AWS singlesignon documentation change
Summary
Removed detailed S3 bucket policies and trust policy examples for Access Grants integration
Security assessment
While the removed content relates to security configurations, the deletion of examples does not indicate a security vulnerability fix. This appears to be documentation restructuring rather than addressing a specific security issue.
Diff
diff --git a/singlesignon/latest/userguide/tip-tutorial-s3.md b/singlesignon/latest/userguide/tip-tutorial-s3.md index 47ed21922..61d91cf9b 100644 --- a//singlesignon/latest/userguide/tip-tutorial-s3.md +++ b//singlesignon/latest/userguide/tip-tutorial-s3.md @@ -55,94 +54,0 @@ To use these policies, replace the `italicized placeholder text` in the example -JSON - - -**** - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "ObjectLevelReadPermissions", - "Effect": "Allow", - "Action": [ - "s3:GetObject", - "s3:GetObjectVersion", - "s3:GetObjectAcl", - "s3:GetObjectVersionAcl", - "s3:ListMultipartUploadParts" - ], - "Resource": [ - "arn:aws:s3:::*" - ], - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "Your-AWS-Account-ID" - }, - "ArnEquals": { - "s3:AccessGrantsInstanceArn": [ - "Your-Custom-Access-Grants-Location-ARN" - ] - } - } - }, - { - "Sid": "ObjectLevelWritePermissions", - "Effect": "Allow", - "Action": [ - "s3:PutObject", - "s3:PutObjectAcl", - "s3:PutObjectVersionAcl", - "s3:DeleteObject", - "s3:DeleteObjectVersion", - "s3:AbortMultipartUpload" - ], - "Resource": [ - "arn:aws:s3:::*" - ], - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "Your-AWS-Account-ID" - }, - "ArnEquals": { - "s3:AccessGrantsInstanceArn": [ - "Your-Custom-Access-Grants-Location-ARN" - ] - } - } - }, - { - "Sid": "BucketLevelReadPermissions", - "Effect": "Allow", - "Action": [ - "s3:ListBucket" - ], - "Resource": [ - "arn:aws:s3:::*" - ], - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "Your-AWS-Account-ID" - }, - "ArnEquals": { - "s3:AccessGrantsInstanceArn": [ - "Your-Custom-Access-Grants-Location-ARN" - ] - } - } - }, - "//Optionally add the following section if you use SSE-KMS encryption", - { - "Sid": "KMSPermissions", - "Effect": "Allow", - "Action": [ - "kms:Decrypt", - "kms:GenerateDataKey" - ], - "Resource": [ - "*" - ] - } - ] - } - - @@ -153,48 +58,0 @@ In the IAM role trust policy, give the S3 Access Grants service (`access-grants. -JSON - - -**** - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "Stmt1234567891011", - "Effect": "Allow", - "Principal": { - "Service": "access-grants.s3.amazonaws.com" - }, - "Action": [ - "sts:AssumeRole", - "sts:SetSourceIdentity" - ], - "Condition": { - "StringEquals": { - "aws:SourceAccount": "Your-AWS-Account-ID", - "aws:SourceArn": "Your-Custom-Access-Grants-Location-ARN" - } - } - }, - "//For an IAM Identity Center use case, add:", - { - "Sid": "Stmt1234567891012", - "Effect": "Allow", - "Principal": { - "Service": "access-grants.s3.amazonaws.com" - }, - "Action": "sts:SetContext", - "Condition": { - "StringEquals": { - "aws:SourceAccount": "Your-AWS-Account-ID", - "aws:SourceArn": "Your-Custom-Access-Grants-Location-ARN" - }, - "ForAllValues:ArnEquals": { - "sts:RequestContextProviders": "arn:aws:iam::aws:contextProvider/IdentityCenter" - } - } - } - ] - } - -