangeTypeVersionSummaries",
-    			"amscm:ListRestrictedExecutionTimes",
-    			"amscm:ListRfcSummaries",
-    			"amsskms:GetStack",
-    			"amsskms:GetSubnet",
-    			"amsskms:GetVpc",
-    			"amsskms:ListAmis",
-    			"amsskms:ListStackSummaries",
-    			"amsskms:ListSubnetSummaries",
-    			"amsskms:ListVpcSummaries"
-    		],
-    		"Resource": "*"
-    	}]
-    }
-    
-
@@ -273,29 +236,0 @@ Permissions to request the Deployment | Managed landing zone | Management accoun
-JSON
-    
-
-****
-    
-    
-    
-    {
-    	"Version": "2012-10-17",
-    	"Statement": [{
-    		"Sid": "AMSMasterAccountAccess",
-    		"Effect": "Allow",
-    		"Action": [
-    			"amscm:ApproveRfc",
-    			"amscm:CancelRfc",
-    			"amscm:CreateRfc",
-    			"amscm:RejectRfc",
-    			"amscm:SubmitRfc",
-    			"amscm:UpdateRfc",
-    			"amscm:UpdateRfcActionState",
-    			"amscm:UpdateRestrictedExecutionTimes"
-    		],
-    		"Resource": [
-    			"arn:aws:amscm:global:*:changetype/ct-1zdasmc2ewzrs:*"
-    		]
-    	}]
-    }
-    
-
@@ -308,29 +242,0 @@ Permissions to request the Deployment | Managed landing zone | Networking accoun
-JSON
-    
-
-****
-    
-    
-    
-    {
-    	"Version": "2012-10-17",
-    	"Statement": [{
-    		"Sid": "AMSNetworkingAccountAccess",
-    		"Effect": "Allow",
-    		"Action": [
-    			"amscm:ApproveRfc",
-    			"amscm:CancelRfc",
-    			"amscm:CreateRfc",
-    			"amscm:RejectRfc",
-    			"amscm:SubmitRfc",
-    			"amscm:UpdateRfc",
-    			"amscm:UpdateRfcActionState",
-    			"amscm:UpdateRestrictedExecutionTimes"
-    		],
-    		"Resource": [
-    			"arn:aws:amscm:global:*:changetype/ct-1urj94c3hdfu5:*"
-    		]
-    	}]
-    }
-    
-
@@ -343,30 +248,0 @@ Permissions to request the Management | Other | Other | Create, and Management |
-JSON
-    
-
-****
-    
-    
-    
-    {
-        "Version": "2012-10-17",
-        "Statement": [
-            {
-                "Sid": "AMSCoreAccountsAccess",
-                "Effect": "Allow",
-                "Action": [
-                    "amscm:CancelRfc",
-                    "amscm:CreateRfc",
-                    "amscm:SubmitRfc",
-                    "amscm:UpdateRfc",
-                    "amscm:UpdateRfcActionState",
-                    "amscm:UpdateRestrictedExecutionTimes"
-                ],
-                "Resource": [
-                    "arn:aws:amscm:global:*:changetype/ct-1e1xtak34nx76:*",
-                    "arn:aws:amscm:global:*:changetype/ct-0xdawir96cy7k:*"
-                ]
-            }
-        ]
-    }
-    
-
@@ -425,23 +300,0 @@ Permissions to request and view all AMS change types, and the history of request
-JSON
-    
-
-****
-    
-    
-    
-    {
-    	"Version": "2012-10-17",
-    	"Statement": [{
-    		"Sid": "AMSFullAccess",
-    		"Effect": "Allow",
-    		"Action": [
-    			"amscm:*",
-    			"amsskms:*"
-    		],
-    		"Resource": [
-    			"*"
-    		]
-    	}]
-    }
-    
-
@@ -628,25 +480,0 @@ If you have an active AWS account, then you can use this link [ReadOnlyAccess](h
-JSON
-    
-
-****
-    
-    
-    
-    {
-        "Version": "2012-10-17",
-        "Statement": [
-            {
-                "Sid": "ReadOnlyActions",
-                "Effect": "Allow",
-                "Action": [
-                    "a4b:Get*",
-                    "a4b:List*",
-                    "a4b:Search*",
-                    "access-analyzer:GetAccessPreview",
-                    "access-analyzer:GetAnalyzedResource,"
-                ]
-            }
-        ]
-    }
-    
-
@@ -669,144 +496,0 @@ Managed Services Audit Policy:
-JSON
-    
-
-****
-    
-    
-    
-    {"Version": "2012-10-17",
-      "Statement": [
-        {
-          "Sid": "BasicConsoleAccess",
-          "Effect": "Allow",
-          "Action": [
-            "aws-portal:View*",
-            "ec2-reports:View*",
-            "support:*"
-          ],