AWS cloudshell documentation change
Summary
Restructured policy examples and added JSON formatting placeholders for VPC/subnet/SG access control documentation
Security assessment
Changes focus on improving presentation of security-related IAM policies for VPC access control, but don't address specific vulnerabilities. The modifications enhance documentation about existing security features (network resource restrictions) without evidence of patching vulnerabilities.
Diff
diff --git a/cloudshell/latest/userguide/aws-cloudshell-vpc-permissions-1.md b/cloudshell/latest/userguide/aws-cloudshell-vpc-permissions-1.md index 3fd9d78ff..c9bf87c88 100644 --- a//cloudshell/latest/userguide/aws-cloudshell-vpc-permissions-1.md +++ b//cloudshell/latest/userguide/aws-cloudshell-vpc-permissions-1.md @@ -49,0 +50,6 @@ The following example displays how to enable full permissions, including access +JSON + + +**** + + @@ -217,0 +225 @@ To deny users access to specific VPCs, use `StringEquals` to check the value of +To deny users access to specific VPCs, use `StringEquals` to check the value of the `cloudshell:SubnetIds` condition. The following example denies users access to `subnet-1` and `subnet-2`: @@ -219,21 +227 @@ To deny users access to specific VPCs, use `StringEquals` to check the value of - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "EnforceOutOfVpc", - "Action": [ - "cloudshell:CreateEnvironment" - ], - "Effect": "Deny", - "Resource": "*", - "Condition": { - "StringEquals": { - "cloudshell:VpcIds": [ - "vpc-1", - "vpc-2" - ] - } - } - } - ] - } +To deny users access to specific VPCs, use `StringEquals` to check the value of the `cloudshell:SecurityGroupIds` condition. The following example denies users access to `sg-1` and `sg-2`: @@ -241 +229 @@ To deny users access to specific VPCs, use `StringEquals` to check the value of -To deny users access to specific VPCs, use `StringEquals` to check the value of the `cloudshell:SubnetIds` condition. The following example denies users access to `subnet-1` and `subnet-2`: +JSON @@ -244,21 +232 @@ To deny users access to specific VPCs, use `StringEquals` to check the value of - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "EnforceOutOfSubnet", - "Action": [ - "cloudshell:CreateEnvironment" - ], - "Effect": "Deny", - "Resource": "*", - "Condition": { - "StringEquals": { - "cloudshell:SubnetIds": [ - "subnet-1", - "subnet-2" - ] - } - } - } - ] - } +**** @@ -266 +233,0 @@ To deny users access to specific VPCs, use `StringEquals` to check the value of -To deny users access to specific VPCs, use `StringEquals` to check the value of the `cloudshell:SecurityGroupIds` condition. The following example denies users access to `sg-1` and `sg-2`: @@ -294,0 +263 @@ To allow users access to specific VPCs, use `StringEquals` to check the value of +To allow users access to specific VPCs, use `StringEquals` to check the value of the `cloudshell:SubnetIds` condition. The following example allows users access to `subnet-1` and `subnet-2`: @@ -296,21 +265,4 @@ To allow users access to specific VPCs, use `StringEquals` to check the value of - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "EnforceStayInSpecificVpc", - "Action": [ - "cloudshell:CreateEnvironment" - ], - "Effect": "Allow", - "Resource": "*", - "Condition": { - "StringEquals": { - "cloudshell:VpcIds": [ - "vpc-1", - "vpc-2" - ] - } - } - } - ] - } +JSON + + +**** @@ -318 +269,0 @@ To allow users access to specific VPCs, use `StringEquals` to check the value of -To allow users access to specific VPCs, use `StringEquals` to check the value of the `cloudshell:SubnetIds` condition. The following example allows users access to `subnet-1` and `subnet-2`: @@ -344,0 +297,6 @@ To allow users access to specific VPCs, use `StringEquals` to check the value of +JSON + + +**** + +