AWS dms documentation change
Summary
Added a detailed IAM policy example granting AWS DMS permissions along with related KMS, IAM role management, EC2 networking, CloudWatch, and CloudWatch Logs permissions
Security assessment
The change adds security documentation by providing a comprehensive IAM policy example that follows least-privilege principles (e.g., using Condition blocks for iam:PassRole). While security-related, there's no evidence this addresses a specific vulnerability.
Diff
diff --git a/dms/latest/userguide/security-iam.md b/dms/latest/userguide/security-iam.md index 4fad19785..9bffd4984 100644 --- a//dms/latest/userguide/security-iam.md +++ b//dms/latest/userguide/security-iam.md @@ -157,0 +158,76 @@ You can further restrict access to AWS DMS resources using tagging. For more inf +JSON + + +**** + + + + { + + "Version":"2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "dms:*", + "Resource": "arn:aws:dms:*:123456789012:*" + }, + { + "Effect": "Allow", + "Action": [ + "kms:ListAliases", + "kms:DescribeKey" + ], + "Resource": "arn:aws:kms:*:123456789012:key/*" + }, + { + "Effect": "Allow", + "Action": [ + "iam:GetRole", + "iam:PassRole", + "iam:CreateRole", + "iam:AttachRolePolicy" + ], + "Resource": "arn:aws:iam::123456789012:role/*", + "Condition": { + "StringEquals": { + "iam:PassedToService": "dms.amazonaws.com" + } + } + }, + { + "Effect": "Allow", + "Action": [ + "ec2:DescribeVpcs", + "ec2:DescribeInternetGateways", + "ec2:DescribeAvailabilityZones", + "ec2:DescribeSubnets", + "ec2:DescribeSecurityGroups", + "ec2:ModifyNetworkInterfaceAttribute", + "ec2:CreateNetworkInterface", + "ec2:DeleteNetworkInterface" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "cloudwatch:Get*", + "cloudwatch:List*" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "logs:DescribeLogGroups", + "logs:DescribeLogStreams", + "logs:FilterLogEvents", + "logs:GetLogEvents" + ], + "Resource": "arn:aws:logs:*:123456789012:*" + } + ] + } + + +