AWS Security ChangesHomeSearch

AWS firehose documentation change

Service: firehose · 2025-09-19 · Documentation low

File: firehose/latest/dev/controlling-access.md

Summary

Restructured IAM policy examples by removing detailed JSON blocks and adding JSON section headers with formatting separators

Security assessment

Changes involve formatting improvements and removal of specific policy examples rather than addressing security vulnerabilities. While IAM policies are security-related, there's no evidence these changes fix existing vulnerabilities or introduce new security risks. The modifications appear to be documentation restructuring rather than security updates.

Diff

diff --git a/firehose/latest/dev/controlling-access.md b/firehose/latest/dev/controlling-access.md
index e50c9f124..7e1ef3505 100644
--- a//firehose/latest/dev/controlling-access.md
+++ b//firehose/latest/dev/controlling-access.md
@@ -65,0 +66,6 @@ To give your application access to your Firehose stream, use a policy similar to
+JSON
+    
+
+****
+    
+    
@@ -89,19 +95,0 @@ If the source of your Firehose stream is a private Amazon MSK cluster, then use
-    
-    {
-      "Version": "2012-10-17",
-      "Statement": [
-        {
-          "Principal": {
-            "Service": [
-              "firehose.amazonaws.com"
-            ]
-        },
-        "Effect": "Allow",
-        "Action": [
-          "kafka:CreateVpcConnection"
-        ],
-        "Resource": "cluster-arn"
-        }
-      ]
-    }
-
@@ -119,0 +108,6 @@ Amazon Data Firehose uses an IAM role for all the permissions that the Firehose
+JSON
+    
+
+****
+    
+    
@@ -123 +117,2 @@ Amazon Data Firehose uses an IAM role for all the permissions that the Firehose
-    	"Statement": [{
+        "Statement": [
+            {
@@ -129,2 +124 @@ Amazon Data Firehose uses an IAM role for all the permissions that the Firehose
-    		"Action": "sts:AssumeRole",
-    	}]
+                "Action": "sts:AssumeRole"
@@ -131,0 +126,3 @@ Amazon Data Firehose uses an IAM role for all the permissions that the Firehose
+        ]
+    }
+    
@@ -134,0 +132,6 @@ If you choose Amazon MSK as the source for your Firehose stream, you must specif
+JSON
+    
+
+****
+    
+    
@@ -152,25 +154,0 @@ If you choose Amazon MSK as the source for your Firehose stream, you must specif
-Make sure that this role that grants Amazon Data Firehose permissions to ingest source data from the specified Amazon MSK cluster grants the following permissions: 
-    
-    
-    {
-       "Version": "2012-10-17",      
-       "Statement": [{
-            "Effect":"Allow",
-            "Action": [
-               "kafka:GetBootstrapBrokers",
-               "kafka:DescribeCluster",
-               "kafka:DescribeClusterV2",
-               "kafka-cluster:Connect"
-             ],
-             "Resource": "CLUSTER-ARN"
-           },
-           {
-             "Effect":"Allow",
-             "Action": [
-               "kafka-cluster:DescribeTopic",
-               "kafka-cluster:DescribeTopicDynamicConfiguration",
-               "kafka-cluster:ReadData"
-             ],
-             "Resource": "TOPIC-ARN"
-           }]
-    }
@@ -177,0 +156 @@ Make sure that this role that grants Amazon Data Firehose permissions to ingest
+Make sure that this role that grants Amazon Data Firehose permissions to ingest source data from the specified Amazon MSK cluster grants the following permissions: 
@@ -208,0 +188,6 @@ Use the following access policy to enable Amazon Data Firehose to access your S3
+JSON
+    
+
+****
+    
+    
@@ -323,0 +310,6 @@ Create a policy and choose **JSON** in the policy editor. Add the following inli
+JSON
+    
+
+****
+    
+    
@@ -442,83 +434,0 @@ You must have an IAM role before you create a Firehose stream and Apache Iceberg
-        {
-        "Version": "2012-10-17",  
-        "Statement":
-        [    
-            {      
-                "Effect": "Allow",      
-                "Action": [
-                    "glue:GetTable",
-                    "glue:GetDatabase",
-                    "glue:UpdateTable"
-                ],      
-                "Resource": [   
-                    "arn:aws:glue:us-east-1:123456789012:catalog",
-                    "arn:aws:glue:us-east-1:123456789012:database/*",
-                    "arn:aws:glue:us-east-1:123456789012:table/*/*"             
-                ]    
-            },        
-            {      
-                "Effect": "Allow",      
-                "Action": [
-                    "s3:AbortMultipartUpload",
-                    "s3:GetBucketLocation",
-                    "s3:GetObject",
-                    "s3:ListBucket",
-                    "s3:ListBucketMultipartUploads",
-                    "s3:PutObject",
-                    "s3:DeleteObject"
-                ],      
-                "Resource": [   
-                    "arn:aws::s3:::amzn-s3-demo-bucket",
-                    "arn:aws:s3:::amzn-s3-demo-bucket/*"              
-                ]    
-            },      
-            {
-                "Effect": "Allow",
-                "Action": [
-                    "kinesis:DescribeStream",
-                    "kinesis:GetShardIterator",
-                    "kinesis:GetRecords",
-                    "kinesis:ListShards"
-                ],
-                "Resource": "arn:aws:kinesis:us-east-1:123456789012:stream/stream-name>"
-            },
-            {
-               "Effect": "Allow",
-               "Action": [
-                   "kms:Decrypt",
-                   "kms:GenerateDataKey"
-               ],
-               "Resource": [
-                   "arn:aws:kms:us-east-1:123456789012:key/key-id>"           
-               ],
-               "Condition": {
-                   "StringEquals": {
-                       "kms:ViaService": "s3.region.amazonaws.com"
-                   },
-                   "StringLike": {
-                       "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::amzn-s3-demo-bucket/prefix*"
-                   }
-               }
-            },
-            {
-               "Effect": "Allow",
-               "Action": [
-                   "logs:PutLogEvents"
-               ],
-               "Resource": [
-                   "arn:aws:logs:us-east-1:123456789012:log-group:log-group-name>:log-stream:log-stream-name>"
-               ]
-            },
-            {
-               "Effect": "Allow", 
-               "Action": [
-                   "lambda:InvokeFunction", 
-                   "lambda:GetFunctionConfiguration" 
-               ],
-               "Resource": [
-                   "arn:aws:lambda:us-east-1:123456789012:function:function-name:function-version"
-               ]
-            }
-        ]
-    }
-
@@ -562,0 +473,6 @@ Use the following access policy to enable Amazon Data Firehose to access your S3
+JSON
+    
+
+****
+    
+    
@@ -686,0 +604,6 @@ Use the following access policy to enable Amazon Data Firehose to access your S3
+JSON
+    
+
+****
+    
+    
@@ -829,0 +754,6 @@ Use the following access policy to enable Amazon Data Firehose to access your S3
+JSON
+