AWS security-lake medium security documentation change
Summary
Added changelog entry for AWSServiceRoleForSecurityLakeResourceManagement policy update replacing StringLike with ArnLike operator for secure ARN comparisons
Security assessment
The changelog explicitly states a security improvement by using ArnLike instead of StringLike for ARN-type keys in condition blocks, which provides more precise and secure policy enforcement to prevent misconfigurations.
Diff
diff --git a/security-lake/latest/userguide/security-iam-awsmanpol.md b/security-lake/latest/userguide/security-iam-awsmanpol.md index 5707e50d6..b7e9b4982 100644 --- a//security-lake/latest/userguide/security-iam-awsmanpol.md +++ b//security-lake/latest/userguide/security-iam-awsmanpol.md @@ -36,94 +36 @@ This policy includes the following permissions: - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "AllowWriteLambdaLogs", - "Effect": "Allow", - "Action": [ - "logs:CreateLogStream", - "logs:PutLogEvents", - "logs:CreateLogGroup" - ], - "Resource": [ - "arn:aws:logs:*:*:log-group:/aws/lambda/AmazonSecurityLake*", - "arn:aws:logs:*:*:/aws/lambda/AmazonSecurityLake*" - ], - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - }, - { - "Sid": "AllowGlueManage", - "Effect": "Allow", - "Action": [ - "glue:CreatePartition", - "glue:BatchCreatePartition", - "glue:GetTable", - "glue:UpdateTable" - ], - "Resource": [ - "arn:aws:glue:*:*:table/amazon_security_lake_glue_db*/*", - "arn:aws:glue:*:*:database/amazon_security_lake_glue_db*", - "arn:aws:glue:*:*:catalog" - ], - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - }, - { - "Sid": "AllowToReadFromSqs", - "Effect": "Allow", - "Action": [ - "sqs:ReceiveMessage", - "sqs:DeleteMessage", - "sqs:GetQueueAttributes" - ], - "Resource": [ - "arn:aws:sqs:*:*:AmazonSecurityLake*" - ], - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - }, - { - "Sid": "AllowMetaDataReadWrite", - "Effect": "Allow", - "Action": [ - "s3:ListBucket", - "s3:PutObject", - "s3:GetObject" - ], - "Resource": [ - "arn:aws:s3:::aws-security-data-lake*" - ], - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - }, - { - "Sid": "AllowMetaDataCleanup", - "Effect": "Allow", - "Action": [ - "s3:DeleteObject" - ], - "Resource": [ - "arn:aws:s3:::aws-security-data-lake*/metadata/*.avro", - "arn:aws:s3:::aws-security-data-lake*/metadata/*.metadata.json" - ], - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - } - ] - } +To review the permissions for this policy, see [AmazonSecurityLakeMetastoreManager](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSecurityLakeMetastoreManager.html) in the _AWS Managed Policy Reference Guide_. @@ -135,134 +42 @@ Amazon Security Lake creates IAM roles for third-party custom sources to write d - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "AllowActionsForSecurityLake", - "Effect": "Allow", - "Action": [ - "s3:GetObject", - "s3:GetObjectVersion", - "s3:ListBucket", - "s3:ListBucketVersions", - "s3:PutObject", - "s3:GetBucketLocation", - "kms:Decrypt", - "kms:GenerateDataKey", - "sqs:ReceiveMessage", - "sqs:ChangeMessageVisibility", - "sqs:DeleteMessage", - "sqs:GetQueueUrl", - "sqs:SendMessage", - "sqs:GetQueueAttributes", - "sqs:ListQueues" - ], - "Resource": "*" - }, - { - "Sid": "DenyActionsForSecurityLake", - "Effect": "Deny", - "NotAction": [ - "s3:GetObject", - "s3:GetObjectVersion", - "s3:ListBucket", - "s3:ListBucketVersions", - "s3:PutObject", - "s3:GetBucketLocation", - "kms:Decrypt", - "kms:GenerateDataKey", - "sqs:ReceiveMessage", - "sqs:ChangeMessageVisibility", - "sqs:DeleteMessage", - "sqs:GetQueueUrl", - "sqs:SendMessage", - "sqs:GetQueueAttributes", - "sqs:ListQueues" - ], - "Resource": "*" - }, - { - "Sid": "DenyActionsNotOnSecurityLakeBucket", - "Effect": "Deny", - "Action": [ - "s3:GetObject", - "s3:GetObjectVersion", - "s3:ListBucket", - "s3:ListBucketVersions", - "s3:PutObject", - "s3:GetBucketLocation" - ], - "NotResource": [ - "arn:aws:s3:::aws-security-data-lake*" - ] - }, - { - "Sid": "DenyActionsNotOnSecurityLakeSQS", - "Effect": "Deny", - "Action": [ - "sqs:ReceiveMessage", - "sqs:ChangeMessageVisibility", - "sqs:DeleteMessage", - "sqs:GetQueueUrl", - "sqs:SendMessage", - "sqs:GetQueueAttributes", - "sqs:ListQueues" - ], - "NotResource": "arn:aws:sqs:*:*:AmazonSecurityLake*" - }, - { - "Sid": "DenyActionsNotOnSecurityLakeKMSS3SQS", - "Effect": "Deny", - "Action": [ - "kms:Decrypt", - "kms:GenerateDataKey" - ], - "Resource": "*", - "Condition": { - "StringNotLike": { - "kms:ViaService": [ - "s3.*.amazonaws.com", - "sqs.*.amazonaws.com" - ] - } - } - }, - { - "Sid": "DenyActionsNotOnSecurityLakeKMSForS3", - "Effect": "Deny", - "Action": [ - "kms:Decrypt",