AWS compute-optimizer documentation change
Summary
Added JSON policy example for creating Compute Optimizer service-linked roles
Security assessment
The change documents the required permissions for service-linked role creation, which is a security best practice but not tied to a specific security issue.
Diff
diff --git a/compute-optimizer/latest/ug/using-service-linked-roles.md b/compute-optimizer/latest/ug/using-service-linked-roles.md index 85eaa02a1..16736d5e7 100644 --- a//compute-optimizer/latest/ug/using-service-linked-roles.md +++ b//compute-optimizer/latest/ug/using-service-linked-roles.md @@ -81,0 +82,6 @@ Add the following policy to the IAM entity that needs to create the service-link +JSON + + +**** + + @@ -104,0 +111,36 @@ Add the following policy to the IAM entity that needs to create the service-link + +JSON + + +**** + + + + { + "Version":"2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "iam:CreateServiceLinkedRole", + "Resource": "arn:aws-cn:iam::*:role/aws-service-role/compute-optimizer.amazonaws.com/AWSServiceRoleForComputeOptimizer*", + "Condition": {"StringLike": {"iam:AWSServiceName": "compute-optimizer.amazonaws.com"}} + }, + { + "Effect": "Allow", + "Action": "iam:PutRolePolicy", + "Resource": "arn:aws-cn:iam::*:role/aws-service-role/compute-optimizer.amazonaws.com/AWSServiceRoleForComputeOptimizer" + }, + { + "Effect": "Allow", + "Action": "compute-optimizer:UpdateEnrollmentStatus", + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": "organizations:DescribeOrganization", + "Resource": "*" + } + ] + } + +