AWS firehose documentation change
Summary
Removed detailed IAM policy example granting permissions for Glue, S3, KMS, logs, Secrets Manager, and EC2 actions
Security assessment
The change removes a sample IAM policy but does not address a specific security vulnerability. While IAM policies are security-related, this appears to be documentation cleanup rather than a response to a security issue.
Diff
diff --git a/firehose/latest/dev/database-as-source-grant-access.md b/firehose/latest/dev/database-as-source-grant-access.md index 9d1942e86..80df17bb1 100644 --- a//firehose/latest/dev/database-as-source-grant-access.md +++ b//firehose/latest/dev/database-as-source-grant-access.md @@ -19,79 +18,0 @@ You must have an IAM role before you create a Firehose stream and Apache Iceberg - { - "Version": "2012-10-17", - "Statement": - [ - { - "Effect": "Allow", - "Action": [ - "glue:GetTable", - "glue:GetDatabase", - "glue:UpdateTable", - "glue:CreateTable", - "glue:CreateDatabase" - ], - "Resource": [ - "arn:aws:glue:<region>:<aws-account-id>:catalog", - "arn:aws:glue:<region>:<aws-account-id>:database/*", - "arn:aws:glue:<region>:<aws-account-id>:table/*/*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "s3:AbortMultipartUpload", - "s3:GetBucketLocation", - "s3:GetObject", - "s3:ListBucket", - "s3:ListBucketMultipartUploads", - "s3:PutObject", - "s3:DeleteObject" - ], - "Resource": [ - "arn:aws:s3:::amzn-s3-demo-bucket", - "arn:aws:s3:::amzn-s3-demo-bucket/*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "kms:Decrypt", - "kms:GenerateDataKey" - ], - "Resource": [ - "arn:aws:kms:<region>:<aws-account-id>:key/<key-id>" - ], - "Condition": { - "StringEquals": { - "kms:ViaService": "s3.region.amazonaws.com" - }, - "StringLike": { - "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::amzn-s3-demo-bucket/prefix*" - } - } - }, - { - "Effect": "Allow", - "Action": [ - "logs:PutLogEvents" - ], - "Resource": [ - "arn:aws:logs:<region>:<aws-account-id>:log-group:<log-group-name>:log-stream:<log-stream-name>" - ] - }, - { - "Effect": "Allow", - "Action": "secretsmanager:GetSecretValue", - "Resource": "<Secret ARN>" - }, - { - "Effect": "Allow", - "Action": [ - "ec2:DescribeVpcEndpointServices" - ], - "Resource": [ - "*" - ] - } - ] - } -