AWS Security ChangesHomeSearch

AWS security-lake documentation change

Service: security-lake · 2025-09-28 · Documentation low

File: security-lake/latest/userguide/slr-permissions.md

Summary

Replaced inline IAM policy JSON with reference to AWS managed policy documentation

Security assessment

Simplifies documentation by referencing official AWS managed policies rather than duplicating content. While related to security permissions, there's no evidence of addressing a specific vulnerability. Maintains security documentation by directing users to authoritative source.

Diff

diff --git a/security-lake/latest/userguide/slr-permissions.md b/security-lake/latest/userguide/slr-permissions.md
index 0935978da..314d0474c 100644
--- a//security-lake/latest/userguide/slr-permissions.md
+++ b//security-lake/latest/userguide/slr-permissions.md
@@ -26,122 +26 @@ The permissions policy for the role, which is an AWS managed policy named `Secur
-The role is configured with the following permissions policy:
-    
-    
-    {
-        "Version": "2012-10-17",
-        "Statement": [{
-                "Sid": "OrganizationsPolicies",
-                "Effect": "Allow",
-                "Action": [
-                    "organizations:ListAccounts",
-                    "organizations:DescribeOrganization"
-                ],
-                "Resource": [
-                    "*"
-                ]
-            },
-            {
-                "Sid": "DescribeOrgAccounts",
-                "Effect": "Allow",
-                "Action": [
-                    "organizations:DescribeAccount"
-                ],
-                "Resource": [
-                    "arn:aws:organizations::*:account/o-*/*"
-                ]
-            },
-            {
-                "Sid": "AllowManagementOfServiceLinkedChannel",
-                "Effect": "Allow",
-                "Action": [
-                    "cloudtrail:CreateServiceLinkedChannel",
-                    "cloudtrail:DeleteServiceLinkedChannel",
-                    "cloudtrail:GetServiceLinkedChannel",
-                    "cloudtrail:UpdateServiceLinkedChannel"
-                ],
-                "Resource": "arn:aws:cloudtrail:*:*:channel/aws-service-channel/security-lake/*"
-            },
-            {
-                "Sid": "AllowListServiceLinkedChannel",
-                "Effect": "Allow",
-                "Action": [
-                    "cloudtrail:ListServiceLinkedChannels"
-                ],
-                "Resource": "*"
-            },
-            {
-                "Sid": "DescribeAnyVpc",
-                "Effect": "Allow",
-                "Action": [
-                    "ec2:DescribeVpcs"
-                ],
-                "Resource": "*"
-            },
-            {
-                "Sid": "ListDelegatedAdmins",
-                "Effect": "Allow",
-                "Action": [
-                    "organizations:ListDelegatedAdministrators"
-                ],
-                "Resource": "*",
-                "Condition": {
-                    "StringEquals": {
-                        "organizations:ServicePrincipal": "securitylake.amazonaws.com"
-                    }
-                }
-            },
-            {
-                "Sid": "AllowWafLoggingConfiguration",
-                "Effect": "Allow",
-                "Action": [
-                    "wafv2:PutLoggingConfiguration",
-                    "wafv2:GetLoggingConfiguration",
-                    "wafv2:ListLoggingConfigurations",
-                    "wafv2:DeleteLoggingConfiguration"
-                ],
-                "Resource": "*",
-                "Condition": {
-                    "StringEquals": {
-                        "wafv2:LogScope": "SecurityLake"
-                    }
-                }
-            },
-            {
-                "Sid": "AllowPutLoggingConfiguration",
-                "Effect": "Allow",
-                "Action": [
-                    "wafv2:PutLoggingConfiguration"
-                ],
-                "Resource": "*",
-                "Condition": {
-                    "ArnLike": {
-                        "wafv2:LogDestinationResource": "arn:aws:s3:::aws-waf-logs-security-lake-*"
-                    }
-                }
-            },
-            {
-                "Sid": "ListWebACLs",
-                "Effect": "Allow",
-                "Action": [
-                    "wafv2:ListWebACLs"
-                ],
-                "Resource": "*"
-            },
-            {
-                "Sid": "LogDelivery",
-                "Effect": "Allow",
-                "Action": [
-                    "logs:CreateLogDelivery",
-                    "logs:DeleteLogDelivery"
-                ],
-                "Resource": "*",
-                "Condition": {
-                    "ForAnyValue:StringEquals": {
-                        "aws:CalledVia": [
-                            "wafv2.amazonaws.com"
-                        ]
-                    }
-                }
-            }
-            
-        ]
-    }
+To review the permissions for this policy, see [SecurityLakeServiceLinkedRole](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SecurityLakeServiceLinkedRole.html) in the _AWS Managed Policy Reference Guide_.