AWS systems-manager-automation-runbooks documentation change
Summary
Removed detailed IAM policy example for containing compromised IAM principals
Security assessment
While the policy relates to security containment procedures, the removal of the example policy doesn't itself indicate a security fix. The change appears to be documentation cleanup rather than addressing a specific vulnerability.
Diff
diff --git a/systems-manager-automation-runbooks/latest/userguide/awssupport-contain-iam-principal.md b/systems-manager-automation-runbooks/latest/userguide/awssupport-contain-iam-principal.md index 113bf4132..53c788797 100644 --- a//systems-manager-automation-runbooks/latest/userguide/awssupport-contain-iam-principal.md +++ b//systems-manager-automation-runbooks/latest/userguide/awssupport-contain-iam-principal.md @@ -185,118 +184,0 @@ Here is an example of an IAM policy that grants the necessary permissions for th -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "S3Permissions", - "Effect": "Allow", - "Action": [ - "s3:GetBucketLocation", - "s3:ListBucket", - "s3:GetBucketPublicAccessBlock", - "s3:GetPublicAccessBlock", - "s3:GetBucketPolicyStatus", - "s3:GetBucketAcl", - "s3:GetObject", - "s3:CreateBucket", - "s3:PutObject" - ], - "Resource": "*" - }, - { - "Sid": "IAMPermissions", - "Effect": "Allow", - "Action": [ - "iam:GetUser", - "iam:GetUserPolicy", - "iam:GetRole", - "iam:ListUserPolicies", - "iam:ListAttachedUserPolicies", - "iam:ListAccessKeys", - "iam:ListMfaDevices", - "iam:ListVirtualMFADevices", - "iam:GetLoginProfile", - "iam:GetPolicy", - "iam:GetRolePolicy", - "iam:ListPolicies", - "iam:ListAttachedRolePolicies", - "iam:ListRolePolicies", - "iam:UpdateAccessKey", - "iam:CreateAccessKey", - "iam:DeleteLoginProfile", - "iam:DeleteAccessKey", - "iam:PutUserPolicy", - "iam:DeleteUserPolicy", - "iam:DeactivateMFADevice", - "iam:AttachRolePolicy", - "iam:AttachUserPolicy", - "iam:DeleteRolePolicy", - "iam:TagMFADevice", - "iam:PutRolePolicy", - "iam:TagPolicy", - "iam:TagRole", - "iam:TagUser", - "iam:UntagUser", - "iam:UntagRole" - ], - "Resource": "*" - }, - { - "Sid": "OrganizationsPermissions", - "Effect": "Allow", - "Action": [ - "organizations:ListAccounts" - ], - "Resource": "*" - }, - { - "Sid": "SSOPermissions", - "Effect": "Allow", - "Action": [ - "sso:ListPermissionSetsProvisionedToAccount", - "sso:GetInlinePolicyForPermissionSet", - "sso:ListInstances", - "sso-directory:SearchUsers", - "sso:ListPermissionSets", - "sso:ListAccountAssignments", - "sso-directory:DescribeUser", - "sso:DeleteAccountAssignment", - "sso:PutInlinePolicyToPermissionSet", - "sso:CreateAccountAssignment", - "sso:DeleteInlinePolicyFromPermissionSet", - "sso:TagResource", - "sso:UntagResource" - ], - "Resource": "*" - }, - { - "Sid": "IdentityStorePermissions", - "Effect": "Allow", - "Action": [ - "identitystore:ListUsers", - "identitystore:ListGroups", - "identitystore:IsMemberInGroups", - "identitystore:ListGroupMemberships", - "identitystore:DeleteGroupMembership", - "identitystore:CreateGroupMembership" - ], - "Resource": "*" - }, - { - "Sid": "SecretsManagerPermissions", - "Effect": "Allow", - "Action": [ - "secretsmanager:CreateSecret", - "secretsmanager:DeleteSecret" - ], - "Resource": "*" - } - ] - } - -