AWS security-lake documentation change
Summary
Replaced inline IAM policy JSON examples with links to AWS Managed Policy Reference Guide entries for AmazonSecurityLakeMetastoreManager, AmazonSecurityLakePermissionsBoundary, and AmazonSecurityLakeAdministrator policies
Security assessment
The change removes detailed inline IAM policies and replaces them with references to managed policies. This is a documentation restructuring for maintainability and does not address a specific security vulnerability or add new security content.
Diff
diff --git a/security-lake/latest/userguide/security-iam-awsmanpol.md b/security-lake/latest/userguide/security-iam-awsmanpol.md index 5707e50d6..b7e9b4982 100644 --- a//security-lake/latest/userguide/security-iam-awsmanpol.md +++ b//security-lake/latest/userguide/security-iam-awsmanpol.md @@ -36,94 +36 @@ This policy includes the following permissions: - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "AllowWriteLambdaLogs", - "Effect": "Allow", - "Action": [ - "logs:CreateLogStream", - "logs:PutLogEvents", - "logs:CreateLogGroup" - ], - "Resource": [ - "arn:aws:logs:*:*:log-group:/aws/lambda/AmazonSecurityLake*", - "arn:aws:logs:*:*:/aws/lambda/AmazonSecurityLake*" - ], - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - }, - { - "Sid": "AllowGlueManage", - "Effect": "Allow", - "Action": [ - "glue:CreatePartition", - "glue:BatchCreatePartition", - "glue:GetTable", - "glue:UpdateTable" - ], - "Resource": [ - "arn:aws:glue:*:*:table/amazon_security_lake_glue_db*/*", - "arn:aws:glue:*:*:database/amazon_security_lake_glue_db*", - "arn:aws:glue:*:*:catalog" - ], - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - }, - { - "Sid": "AllowToReadFromSqs", - "Effect": "Allow", - "Action": [ - "sqs:ReceiveMessage", - "sqs:DeleteMessage", - "sqs:GetQueueAttributes" - ], - "Resource": [ - "arn:aws:sqs:*:*:AmazonSecurityLake*" - ], - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - }, - { - "Sid": "AllowMetaDataReadWrite", - "Effect": "Allow", - "Action": [ - "s3:ListBucket", - "s3:PutObject", - "s3:GetObject" - ], - "Resource": [ - "arn:aws:s3:::aws-security-data-lake*" - ], - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - }, - { - "Sid": "AllowMetaDataCleanup", - "Effect": "Allow", - "Action": [ - "s3:DeleteObject" - ], - "Resource": [ - "arn:aws:s3:::aws-security-data-lake*/metadata/*.avro", - "arn:aws:s3:::aws-security-data-lake*/metadata/*.metadata.json" - ], - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - } - ] - } +To review the permissions for this policy, see [AmazonSecurityLakeMetastoreManager](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSecurityLakeMetastoreManager.html) in the _AWS Managed Policy Reference Guide_. @@ -135,134 +42 @@ Amazon Security Lake creates IAM roles for third-party custom sources to write d - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "AllowActionsForSecurityLake", - "Effect": "Allow", - "Action": [ - "s3:GetObject", - "s3:GetObjectVersion", - "s3:ListBucket", - "s3:ListBucketVersions", - "s3:PutObject", - "s3:GetBucketLocation", - "kms:Decrypt", - "kms:GenerateDataKey", - "sqs:ReceiveMessage", - "sqs:ChangeMessageVisibility", - "sqs:DeleteMessage", - "sqs:GetQueueUrl", - "sqs:SendMessage", - "sqs:GetQueueAttributes", - "sqs:ListQueues" - ], - "Resource": "*" - }, - { - "Sid": "DenyActionsForSecurityLake", - "Effect": "Deny", - "NotAction": [ - "s3:GetObject", - "s3:GetObjectVersion", - "s3:ListBucket", - "s3:ListBucketVersions", - "s3:PutObject", - "s3:GetBucketLocation", - "kms:Decrypt", - "kms:GenerateDataKey", - "sqs:ReceiveMessage", - "sqs:ChangeMessageVisibility", - "sqs:DeleteMessage", - "sqs:GetQueueUrl", - "sqs:SendMessage", - "sqs:GetQueueAttributes", - "sqs:ListQueues" - ], - "Resource": "*" - }, - { - "Sid": "DenyActionsNotOnSecurityLakeBucket", - "Effect": "Deny", - "Action": [ - "s3:GetObject", - "s3:GetObjectVersion", - "s3:ListBucket", - "s3:ListBucketVersions", - "s3:PutObject", - "s3:GetBucketLocation" - ], - "NotResource": [ - "arn:aws:s3:::aws-security-data-lake*" - ] - }, - { - "Sid": "DenyActionsNotOnSecurityLakeSQS", - "Effect": "Deny", - "Action": [ - "sqs:ReceiveMessage", - "sqs:ChangeMessageVisibility", - "sqs:DeleteMessage", - "sqs:GetQueueUrl", - "sqs:SendMessage", - "sqs:GetQueueAttributes", - "sqs:ListQueues" - ], - "NotResource": "arn:aws:sqs:*:*:AmazonSecurityLake*" - }, - { - "Sid": "DenyActionsNotOnSecurityLakeKMSS3SQS", - "Effect": "Deny", - "Action": [ - "kms:Decrypt", - "kms:GenerateDataKey" - ], - "Resource": "*", - "Condition": { - "StringNotLike": { - "kms:ViaService": [ - "s3.*.amazonaws.com", - "sqs.*.amazonaws.com" - ] - } - } - }, - { - "Sid": "DenyActionsNotOnSecurityLakeKMSForS3", - "Effect": "Deny", - "Action": [ - "kms:Decrypt",