AWS dms documentation change
Summary
Added multiple IAM policy examples including tag-based access control and expanded service permissions
Security assessment
Adds security documentation showing how to implement resource-level permissions using tags (dms:endpoint-tag/Owner condition) and proper role passing constraints. Enhances security guidance but doesn't fix a specific vulnerability.
Diff
diff --git a/dms/latest/userguide/security_iam_id-based-policy-examples.md b/dms/latest/userguide/security_iam_id-based-policy-examples.md index 8fd5c1450..b8aeee08b 100644 --- a//dms/latest/userguide/security_iam_id-based-policy-examples.md +++ b//dms/latest/userguide/security_iam_id-based-policy-examples.md @@ -50,0 +51,79 @@ The following policy gives you access to AWS DMS, including the AWS DMS console, +JSON + + +**** + + + + { + "Version":"2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "dms:*", + "Resource": "arn:aws:dms:*:123456789012:*" + }, + { + "Effect": "Allow", + "Action": [ + "kms:ListAliases", + "kms:DescribeKey" + ], + "Resource": "arn:aws:kms:*:123456789012:key/*" + }, + { + "Effect": "Allow", + "Action": [ + "iam:GetRole", + "iam:CreateRole", + "iam:AttachRolePolicy" + ], + "Resource": "arn:aws:iam::123456789012:role/*" + }, + { + "Effect": "Allow", + "Action": "iam:PassRole", + "Resource": "arn:aws:iam::123456789012:role/*", + "Condition": { + "StringEquals": { + "iam:PassedToService": "dms.amazonaws.com" + } + } + }, + { + "Effect": "Allow", + "Action": [ + "ec2:DescribeVpcs", + "ec2:DescribeInternetGateways", + "ec2:DescribeAvailabilityZones", + "ec2:DescribeSubnets", + "ec2:DescribeSecurityGroups", + "ec2:ModifyNetworkInterfaceAttribute", + "ec2:CreateNetworkInterface", + "ec2:DeleteNetworkInterface" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "cloudwatch:Get*", + "cloudwatch:List*" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "logs:DescribeLogGroups", + "logs:DescribeLogStreams", + "logs:FilterLogEvents", + "logs:GetLogEvents" + ], + "Resource": "arn:aws:logs:*:123456789012:*" + } + ] + } + + + @@ -214,0 +294,25 @@ You can use conditions in your identity-based policy to control access to AWS DM +JSON + + +**** + + + + { + "Version":"2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "dms:*", + "Resource": "*", + "Condition": { + "StringEquals": { + "dms:endpoint-tag/Owner": "${aws:username}" + } + } + } + ] + } + + +