AWS apprunner documentation change
Summary
Added JSON examples for IAM policies including service-linked role creation, role passing permissions, and trust policies for App Runner roles
Security assessment
The changes add concrete IAM policy examples that help users configure secure access controls. While this improves security documentation, there's no evidence of addressing a specific vulnerability.
Diff
diff --git a/apprunner/latest/dg/security_iam_service-with-iam.md b/apprunner/latest/dg/security_iam_service-with-iam.md index 7a07cc552..71b7653fa 100644 --- a//apprunner/latest/dg/security_iam_service-with-iam.md +++ b//apprunner/latest/dg/security_iam_service-with-iam.md @@ -140,0 +141,68 @@ For examples of user policies, see [User policies](./security_iam_id-based-polic +JSON + + +**** + + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "apprunner:List*", + "apprunner:Describe*" + ], + "Resource": "*" + } + ] + } + + +JSON + + +**** + + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "iam:CreateServiceLinkedRole", + "Resource": [ + "arn:aws:iam::*:role/aws-service-role/apprunner.amazonaws.com/AWSServiceRoleForAppRunner", + "arn:aws:iam::*:role/aws-service-role/networking.apprunner/AWSServiceRoleForAppRunnerNetworking" + ], + "Condition": { + "StringLike": { + "iam:AWSServiceName": [ + "apprunner.amazonaws.com", + "networking.apprunner.amazonaws.com" + ] + } + } + }, + { + "Effect": "Allow", + "Action": "iam:PassRole", + "Resource": "*", + "Condition": { + "StringLike": { + "iam:PassedToService": "apprunner.amazonaws.com" + } + } + }, + { + "Sid": "AppRunnerAdminAccess", + "Effect": "Allow", + "Action": "apprunner:*", + "Resource": "*" + } + ] + } + + @@ -191,0 +260,21 @@ When you create your access role, be sure to add a trust policy that declares th +JSON + + +**** + + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": "build.apprunner.amazonaws.com" + }, + "Action": "sts:AssumeRole" + } + ] + } + + @@ -201,0 +291,21 @@ When you create your instance role, be sure to add a trust policy that declares +JSON + + +**** + + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": "tasks.apprunner.aws.com" + }, + "Action": "sts:AssumeRole" + } + ] + } + +