AWS cloudformation-cli documentation change
Summary
Restructured documentation with section breaks and removed explicit IAM policy examples. Added bullet points clarifying required permissions for viewing controls and registering Hooks.
Security assessment
Changes focus on formatting improvements and permission clarifications rather than addressing security vulnerabilities. Removal of JSON policy examples does not indicate a security fix but rather documentation reorganization. The existing security note about ensuring Hook security before publishing remains unchanged.
Diff
diff --git a/cloudformation-cli/latest/hooks-userguide/grant-iam-permissions-for-hooks.md b/cloudformation-cli/latest/hooks-userguide/grant-iam-permissions-for-hooks.md index 9124283d1..cd07242e2 100644 --- a//cloudformation-cli/latest/hooks-userguide/grant-iam-permissions-for-hooks.md +++ b//cloudformation-cli/latest/hooks-userguide/grant-iam-permissions-for-hooks.md @@ -46,0 +47,6 @@ The `ActivateType` and `SetTypeConfiguration` API calls work together to create +JSON + + +**** + + @@ -64 +70,9 @@ The `ActivateType` and `SetTypeConfiguration` API calls work together to create -Users who manage Hooks might need some related permissions. For example, to view controls from the Control Catalog in the CloudFormation console, the user must have the `controlcatalog:ListControls` permission in an IAM policy. To register custom Hooks as private extensions in the CloudFormation registry, the user must have the `cloudformation:RegisterType` permission in an IAM policy. + +Users who manage Hooks might need some related permissions, for example: + + * To view proactive controls from the Control Catalog in the CloudFormation console, the user must have the `controlcatalog:ListControls` permission in an IAM policy. + + * To register custom Hooks as private extensions in the CloudFormation registry, the user must have the `cloudformation:RegisterType` permission in an IAM policy. + + + @@ -73,0 +88,6 @@ Publishing Hooks publicly makes them available to other AWS accounts. Ensure tha +JSON + + +**** + + @@ -108,15 +128,0 @@ The following shows an example of a basic permissions policy for requesting Hook - - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "cloudformation:ListAllHookResults", - "cloudformation:ListHookResults" - ], - "Resource": "*" - } - ] - } - @@ -126,0 +133,6 @@ The following example IAM policy grants permissions to the `cloudformation:ListH +JSON + + +**** + + @@ -157,38 +169,0 @@ The following example IAM policy grants permissions to the `cloudformation:ListA - - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "cloudformation:ListAllHookResults" - ], - "Resource": "*" - }, - { - "Effect": "Deny", - "Action": [ - "cloudformation:ListAllHookResults" - ], - "Resource": "*", - "Condition": { - "Null": { - "cloudformation:TypeArn": "true" - } - } - }, - { - "Effect": "Deny", - "Action": [ - "cloudformation:ListAllHookResults" - ], - "Resource": "*", - "Condition": { - "ArnEquals": { - "cloudformation:TypeArn": "arn:aws:cloudformation:us-east-1:123456789012:type/hook/MyCompany-MyHook" - } - } - } - ] - } -