AWS Security ChangesHomeSearch

AWS security-lake documentation change

Service: security-lake · 2025-09-28 · Documentation low

File: security-lake/latest/userguide/security-iam-awsmanpol.md

Summary

Replaced inline IAM policy JSON examples with links to AWS Managed Policy Reference Guide entries for AmazonSecurityLakeMetastoreManager, AmazonSecurityLakePermissionsBoundary, and AmazonSecurityLakeAdministrator policies

Security assessment

The change removes detailed inline IAM policies and replaces them with references to managed policies. This is a documentation restructuring for maintainability and does not address a specific security vulnerability or add new security content.

Diff

diff --git a/security-lake/latest/userguide/security-iam-awsmanpol.md b/security-lake/latest/userguide/security-iam-awsmanpol.md
index 5707e50d6..b7e9b4982 100644
--- a//security-lake/latest/userguide/security-iam-awsmanpol.md
+++ b//security-lake/latest/userguide/security-iam-awsmanpol.md
@@ -36,94 +36 @@ This policy includes the following permissions:
-    
-    {
-      "Version": "2012-10-17",
-      "Statement": [
-        {
-          "Sid": "AllowWriteLambdaLogs",
-          "Effect": "Allow",
-          "Action": [
-            "logs:CreateLogStream",
-            "logs:PutLogEvents",
-            "logs:CreateLogGroup"
-          ],
-          "Resource": [
-            "arn:aws:logs:*:*:log-group:/aws/lambda/AmazonSecurityLake*",
-            "arn:aws:logs:*:*:/aws/lambda/AmazonSecurityLake*"
-          ],
-          "Condition": {
-            "StringEquals": {
-              "aws:ResourceAccount": "${aws:PrincipalAccount}"
-            }
-          }
-        },
-        {
-          "Sid": "AllowGlueManage",
-          "Effect": "Allow",
-          "Action": [
-            "glue:CreatePartition",
-            "glue:BatchCreatePartition",
-            "glue:GetTable",
-            "glue:UpdateTable"
-          ],
-          "Resource": [
-            "arn:aws:glue:*:*:table/amazon_security_lake_glue_db*/*",
-            "arn:aws:glue:*:*:database/amazon_security_lake_glue_db*",
-            "arn:aws:glue:*:*:catalog"
-          ],
-          "Condition": {
-            "StringEquals": {
-              "aws:ResourceAccount": "${aws:PrincipalAccount}"
-            }
-          }
-        },
-        {
-          "Sid": "AllowToReadFromSqs",
-          "Effect": "Allow",
-          "Action": [
-            "sqs:ReceiveMessage",
-            "sqs:DeleteMessage",
-            "sqs:GetQueueAttributes"
-          ],
-          "Resource": [
-            "arn:aws:sqs:*:*:AmazonSecurityLake*"
-          ],
-          "Condition": {
-            "StringEquals": {
-              "aws:ResourceAccount": "${aws:PrincipalAccount}"
-            }
-          }
-        },
-        {
-          "Sid": "AllowMetaDataReadWrite",
-          "Effect": "Allow",
-          "Action": [
-            "s3:ListBucket",
-            "s3:PutObject",
-            "s3:GetObject"
-          ],
-          "Resource": [
-            "arn:aws:s3:::aws-security-data-lake*"
-          ],
-          "Condition": {
-            "StringEquals": {
-              "aws:ResourceAccount": "${aws:PrincipalAccount}"
-            }
-          }
-        },
-        {
-          "Sid": "AllowMetaDataCleanup",
-          "Effect": "Allow",
-          "Action": [
-            "s3:DeleteObject"
-          ],
-          "Resource": [
-            "arn:aws:s3:::aws-security-data-lake*/metadata/*.avro",
-            "arn:aws:s3:::aws-security-data-lake*/metadata/*.metadata.json"
-          ],
-          "Condition": {
-            "StringEquals": {
-              "aws:ResourceAccount": "${aws:PrincipalAccount}"
-            }
-          }
-        }
-      ]
-    }
+To review the permissions for this policy, see [AmazonSecurityLakeMetastoreManager](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSecurityLakeMetastoreManager.html) in the _AWS Managed Policy Reference Guide_.
@@ -135,134 +42 @@ Amazon Security Lake creates IAM roles for third-party custom sources to write d
-    
-    {
-      "Version": "2012-10-17",
-      "Statement": [
-        {
-          "Sid": "AllowActionsForSecurityLake",
-          "Effect": "Allow",
-          "Action": [
-            "s3:GetObject",
-            "s3:GetObjectVersion",
-            "s3:ListBucket",
-            "s3:ListBucketVersions",
-            "s3:PutObject",
-            "s3:GetBucketLocation",
-            "kms:Decrypt",
-            "kms:GenerateDataKey",
-            "sqs:ReceiveMessage",
-            "sqs:ChangeMessageVisibility",
-            "sqs:DeleteMessage",
-            "sqs:GetQueueUrl",
-            "sqs:SendMessage",
-            "sqs:GetQueueAttributes",
-            "sqs:ListQueues"
-          ],
-          "Resource": "*"
-        },
-        {
-          "Sid": "DenyActionsForSecurityLake",
-          "Effect": "Deny",
-          "NotAction": [
-            "s3:GetObject",
-            "s3:GetObjectVersion",
-            "s3:ListBucket",
-            "s3:ListBucketVersions",
-            "s3:PutObject",
-            "s3:GetBucketLocation",
-            "kms:Decrypt",
-            "kms:GenerateDataKey",
-            "sqs:ReceiveMessage",
-            "sqs:ChangeMessageVisibility",
-            "sqs:DeleteMessage",
-            "sqs:GetQueueUrl",
-            "sqs:SendMessage",
-            "sqs:GetQueueAttributes",
-            "sqs:ListQueues"
-          ],
-          "Resource": "*"
-        },
-        {
-          "Sid": "DenyActionsNotOnSecurityLakeBucket",
-          "Effect": "Deny",
-          "Action": [
-            "s3:GetObject",
-            "s3:GetObjectVersion",
-            "s3:ListBucket",
-            "s3:ListBucketVersions",
-            "s3:PutObject",
-            "s3:GetBucketLocation"
-          ],
-          "NotResource": [
-            "arn:aws:s3:::aws-security-data-lake*"
-          ]
-        },
-        {
-          "Sid": "DenyActionsNotOnSecurityLakeSQS",
-          "Effect": "Deny",
-          "Action": [
-            "sqs:ReceiveMessage",
-            "sqs:ChangeMessageVisibility",
-            "sqs:DeleteMessage",
-            "sqs:GetQueueUrl",
-            "sqs:SendMessage",
-            "sqs:GetQueueAttributes",
-            "sqs:ListQueues"
-          ],
-          "NotResource": "arn:aws:sqs:*:*:AmazonSecurityLake*"
-        },
-        {
-          "Sid": "DenyActionsNotOnSecurityLakeKMSS3SQS",
-          "Effect": "Deny",
-          "Action": [
-            "kms:Decrypt",
-            "kms:GenerateDataKey"
-          ],
-          "Resource": "*",
-          "Condition": {
-            "StringNotLike": {
-              "kms:ViaService": [
-                "s3.*.amazonaws.com",
-                "sqs.*.amazonaws.com"
-              ]
-            }
-          }
-        },
-        {
-          "Sid": "DenyActionsNotOnSecurityLakeKMSForS3",
-          "Effect": "Deny",
-          "Action": [
-            "kms:Decrypt",