AWS Security ChangesHomeSearch

AWS firehose documentation change

Service: firehose · 2025-09-19 · Documentation low

File: firehose/latest/dev/database-as-source-grant-access.md

Summary

Removed detailed IAM policy example granting permissions for Glue, S3, KMS, logs, Secrets Manager, and EC2 actions

Security assessment

The change removes a sample IAM policy but does not address a specific security vulnerability. While IAM policies are security-related, this appears to be documentation cleanup rather than a response to a security issue.

Diff

diff --git a/firehose/latest/dev/database-as-source-grant-access.md b/firehose/latest/dev/database-as-source-grant-access.md
index 9d1942e86..80df17bb1 100644
--- a//firehose/latest/dev/database-as-source-grant-access.md
+++ b//firehose/latest/dev/database-as-source-grant-access.md
@@ -19,79 +18,0 @@ You must have an IAM role before you create a Firehose stream and Apache Iceberg
-        {
-    "Version": "2012-10-17",  
-        "Statement":
-        [    
-            {
-                "Effect": "Allow",      
-                "Action": [
-                    "glue:GetTable",
-                    "glue:GetDatabase",
-                    "glue:UpdateTable",
-                    "glue:CreateTable",
-                    "glue:CreateDatabase"
-                ],      
-                "Resource": [   
-                    "arn:aws:glue:<region>:<aws-account-id>:catalog",
-                    "arn:aws:glue:<region>:<aws-account-id>:database/*",
-                    "arn:aws:glue:<region>:<aws-account-id>:table/*/*"             
-                ]    
-            },        
-            {
-                "Effect": "Allow",      
-                "Action": [
-                    "s3:AbortMultipartUpload",
-                    "s3:GetBucketLocation",
-                    "s3:GetObject",
-                    "s3:ListBucket",
-                    "s3:ListBucketMultipartUploads",
-                    "s3:PutObject",
-                    "s3:DeleteObject"
-                ],      
-                "Resource": [   
-                    "arn:aws:s3:::amzn-s3-demo-bucket",
-                    "arn:aws:s3:::amzn-s3-demo-bucket/*"              
-                ]    
-            },      
-            {
-               "Effect": "Allow",
-               "Action": [
-                   "kms:Decrypt",
-                   "kms:GenerateDataKey"
-               ],
-               "Resource": [
-                   "arn:aws:kms:<region>:<aws-account-id>:key/<key-id>"           
-               ],
-               "Condition": {
-                "StringEquals": {
-                    "kms:ViaService": "s3.region.amazonaws.com"
-                   },
-                   "StringLike": {
-                    "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::amzn-s3-demo-bucket/prefix*"
-                   }
-               }
-            },
-            {
-               "Effect": "Allow",
-               "Action": [
-                   "logs:PutLogEvents"
-               ],
-               "Resource": [
-                   "arn:aws:logs:<region>:<aws-account-id>:log-group:<log-group-name>:log-stream:<log-stream-name>"
-               ]
-            },
-            {
-                "Effect": "Allow",
-                "Action": "secretsmanager:GetSecretValue",
-                "Resource": "<Secret ARN>"
-            },
-            {
-                "Effect": "Allow",
-                "Action": [
-                    "ec2:DescribeVpcEndpointServices"
-                ],
-                "Resource": [
-                    "*"
-                ]
-            }
-        ]
-    }
-