AWS datasync documentation change
Summary
Added documentation about VPC endpoint policies for DataSync API access control
Security assessment
Documents security feature (VPC endpoint policies) for restricting DataSync API operations through service endpoints. Enhances security documentation but does not fix a specific vulnerability.
Diff
diff --git a/datasync/latest/userguide/managing-access-overview.md b/datasync/latest/userguide/managing-access-overview.md index de3c8cb41..05a0e90c8 100644 --- a//datasync/latest/userguide/managing-access-overview.md +++ b//datasync/latest/userguide/managing-access-overview.md @@ -5 +5 @@ -DataSync resources and operationsUnderstanding resource ownershipManaging access to resourcesSpecifying policy elements: Actions, effects, resources, and principalsSpecifying conditions in a policy +DataSync resources and operationsUnderstanding resource ownershipManaging access to resourcesSpecifying policy elements: Actions, effects, resources, and principalsSpecifying conditions in a policyEndpoint policy @@ -26,0 +27,2 @@ An _account administrator_ is a user with administrator privileges in an AWS acc + * Creating an VPC endpoint policy + @@ -152,0 +155,38 @@ To express conditions, you use predefined condition keys. There are no condition +## Creating an VPC endpoint policy + +VPC endpoint policies help control access to DataSync API operations through DataSync VPC service endpoints and FIPS-enabled VPC service endpoints. VPC endpoint policies allow you to restrict specific DataSync API actions accessed through your VPC service endpoints, such as `CreateTask` or `StartTaskExecution`. + +An endpoint policy specifies the following information: + + * The principals that can perform actions. + + * The actions that can be performed. + + * The resources on which actions can be performed. + + + + +For more information, see [Control access to VPC endpoints using endpoint policies](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html) + +###### Example policy + +The following is an example of a endpoint policy. + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": "*", + "Action": [ + "datasync:CreateTask", + "datasync:StartTaskExecution", + "datasync:DescribeTask" + ], + "Resource": "arn:aws:datasync:us-east-1:123456789012:task/*" + } + ] + } +