AWS Security ChangesHomeSearch

AWS dms documentation change

Service: dms · 2025-10-13 · Documentation low

File: dms/latest/userguide/security_iam_id-based-policy-examples.md

Summary

Added multiple IAM policy examples including tag-based access control and expanded service permissions

Security assessment

Adds security documentation showing how to implement resource-level permissions using tags (dms:endpoint-tag/Owner condition) and proper role passing constraints. Enhances security guidance but doesn't fix a specific vulnerability.

Diff

diff --git a/dms/latest/userguide/security_iam_id-based-policy-examples.md b/dms/latest/userguide/security_iam_id-based-policy-examples.md
index 8fd5c1450..b8aeee08b 100644
--- a//dms/latest/userguide/security_iam_id-based-policy-examples.md
+++ b//dms/latest/userguide/security_iam_id-based-policy-examples.md
@@ -50,0 +51,79 @@ The following policy gives you access to AWS DMS, including the AWS DMS console,
+JSON
+    
+
+****
+    
+    
+    
+    {
+        "Version":"2012-10-17",		 	 	 
+         "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": "dms:*",
+            "Resource": "arn:aws:dms:*:123456789012:*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "kms:ListAliases",
+                "kms:DescribeKey"
+            ],
+            "Resource": "arn:aws:kms:*:123456789012:key/*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "iam:GetRole",
+                "iam:CreateRole",
+                "iam:AttachRolePolicy"
+            ],
+            "Resource": "arn:aws:iam::123456789012:role/*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": "iam:PassRole",
+            "Resource": "arn:aws:iam::123456789012:role/*",
+            "Condition": {
+                "StringEquals": {
+                    "iam:PassedToService": "dms.amazonaws.com"
+                }
+            }
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ec2:DescribeVpcs",
+                "ec2:DescribeInternetGateways",
+                "ec2:DescribeAvailabilityZones",
+                "ec2:DescribeSubnets",
+                "ec2:DescribeSecurityGroups",
+                "ec2:ModifyNetworkInterfaceAttribute",
+                "ec2:CreateNetworkInterface",
+                "ec2:DeleteNetworkInterface"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "cloudwatch:Get*",
+                "cloudwatch:List*"
+            ],
+        "Resource": "*"
+        },
+        {
+        "Effect": "Allow",
+        "Action": [
+            "logs:DescribeLogGroups",
+            "logs:DescribeLogStreams",
+            "logs:FilterLogEvents",
+            "logs:GetLogEvents"
+            ],
+        "Resource": "arn:aws:logs:*:123456789012:*"
+        }
+       ]
+    }
+    
+    
+
@@ -214,0 +294,25 @@ You can use conditions in your identity-based policy to control access to AWS DM
+JSON
+    
+
+****
+    
+    
+    
+    {
+      "Version":"2012-10-17",		 	 	 
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Action": "dms:*",
+          "Resource": "*",
+          "Condition": {
+            "StringEquals": {
+              "dms:endpoint-tag/Owner": "${aws:username}"
+            }
+          }
+        }
+      ]
+    }
+    
+    
+