AWS AmazonECS documentation change
Summary
Added detailed IAM policy examples for ecsExternalInstanceRole, ecsTaskExecutionRole, Amazon Q Developer permissions, inline chat permissions, ecsEventsRole, and lifecycle event viewing permissions
Security assessment
The changes add explicit IAM policy documentation for various roles and services, which helps users implement proper access controls. While this improves security documentation, there's no evidence of addressing a specific vulnerability or security incident.
Diff
diff --git a/AmazonECS/latest/developerguide/console-permissions.md b/AmazonECS/latest/developerguide/console-permissions.md index 2d7b48fb8..db9bdf916 100644 --- a//AmazonECS/latest/developerguide/console-permissions.md +++ b//AmazonECS/latest/developerguide/console-permissions.md @@ -54,0 +55,32 @@ In order to choose an existing `ecsExternalInstanceRole`, you must have the `iam +The following policy contains the required permissions, and limits the actions to the `ecsExternalInstanceRole` role. + +JSON + + +**** + + + + { + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "iam:AttachRolePolicy", + "iam:CreateRole", + "iam:CreateInstanceProfile", + "iam:AddRoleToInstanceProfile", + "iam:ListInstanceProfilesForRole", + "iam:GetRole" + ], + "Resource": "arn:aws:iam::*:role/ecsExternalInstanceRole" + }, + { + "Effect": "Allow", + "Action": ["iam:PassRole","ssm:CreateActivation"], + "Resource": "arn:aws:iam::*:role/ecsExternalInstanceRole" + } + ] + } + + @@ -75,0 +108,24 @@ In order to choose an existing `ecsTaskExecutionRole`, you must have the `iam:Ge +The following policy contains the required permissions, and limits the actions to the `ecsTaskExecutionRole` role. + +JSON + + +**** + + + + { + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "iam:AttachRolePolicy", + "iam:CreateRole", + "iam:GetRole" + ], + "Resource": "arn:aws:iam::*:role/ecsTaskExecutionRole" + } + ] + } + + @@ -79,0 +136,19 @@ For Amazon Q Developer to provide recommendations in the Amazon ECS; console, yo +JSON + + +**** + + + + { + "Statement": [ + { + "Sid": "AmazonQDeveloperPermissions", + "Effect": "Allow", + "Action": ["codewhisperer:GenerateRecommendations"], + "Resource": "*" + } + ] + } + + @@ -81,0 +157,19 @@ To use inline chat in the Amazon ECS; console, you must enable the correct IAM p +JSON + + +**** + + + + { + "Statement": [ + { + "Sid": "AmazonQDeveloperInlineChatPermissions", + "Effect": "Allow", + "Action": ["q:SendMessage"], + "Resource": "*" + } + ] + } + + @@ -98,0 +193,23 @@ The following policy contains the required permissions, and limits the actions t +JSON + + +**** + + + + { + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "iam:AttachRolePolicy", + "iam:CreateRole", + "iam:GetRole", + "iam:PassRole" + ], + "Resource": "arn:aws:iam::*:role/ecsEventsRole" + } + ] + } + + @@ -128,0 +246,6 @@ Replace the `account`, `cluster-name`, and `service-name` with your values. +JSON + + +**** + + @@ -160,0 +285,23 @@ The following permissions are required to view the lifecycle events. Add the fol +JSON + + +**** + + + + { + "Version":"2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "events:DescribeRule", + "events:ListTargetsByRule", + "logs:DescribeLogGroups" + ], + "Resource": "*" + } + ] + } + +