AWS singlesignon medium security documentation change
Summary
Removed detailed IAM policy JSON for AWSSSOServiceRolePolicy including permissions for role management, SAML provider operations, and directory service access
Security assessment
The removed content included critical IAM permissions governing service-linked role operations. Removing security-relevant policy documentation could impact users' ability to properly configure secure access controls. The policy contained security-sensitive actions like iam:PutRolePermissionsBoundary and iam:DeleteServiceLinkedRole.
Diff
diff --git a/singlesignon/latest/userguide/using-service-linked-roles.md b/singlesignon/latest/userguide/using-service-linked-roles.md index f321460e8..1aac5f6ed 100644 --- a//singlesignon/latest/userguide/using-service-linked-roles.md +++ b//singlesignon/latest/userguide/using-service-linked-roles.md @@ -106,167 +105,0 @@ For more information on updates to the AWSSSOServiceRolePolicy service-linked ro -JSON - - -**** - - - - { - "Version":"2012-10-17", - "Statement":[ - { - "Sid":"IAMRoleProvisioningActions", - "Effect":"Allow", - "Action":[ - "iam:AttachRolePolicy", - "iam:CreateRole", - "iam:DeleteRolePermissionsBoundary", - "iam:PutRolePermissionsBoundary", - "iam:PutRolePolicy", - "iam:UpdateRole", - "iam:UpdateRoleDescription", - "iam:UpdateAssumeRolePolicy" - ], - "Resource":[ - "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*" - ], - "Condition":{ - "StringNotEquals":{ - "aws:PrincipalOrgMasterAccountId":"${aws:PrincipalAccount}" - } - } - }, - { - "Sid":"IAMRoleReadActions", - "Effect":"Allow", - "Action":[ - "iam:GetRole", - "iam:ListRoles" - ], - "Resource":[ - "*" - ] - }, - { - "Sid":"IAMRoleCleanupActions", - "Effect":"Allow", - "Action":[ - "iam:DeleteRole", - "iam:DeleteRolePolicy", - "iam:DetachRolePolicy", - "iam:ListRolePolicies", - "iam:ListAttachedRolePolicies" - ], - "Resource":[ - "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*" - ] - }, - { - "Sid":"IAMSLRCleanupActions", - "Effect":"Allow", - "Action":[ - "iam:DeleteServiceLinkedRole", - "iam:GetServiceLinkedRoleDeletionStatus", - "iam:DeleteRole", - "iam:GetRole" - ], - "Resource":[ - "arn:aws:iam::*:role/aws-service-role/sso.amazonaws.com/AWSServiceRoleForSSO" - ] - }, - { - "Sid": "IAMSAMLProviderCreationAction", - "Effect": "Allow", - "Action": [ - "iam:CreateSAMLProvider" - ], - "Resource": [ - "arn:aws:iam::*:saml-provider/AWSSSO_*" - ], - "Condition": { - "StringNotEquals": { - "aws:PrincipalOrgMasterAccountId": "${aws:PrincipalAccount}" - } - } - }, - { - "Sid": "IAMSAMLProviderUpdateAction", - "Effect": "Allow", - "Action": [ - "iam:UpdateSAMLProvider" - ], - "Resource": [ - "arn:aws:iam::*:saml-provider/AWSSSO_*" - ] - }, - { - "Sid":"IAMSAMLProviderCleanupActions", - "Effect":"Allow", - "Action":[ - "iam:DeleteSAMLProvider", - "iam:GetSAMLProvider" - ], - "Resource":[ - "arn:aws:iam::*:saml-provider/AWSSSO_*" - ] - }, - { - "Effect":"Allow", - "Action":[ - "organizations:DescribeAccount", - "organizations:DescribeOrganization", - "organizations:ListAccounts", - "organizations:ListAWSServiceAccessForOrganization", - "organizations:ListDelegatedAdministrators" - ], - "Resource":[ - "*" - ] - }, - { - "Sid":"AllowUnauthAppForDirectory", - "Effect":"Allow", - "Action":[ - "ds:UnauthorizeApplication" - ], - "Resource":[ - "*" - ] - }, - { - "Sid":"AllowDescribeForDirectory", - "Effect":"Allow", - "Action":[ - "ds:DescribeDirectories", - "ds:DescribeTrusts" - ], - "Resource":[ - "*" - ] - }, - { - "Sid":"AllowDescribeAndListOperationsOnIdentitySource", - "Effect":"Allow", - "Action":[ - "identitystore:DescribeUser", - "identitystore:DescribeGroup", - "identitystore:ListGroups", - "identitystore:ListUsers" - ], - "Resource":[ - "*" - ] - }, - { - "Sid":"AllowDeleteSyncProfile", - "Effect":"Allow", - "Action":[ - "identity-sync:DeleteSyncProfile" - ], - "Resource":[ - "arn:aws:identity-sync*:*:profile/*" - ] - } - ] - } - -