AWS Security ChangesHomeSearch

AWS IAM documentation change

Service: IAM · 2025-10-22 · Documentation medium

File: IAM/latest/UserGuide/access-analyzer-policy-generation.md

Summary

Added JSON section markers and removed example policies

Security assessment

The changes involve formatting adjustments (adding JSON section markers) and removal of specific policy examples. While policy examples relate to security configurations, there's no evidence this addresses a specific vulnerability or adds new security documentation.

Diff

diff --git a/IAM/latest/UserGuide/access-analyzer-policy-generation.md b/IAM/latest/UserGuide/access-analyzer-policy-generation.md
index 2bbe91c79..f8607fe18 100644
--- a//IAM/latest/UserGuide/access-analyzer-policy-generation.md
+++ b//IAM/latest/UserGuide/access-analyzer-policy-generation.md
@@ -106,0 +107,6 @@ The first example policy shows the permissions policy for the service role that
+JSON
+    
+
+****
+    
+    
@@ -140,0 +148,6 @@ The following example policy shows the role trust policy with the permissions th
+JSON
+    
+
+****
+    
+    
@@ -158,0 +173,6 @@ To generate policies in the AWS Management Console, an IAM user must have a perm
+JSON
+    
+
+****
+    
+    
@@ -348,29 +368,0 @@ The following example policy allows `ListBucket` and `GetObject` for the bucket
-        {
-      "Version": "2012-10-17",		 	 	 
-      "Statement": [
-        {
-          "Sid": "PolicyGenerationBucketPolicy",
-          "Effect": "Allow",
-          "Principal": {
-            "AWS": "*"
-          },
-          "Action": [
-            "s3:GetObject",
-            "s3:ListBucket"
-          ],
-          "Resource": [
-            "arn:aws:s3:::amzn-s3-demo-bucket",
-            "arn:aws:s3:::amzn-s3-demo-bucket/optional-prefix/AWSLogs/organization-id/${aws:PrincipalAccount}/*"
-          ],
-          "Condition": {
-            "StringEquals": {
-              "aws:PrincipalOrgID": "organization-id"
-            },
-            "StringLike": {
-              "aws:PrincipalArn": "arn:aws:iam::${aws:PrincipalAccount}:role/service-role/AccessAnalyzerMonitorServiceRole*"
-            }
-          }
-        }
-      ]
-    }
-
@@ -379,27 +370,0 @@ The following example policy allows `ListBucket` and `GetObject` for the bucket
-        {
-      "Version": "2012-10-17",		 	 	 
-      "Statement": [
-        {
-          "Effect": "Allow",
-          "Principal": {
-            "AWS": "*"
-          },
-          "Action": "kms:Decrypt",
-          "Resource": "*",
-          "Condition": {
-            "StringEquals": {
-              "kms:EncryptionContext:aws:cloudtrail:arn": "CROSS_ACCOUNT_ORG_TRAIL_FULL_ARN",
-              "aws:PrincipalOrgID": "organization-id"
-            },
-            "StringLike": {
-              "kms:ViaService": [
-                "access-analyzer.*.amazonaws.com",
-                "s3.*.amazonaws.com"
-              ],
-              "aws:PrincipalArn": "arn:aws:iam::${aws:PrincipalAccount}:role/service-role/AccessAnalyzerMonitorServiceRole*"
-            }
-          }
-        }
-      ]
-    }
-