AWS ARG documentation change
Summary
Condensed explanations of IAM policy elements (Action, Resource, Condition). Removed details about policy exceptions, dependent actions, resource-level permissions, and logical operations in condition blocks.
Security assessment
The changes streamline policy documentation but remove nuanced guidance (e.g., resource-level permissions, logical AND/OR in conditions). While this could lead to misconfigurations if users overlook best practices, there is no explicit evidence of a security vulnerability being addressed. The changes reduce verbosity rather than directly adding or mitigating security features.
Diff
diff --git a/ARG/latest/userguide/security_iam_service-with-iam.md b/ARG/latest/userguide/security_iam_service-with-iam.md index dd254811c..dba0217ca 100644 --- a//ARG/latest/userguide/security_iam_service-with-iam.md +++ b//ARG/latest/userguide/security_iam_service-with-iam.md @@ -32,3 +32 @@ Administrators can use AWS JSON policies to specify who has access to what. That -The `Action` element of a JSON policy describes the actions that you can use to allow or deny access in a policy. Policy actions usually have the same name as the associated AWS API operation. There are some exceptions, such as _permission-only actions_ that don't have a matching API operation. There are also some operations that require multiple actions in a policy. These additional actions are called _dependent actions_. - -Include actions in a policy to grant permissions to perform the associated operation. +The `Action` element of a JSON policy describes the actions that you can use to allow or deny access in a policy. Include actions in a policy to grant permissions to perform the associated operation. @@ -59,3 +57 @@ Administrators can use AWS JSON policies to specify who has access to what. That -The `Resource` JSON policy element specifies the object or objects to which the action applies. Statements must include either a `Resource` or a `NotResource` element. As a best practice, specify a resource using its [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html). You can do this for actions that support a specific resource type, known as _resource-level permissions_. - -For actions that don't support resource-level permissions, such as listing operations, use a wildcard (*) to indicate that the statement applies to all resources. +The `Resource` JSON policy element specifies the object or objects to which the action applies. As a best practice, specify a resource using its [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html). For actions that don't support resource-level permissions, use a wildcard (*) to indicate that the statement applies to all resources. @@ -102,7 +98 @@ Administrators can use AWS JSON policies to specify who has access to what. That -The `Condition` element (or `Condition` _block_) lets you specify conditions in which a statement is in effect. The `Condition` element is optional. You can create conditional expressions that use [condition operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html), such as equals or less than, to match the condition in the policy with values in the request. - -If you specify multiple `Condition` elements in a statement, or multiple keys in a single `Condition` element, AWS evaluates them using a logical `AND` operation. If you specify multiple values for a single condition key, AWS evaluates the condition using a logical `OR` operation. All of the conditions must be met before the statement's permissions are granted. - -You can also use placeholder variables when you specify conditions. For example, you can grant an IAM user permission to access a resource only if it is tagged with their IAM user name. For more information, see [IAM policy elements: variables and tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html) in the _IAM User Guide_. - -AWS supports global condition keys and service-specific condition keys. To see all AWS global condition keys, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the _IAM User Guide_. +The `Condition` element specifies when statements execute based on defined criteria. You can create conditional expressions that use [condition operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html), such as equals or less than, to match the condition in the policy with values in the request. To see all AWS global condition keys, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the _IAM User Guide_.