AWS managedservices medium security documentation change
Summary
Removed multiple JSON IAM policy examples including AMSCoreAccountsCMAndSKMSReadOnlyAccess, AMSMasterAccountAccess, AMSNetworkingAccountAccess, AMSCoreAccountsAccess, AMSFullAccess, ReadOnlyActions, Audit Policy, and IAM ReadOnly Policy configurations
Security assessment
Removal of IAM policies including 'AMSFullAccess' wildcard permissions (*) and 'DenyAccessToIamRolesStartingWithMC' security controls reduces documentation about secure access management. This could indicate tightening of least-privilege guidance or response to overprivileged policies, but lacks explicit security advisory context.
Diff
diff --git a/managedservices/latest/userguide/defaults-user-role.md b/managedservices/latest/userguide/defaults-user-role.md index bf7c273cd..780efcc60 100644 --- a//managedservices/latest/userguide/defaults-user-role.md +++ b//managedservices/latest/userguide/defaults-user-role.md @@ -231,36 +230,0 @@ Permissions to see all AMS change types, and the history of requested change typ -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [{ - "Sid": "AMSCoreAccountsCMAndSKMSReadOnlyAccess", - "Effect": "Allow", - "Action": [ - "amscm:GetChangeTypeVersion", - "amscm:GetRfc", - "amscm:ListChangeTypeCategories", - "amscm:ListChangeTypeClassificationSummaries", - "amscm:ListChangeTypeItems", - "amscm:ListChangeTypeOperations", - "amscm:ListChangeTypeSubcategories", - "amscm:ListChangeTypeVersionSummaries", - "amscm:ListRestrictedExecutionTimes", - "amscm:ListRfcSummaries", - "amsskms:GetStack", - "amsskms:GetSubnet", - "amsskms:GetVpc", - "amsskms:ListAmis", - "amsskms:ListStackSummaries", - "amsskms:ListSubnetSummaries", - "amsskms:ListVpcSummaries" - ], - "Resource": "*" - }] - } - - @@ -273,29 +236,0 @@ Permissions to request the Deployment | Managed landing zone | Management accoun -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [{ - "Sid": "AMSMasterAccountAccess", - "Effect": "Allow", - "Action": [ - "amscm:ApproveRfc", - "amscm:CancelRfc", - "amscm:CreateRfc", - "amscm:RejectRfc", - "amscm:SubmitRfc", - "amscm:UpdateRfc", - "amscm:UpdateRfcActionState", - "amscm:UpdateRestrictedExecutionTimes" - ], - "Resource": [ - "arn:aws:amscm:global:*:changetype/ct-1zdasmc2ewzrs:*" - ] - }] - } - - @@ -308,29 +242,0 @@ Permissions to request the Deployment | Managed landing zone | Networking accoun -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [{ - "Sid": "AMSNetworkingAccountAccess", - "Effect": "Allow", - "Action": [ - "amscm:ApproveRfc", - "amscm:CancelRfc", - "amscm:CreateRfc", - "amscm:RejectRfc", - "amscm:SubmitRfc", - "amscm:UpdateRfc", - "amscm:UpdateRfcActionState", - "amscm:UpdateRestrictedExecutionTimes" - ], - "Resource": [ - "arn:aws:amscm:global:*:changetype/ct-1urj94c3hdfu5:*" - ] - }] - } - - @@ -343,30 +248,0 @@ Permissions to request the Management | Other | Other | Create, and Management | -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "AMSCoreAccountsAccess", - "Effect": "Allow", - "Action": [ - "amscm:CancelRfc", - "amscm:CreateRfc", - "amscm:SubmitRfc", - "amscm:UpdateRfc", - "amscm:UpdateRfcActionState", - "amscm:UpdateRestrictedExecutionTimes" - ], - "Resource": [ - "arn:aws:amscm:global:*:changetype/ct-1e1xtak34nx76:*", - "arn:aws:amscm:global:*:changetype/ct-0xdawir96cy7k:*" - ] - } - ] - } - - @@ -425,23 +300,0 @@ Permissions to request and view all AMS change types, and the history of request -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [{ - "Sid": "AMSFullAccess", - "Effect": "Allow", - "Action": [ - "amscm:*", - "amsskms:*" - ], - "Resource": [ - "*" - ] - }] - } - - @@ -628,25 +480,0 @@ If you have an active AWS account, then you can use this link [ReadOnlyAccess](h -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "ReadOnlyActions", - "Effect": "Allow", - "Action": [ - "a4b:Get*", - "a4b:List*", - "a4b:Search*", - "access-analyzer:GetAccessPreview", - "access-analyzer:GetAnalyzedResource," - ] - } - ] - } - - @@ -669,144 +496,0 @@ Managed Services Audit Policy: -JSON - - -**** - - - - {"Version": "2012-10-17", - "Statement": [ - { - "Sid": "BasicConsoleAccess", - "Effect": "Allow", - "Action": [ - "aws-portal:View*", - "ec2-reports:View*", - "support:*" - ],