AWS security-lake documentation change
Summary
Replaced inline IAM policy details with a reference to AWS Managed Policy documentation
Security assessment
The change consolidates IAM policy documentation into a managed policy reference but does not indicate a security vulnerability fix. It improves maintainability of security documentation.
Diff
diff --git a/security-lake/latest/userguide/AWSServiceRoleForSecurityLakeResourceManagement.md b/security-lake/latest/userguide/AWSServiceRoleForSecurityLakeResourceManagement.md index 7de678a8a..14bdc0f22 100644 --- a//security-lake/latest/userguide/AWSServiceRoleForSecurityLakeResourceManagement.md +++ b//security-lake/latest/userguide/AWSServiceRoleForSecurityLakeResourceManagement.md @@ -49,224 +49 @@ The role is configured with the following permissions policy: - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "ReadEventBridgeRules", - "Effect": "Allow", - "Action": [ - "events:ListRules" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - }, - { - "Sid": "ManageSecurityLakeEventRules", - "Effect": "Allow", - "Action": [ - "events:PutRule" - ], - "Resource": "arn:aws:events:*:*:rule/AmazonSecurityLake-*", - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - }, - { - "Sid": "ManageSecurityLakeLambdaConfigurations", - "Effect": "Allow", - "Action": [ - "lambda:GetEventSourceMapping", - "lambda:GetFunction", - "lambda:PutFunctionConcurrency", - "lambda:GetProvisionedConcurrencyConfig", - "lambda:GetFunctionConcurrency", - "lambda:GetRuntimeManagementConfig", - "lambda:PutProvisionedConcurrencyConfig", - "lambda:PublishVersion", - "lambda:DeleteFunctionConcurrency", - "lambda:DeleteEventSourceMapping", - "lambda:GetAlias", - "lambda:GetPolicy", - "lambda:GetFunctionConfiguration", - "lambda:UpdateFunctionConfiguration" - ], - "Resource": [ - "arn:aws:lambda:*:*:function:SecurityLake_Glue_Partition_Updater_Lambda*", - "arn:aws:lambda:*:*:function:AmazonSecurityLakeMetastoreManager-*-*" - ], - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - }, - { - "Sid": "AllowListLambdaEventSourceMappings", - "Effect": "Allow", - "Action": [ - "lambda:ListEventSourceMappings" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - }, - { - "Sid": "AllowUpdateLambdaEventSourceMapping", - "Effect": "Allow", - "Action": [ - "lambda:UpdateEventSourceMapping" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - }, - "StringLike": { - "lambda:FunctionArn": "arn:aws:lambda:*:*:function:AmazonSecurityLakeMetastoreManager-*-*" - } - } - }, - { - "Sid": "AllowUpdateLambdaConfigs", - "Effect": "Allow", - "Action": [ - "lambda:UpdateFunctionConfiguration" - ], - "Resource": "arn:aws:lambda:*:*:function:AmazonSecurityLakeMetastoreManager-*-*", - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - }, - { - "Sid": "ManageSecurityLakeGlueResources", - "Effect": "Allow", - "Action": [ - "glue:CreatePartition", - "glue:BatchCreatePartition", - "glue:GetTable", - "glue:GetTables", - "glue:UpdateTable", - "glue:GetDatabase" - ], - "Resource": [ - "arn:aws:glue:*:*:table/amazon_security_lake_glue_db*/*", - "arn:aws:glue:*:*:database/amazon_security_lake_glue_db*", - "arn:aws:glue:*:*:catalog" - ], - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - }, - { - "Sid": "AllowDataLakeConfigurationManagement", - "Effect": "Allow", - "Action": [ - "s3:ListBucket", - "s3:PutObject", - "s3:GetObjectAttributes", - "s3:GetBucketNotification", - "s3:PutBucketNotification", - "s3:GetLifecycleConfiguration", - "s3:PutLifecycleConfiguration", - "s3:GetEncryptionConfiguration", - "s3:GetReplicationConfiguration" - ], - "Resource": [ - "arn:aws:s3:::aws-security-data-lake*" - ], - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - }, - { - "Sid": "AllowMetaDataCompactionAndManagement", - "Effect": "Allow", - "Action": [ - "s3:GetObject", - "s3:DeleteObject", - "s3:RestoreObject" - ], - "Resource": [ - "arn:aws:s3:::aws-security-data-lake*/metadata/*.avro", - "arn:aws:s3:::aws-security-data-lake*/metadata/*.metadata.json" - ], - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - }, - { - "Sid": "ReadSecurityLakeLambdaLogs", - "Effect": "Allow", - "Action": [ - "logs:DescribeLogStreams", - "logs:StartQuery", - "logs:GetLogEvents", - "logs:GetQueryResults", - "logs:GetLogRecord" - ], - "Resource": [ - "arn:aws:logs:*:*:log-group:/aws/lambda/AmazonSecurityLakeMetastoreManager-*-*" - ], - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - }, - { - "Sid": "ManageSecurityLakeSQSQueue", - "Effect": "Allow", - "Action": [ - "sqs:StartMessageMoveTask", - "sqs:DeleteMessage", - "sqs:GetQueueUrl", - "sqs:ListDeadLetterSourceQueues", - "sqs:ChangeMessageVisibility", - "sqs:ListMessageMoveTasks", - "sqs:ReceiveMessage", - "sqs:SendMessage",