AWS managedservices medium security documentation change
Summary
Removed multiple JSON policy examples including core account access, full access permissions, audit policies, and IAM read-only policies from documentation
Security assessment
The removal of the 'AWSManagedServicesFullAccess' policy (which granted wildcard permissions to amscm/amsskms) and IAM policy deny statements for 'mc-*' roles reduces documentation examples that could lead to overprivileged accounts if followed. This change mitigates potential security risks from overly permissive policies.
Diff
diff --git a/managedservices/latest/onboardingguide/defaults-user-role.md b/managedservices/latest/onboardingguide/defaults-user-role.md index a64fed989..6b49cfc93 100644 --- a//managedservices/latest/onboardingguide/defaults-user-role.md +++ b//managedservices/latest/onboardingguide/defaults-user-role.md @@ -231,36 +230,0 @@ Permissions to see all AMS change types, and the history of requested change typ -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [{ - "Sid": "AMSCoreAccountsCMAndSKMSReadOnlyAccess", - "Effect": "Allow", - "Action": [ - "amscm:GetChangeTypeVersion", - "amscm:GetRfc", - "amscm:ListChangeTypeCategories", - "amscm:ListChangeTypeClassificationSummaries", - "amscm:ListChangeTypeItems", - "amscm:ListChangeTypeOperations", - "amscm:ListChangeTypeSubcategories", - "amscm:ListChangeTypeVersionSummaries", - "amscm:ListRestrictedExecutionTimes", - "amscm:ListRfcSummaries", - "amsskms:GetStack", - "amsskms:GetSubnet", - "amsskms:GetVpc", - "amsskms:ListAmis", - "amsskms:ListStackSummaries", - "amsskms:ListSubnetSummaries", - "amsskms:ListVpcSummaries" - ], - "Resource": "*" - }] - } - - @@ -273,29 +236,0 @@ Permissions to request the Deployment | Managed landing zone | Management accoun -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [{ - "Sid": "AMSMasterAccountAccess", - "Effect": "Allow", - "Action": [ - "amscm:ApproveRfc", - "amscm:CancelRfc", - "amscm:CreateRfc", - "amscm:RejectRfc", - "amscm:SubmitRfc", - "amscm:UpdateRfc", - "amscm:UpdateRfcActionState", - "amscm:UpdateRestrictedExecutionTimes" - ], - "Resource": [ - "arn:aws:amscm:global:*:changetype/ct-1zdasmc2ewzrs:*" - ] - }] - } - - @@ -308,29 +242,0 @@ Permissions to request the Deployment | Managed landing zone | Networking accoun -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [{ - "Sid": "AMSNetworkingAccountAccess", - "Effect": "Allow", - "Action": [ - "amscm:ApproveRfc", - "amscm:CancelRfc", - "amscm:CreateRfc", - "amscm:RejectRfc", - "amscm:SubmitRfc", - "amscm:UpdateRfc", - "amscm:UpdateRfcActionState", - "amscm:UpdateRestrictedExecutionTimes" - ], - "Resource": [ - "arn:aws:amscm:global:*:changetype/ct-1urj94c3hdfu5:*" - ] - }] - } - - @@ -343,30 +248,0 @@ Permissions to request the Management | Other | Other | Create, and Management | -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "AMSCoreAccountsAccess", - "Effect": "Allow", - "Action": [ - "amscm:CancelRfc", - "amscm:CreateRfc", - "amscm:SubmitRfc", - "amscm:UpdateRfc", - "amscm:UpdateRfcActionState", - "amscm:UpdateRestrictedExecutionTimes" - ], - "Resource": [ - "arn:aws:amscm:global:*:changetype/ct-1e1xtak34nx76:*", - "arn:aws:amscm:global:*:changetype/ct-0xdawir96cy7k:*" - ] - } - ] - } - - @@ -425,23 +300,0 @@ Permissions to request and view all AMS change types, and the history of request -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [{ - "Sid": "AMSFullAccess", - "Effect": "Allow", - "Action": [ - "amscm:*", - "amsskms:*" - ], - "Resource": [ - "*" - ] - }] - } - - @@ -628,25 +480,0 @@ If you have an active AWS account, then you can use this link [ReadOnlyAccess](h -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "ReadOnlyActions", - "Effect": "Allow", - "Action": [ - "a4b:Get*", - "a4b:List*", - "a4b:Search*", - "access-analyzer:GetAccessPreview", - "access-analyzer:GetAnalyzedResource," - ] - } - ] - } - - @@ -669,144 +496,0 @@ Managed Services Audit Policy: -JSON - - -**** - - - - {"Version": "2012-10-17", - "Statement": [ - { - "Sid": "BasicConsoleAccess", - "Effect": "Allow", - "Action": [ - "aws-portal:View*", - "ec2-reports:View*", - "support:*" - ],