AWS Security ChangesHomeSearch

AWS security-lake medium security documentation change

Service: security-lake · 2025-09-28 · Security-related medium

File: security-lake/latest/userguide/security-iam-awsmanpol.md

Summary

Added changelog entry for AWSServiceRoleForSecurityLakeResourceManagement policy update replacing StringLike with ArnLike operator for secure ARN comparisons

Security assessment

The changelog explicitly states a security improvement by using ArnLike instead of StringLike for ARN-type keys in condition blocks, which provides more precise and secure policy enforcement to prevent misconfigurations.

Diff

diff --git a/security-lake/latest/userguide/security-iam-awsmanpol.md b/security-lake/latest/userguide/security-iam-awsmanpol.md
index 5707e50d6..b7e9b4982 100644
--- a//security-lake/latest/userguide/security-iam-awsmanpol.md
+++ b//security-lake/latest/userguide/security-iam-awsmanpol.md
@@ -36,94 +36 @@ This policy includes the following permissions:
-    
-    {
-      "Version": "2012-10-17",
-      "Statement": [
-        {
-          "Sid": "AllowWriteLambdaLogs",
-          "Effect": "Allow",
-          "Action": [
-            "logs:CreateLogStream",
-            "logs:PutLogEvents",
-            "logs:CreateLogGroup"
-          ],
-          "Resource": [
-            "arn:aws:logs:*:*:log-group:/aws/lambda/AmazonSecurityLake*",
-            "arn:aws:logs:*:*:/aws/lambda/AmazonSecurityLake*"
-          ],
-          "Condition": {
-            "StringEquals": {
-              "aws:ResourceAccount": "${aws:PrincipalAccount}"
-            }
-          }
-        },
-        {
-          "Sid": "AllowGlueManage",
-          "Effect": "Allow",
-          "Action": [
-            "glue:CreatePartition",
-            "glue:BatchCreatePartition",
-            "glue:GetTable",
-            "glue:UpdateTable"
-          ],
-          "Resource": [
-            "arn:aws:glue:*:*:table/amazon_security_lake_glue_db*/*",
-            "arn:aws:glue:*:*:database/amazon_security_lake_glue_db*",
-            "arn:aws:glue:*:*:catalog"
-          ],
-          "Condition": {
-            "StringEquals": {
-              "aws:ResourceAccount": "${aws:PrincipalAccount}"
-            }
-          }
-        },
-        {
-          "Sid": "AllowToReadFromSqs",
-          "Effect": "Allow",
-          "Action": [
-            "sqs:ReceiveMessage",
-            "sqs:DeleteMessage",
-            "sqs:GetQueueAttributes"
-          ],
-          "Resource": [
-            "arn:aws:sqs:*:*:AmazonSecurityLake*"
-          ],
-          "Condition": {
-            "StringEquals": {
-              "aws:ResourceAccount": "${aws:PrincipalAccount}"
-            }
-          }
-        },
-        {
-          "Sid": "AllowMetaDataReadWrite",
-          "Effect": "Allow",
-          "Action": [
-            "s3:ListBucket",
-            "s3:PutObject",
-            "s3:GetObject"
-          ],
-          "Resource": [
-            "arn:aws:s3:::aws-security-data-lake*"
-          ],
-          "Condition": {
-            "StringEquals": {
-              "aws:ResourceAccount": "${aws:PrincipalAccount}"
-            }
-          }
-        },
-        {
-          "Sid": "AllowMetaDataCleanup",
-          "Effect": "Allow",
-          "Action": [
-            "s3:DeleteObject"
-          ],
-          "Resource": [
-            "arn:aws:s3:::aws-security-data-lake*/metadata/*.avro",
-            "arn:aws:s3:::aws-security-data-lake*/metadata/*.metadata.json"
-          ],
-          "Condition": {
-            "StringEquals": {
-              "aws:ResourceAccount": "${aws:PrincipalAccount}"
-            }
-          }
-        }
-      ]
-    }
+To review the permissions for this policy, see [AmazonSecurityLakeMetastoreManager](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSecurityLakeMetastoreManager.html) in the _AWS Managed Policy Reference Guide_.
@@ -135,134 +42 @@ Amazon Security Lake creates IAM roles for third-party custom sources to write d
-    
-    {
-      "Version": "2012-10-17",
-      "Statement": [
-        {
-          "Sid": "AllowActionsForSecurityLake",
-          "Effect": "Allow",
-          "Action": [
-            "s3:GetObject",
-            "s3:GetObjectVersion",
-            "s3:ListBucket",
-            "s3:ListBucketVersions",
-            "s3:PutObject",
-            "s3:GetBucketLocation",
-            "kms:Decrypt",
-            "kms:GenerateDataKey",
-            "sqs:ReceiveMessage",
-            "sqs:ChangeMessageVisibility",
-            "sqs:DeleteMessage",
-            "sqs:GetQueueUrl",
-            "sqs:SendMessage",
-            "sqs:GetQueueAttributes",
-            "sqs:ListQueues"
-          ],
-          "Resource": "*"
-        },
-        {
-          "Sid": "DenyActionsForSecurityLake",
-          "Effect": "Deny",
-          "NotAction": [
-            "s3:GetObject",
-            "s3:GetObjectVersion",
-            "s3:ListBucket",
-            "s3:ListBucketVersions",
-            "s3:PutObject",
-            "s3:GetBucketLocation",
-            "kms:Decrypt",
-            "kms:GenerateDataKey",
-            "sqs:ReceiveMessage",
-            "sqs:ChangeMessageVisibility",
-            "sqs:DeleteMessage",
-            "sqs:GetQueueUrl",
-            "sqs:SendMessage",
-            "sqs:GetQueueAttributes",
-            "sqs:ListQueues"
-          ],
-          "Resource": "*"
-        },
-        {
-          "Sid": "DenyActionsNotOnSecurityLakeBucket",
-          "Effect": "Deny",
-          "Action": [
-            "s3:GetObject",
-            "s3:GetObjectVersion",
-            "s3:ListBucket",
-            "s3:ListBucketVersions",
-            "s3:PutObject",
-            "s3:GetBucketLocation"
-          ],
-          "NotResource": [
-            "arn:aws:s3:::aws-security-data-lake*"
-          ]
-        },
-        {
-          "Sid": "DenyActionsNotOnSecurityLakeSQS",
-          "Effect": "Deny",
-          "Action": [
-            "sqs:ReceiveMessage",
-            "sqs:ChangeMessageVisibility",
-            "sqs:DeleteMessage",
-            "sqs:GetQueueUrl",
-            "sqs:SendMessage",
-            "sqs:GetQueueAttributes",
-            "sqs:ListQueues"
-          ],
-          "NotResource": "arn:aws:sqs:*:*:AmazonSecurityLake*"
-        },
-        {
-          "Sid": "DenyActionsNotOnSecurityLakeKMSS3SQS",
-          "Effect": "Deny",
-          "Action": [
-            "kms:Decrypt",
-            "kms:GenerateDataKey"
-          ],
-          "Resource": "*",
-          "Condition": {
-            "StringNotLike": {
-              "kms:ViaService": [
-                "s3.*.amazonaws.com",
-                "sqs.*.amazonaws.com"
-              ]
-            }
-          }
-        },
-        {
-          "Sid": "DenyActionsNotOnSecurityLakeKMSForS3",
-          "Effect": "Deny",
-          "Action": [
-            "kms:Decrypt",