AWS mwaa documentation change
Summary
Updated phrasing from 'see' to 'refer to' in links and removed a detailed example execution role policy JSON configuration
Security assessment
The changes are primarily editorial (phrasing updates) and removal of a policy example. While IAM policy changes can have security implications, there's no explicit evidence this removal addresses a specific vulnerability. The removed policy contained both Allow/Deny statements but no clear indicators of inherent insecurity in the context of documentation removal.
Diff
diff --git a/mwaa/latest/userguide/mwaa-create-role.md b/mwaa/latest/userguide/mwaa-create-role.md index c55faaab1..573fa4b8e 100644 --- a//mwaa/latest/userguide/mwaa-create-role.md +++ b//mwaa/latest/userguide/mwaa-create-role.md @@ -223 +223 @@ JSON -For more information about restricting access to your Amazon S3 buckets, see [Blocking public access to your Amazon S3 storage](https://docs.aws.amazon.com/) in the _Amazon Simple Storage Service User Guide_. +For more information about restricting access to your Amazon S3 buckets, refer to [Blocking public access to your Amazon S3 storage](https://docs.aws.amazon.com/) in the _Amazon Simple Storage Service User Guide_. @@ -227 +227 @@ For more information about restricting access to your Amazon S3 buckets, see [Bl -You can also create an Apache Airflow connection and specify your execution role and its ARN in your Apache Airflow connection object. To learn more, see [Managing connections to Apache Airflow](./manage-connections.html). +You can also create an Apache Airflow connection and specify your execution role and its ARN in your Apache Airflow connection object. To learn more, refer to [Managing connections to Apache Airflow](./manage-connections.html). @@ -239,102 +238,0 @@ The following example shows an execution role policy you can use for an [Custome -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Deny", - "Action": "s3:ListAllMyBuckets", - "Resource": [ - "arn:aws:s3:::{your-s3-bucket-name}", - "arn:aws:s3:::{your-s3-bucket-name}/*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "s3:GetObject*", - "s3:GetBucket*", - "s3:List*" - ], - "Resource": [ - "arn:aws:s3:::{your-s3-bucket-name}", - "arn:aws:s3:::{your-s3-bucket-name}/*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "logs:CreateLogStream", - "logs:CreateLogGroup", - "logs:PutLogEvents", - "logs:GetLogEvents", - "logs:GetLogRecord", - "logs:GetLogGroupFields", - "logs:GetQueryResults" - ], - "Resource": [ - "arn:aws:logs:us-east-1:111122223333;:log-group:airflow-{your-environment-name}-*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "logs:DescribeLogGroups" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "s3:GetAccountPublicAccessBlock" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": "cloudwatch:PutMetricData", - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "sqs:ChangeMessageVisibility", - "sqs:DeleteMessage", - "sqs:GetQueueAttributes", - "sqs:GetQueueUrl", - "sqs:ReceiveMessage", - "sqs:SendMessage" - ], - "Resource": "arn:aws:sqs:us-east-1:*:airflow-celery-*" - }, - { - "Effect": "Allow", - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:GenerateDataKey*", - "kms:Encrypt" - ], - "Resource": "arn:aws:kms:us-east-1:111122223333:key/{your-kms-cmk-id}", - "Condition": { - "StringLike": { - "kms:ViaService": [ - "sqs.us-east-1.amazonaws.com", - "s3.us-east-1.amazonaws.com" - ] - } - } - } - ] - } - -