AWS Security ChangesHomeSearch

AWS firehose medium security documentation change

Service: firehose · 2025-10-22 · Security-related medium

File: firehose/latest/dev/controlling-access.md

Summary

Updated IAM policy examples and documentation structure for MSK cluster permissions, Glue schema access, and general policy formatting. Added explicit JSON syntax, removed redundant policies, and corrected resource ARN specificity.

Security assessment

Changes enforce least-privilege principles by replacing wildcard resource ARNs (*) with specific Glue catalog/database/table ARNs in policies. Fixed invalid JSON syntax (e.g., 'actions' instead of 'Action') that could lead to misconfigured policies. Added explicit KMS encryption context conditions to restrict key usage. These changes prevent insecure configurations that could expose resources.

Diff

diff --git a/firehose/latest/dev/controlling-access.md b/firehose/latest/dev/controlling-access.md
index da7f6f1e5..f05719f22 100644
--- a//firehose/latest/dev/controlling-access.md
+++ b//firehose/latest/dev/controlling-access.md
@@ -65,0 +66,6 @@ To give your application access to your Firehose stream, use a policy similar to
+JSON
+    
+
+****
+    
+    
@@ -89,19 +95,0 @@ If the source of your Firehose stream is a private Amazon MSK cluster, then use
-    
-    {
-      "Version": "2012-10-17", 		 	 	 
-      "Statement": [
-        {
-          "Principal": {
-            "Service": [
-              "firehose.amazonaws.com"
-            ]
-        },
-        "Effect": "Allow",
-        "Action": [
-          "kafka:CreateVpcConnection"
-        ],
-        "Resource": "cluster-arn"
-        }
-      ]
-    }
-
@@ -119,0 +108,3 @@ Amazon Data Firehose uses an IAM role for all the permissions that the Firehose
+If you choose Amazon MSK as the source for your Firehose stream, you must specify another IAM role that grants Amazon Data Firehose permissions to ingest source data from the specified Amazon MSK cluster. Make sure that the following trust policies are attached to that role so that Amazon Data Firehose can assume it.
+
+JSON
@@ -121,11 +111,0 @@ Amazon Data Firehose uses an IAM role for all the permissions that the Firehose
-    {
-    	"Version": "2012-10-17", 		 	 	 
-    	"Statement": [{
-    		"Sid": "",
-    		"Effect": "Allow",
-    		"Principal": {
-    			"Service": "firehose.amazonaws.com"
-    		},
-    		"Action": "sts:AssumeRole",
-    	}]
-    }
@@ -133 +113,2 @@ Amazon Data Firehose uses an IAM role for all the permissions that the Firehose
-If you choose Amazon MSK as the source for your Firehose stream, you must specify another IAM role that grants Amazon Data Firehose permissions to ingest source data from the specified Amazon MSK cluster. Make sure that the following trust policies are attached to that role so that Amazon Data Firehose can assume it.
+****
+    
@@ -152,25 +132,0 @@ If you choose Amazon MSK as the source for your Firehose stream, you must specif
-Make sure that this role that grants Amazon Data Firehose permissions to ingest source data from the specified Amazon MSK cluster grants the following permissions: 
-    
-    
-    {
-       "Version": "2012-10-17", 		 	 	       
-       "Statement": [{
-            "Effect":"Allow",
-            "Action": [
-               "kafka:GetBootstrapBrokers",
-               "kafka:DescribeCluster",
-               "kafka:DescribeClusterV2",
-               "kafka-cluster:Connect"
-             ],
-             "Resource": "CLUSTER-ARN"
-           },
-           {
-             "Effect":"Allow",
-             "Action": [
-               "kafka-cluster:DescribeTopic",
-               "kafka-cluster:DescribeTopicDynamicConfiguration",
-               "kafka-cluster:ReadData"
-             ],
-             "Resource": "TOPIC-ARN"
-           }]
-    }
@@ -177,0 +134 @@ Make sure that this role that grants Amazon Data Firehose permissions to ingest
+Make sure that this role that grants Amazon Data Firehose permissions to ingest source data from the specified Amazon MSK cluster grants the following permissions: 
@@ -184 +141,2 @@ If your Firehose stream performs data-format conversion, Amazon Data Firehose re
-    [{
+    {
+        "Sid": "",
@@ -191,9 +149,11 @@ If your Firehose stream performs data-format conversion, Amazon Data Firehose re
-        "Resource": "table-arn"
-    }, {
-        "Sid": "GetSchemaVersion",
-        "Effect": "Allow",
-        "Action": [
-            "glue:GetSchemaVersion"
-        ],
-        "Resource": ["*"]
-    }]
+        "Resource": [
+            "arn:aws:glue:us-east-1:123456789012:catalog",
+            "arn:aws:glue:us-east-1:123456789012:database/b",
+            "arn:aws:glue:us-east-1:123456789012:table/b/easd"
+        ]
+    },
+    {
+          actions: ['glue:GetSchemaVersion'],
+          grantee: options.role,
+          resourceArns: ['*'],
+    }
@@ -208,0 +169,6 @@ Use the following access policy to enable Amazon Data Firehose to access your S3
+JSON
+    
+
+****
+    
+    
@@ -323,0 +291,6 @@ Create a policy and choose **JSON** in the policy editor. Add the following inli
+JSON
+    
+
+****
+    
+    
@@ -442,83 +415,0 @@ You must have an IAM role before you create a Firehose stream and Apache Iceberg
-        {
-        "Version": "2012-10-17", 		 	 	   
-        "Statement":
-        [    
-            {      
-                "Effect": "Allow",      
-                "Action": [
-                    "glue:GetTable",
-                    "glue:GetDatabase",
-                    "glue:UpdateTable"
-                ],      
-                "Resource": [   
-                    "arn:aws:glue:us-east-1:123456789012>:catalog",
-                    "arn:aws:glue:us-east-1:123456789012>:database/*",
-                    "arn:aws:glue:us-east-1:123456789012>:table/*/*"             
-                ]    
-            },        
-            {      
-                "Effect": "Allow",      
-                "Action": [
-                    "s3:AbortMultipartUpload",
-                    "s3:GetBucketLocation",
-                    "s3:GetObject",
-                    "s3:ListBucket",
-                    "s3:ListBucketMultipartUploads",
-                    "s3:PutObject",
-                    "s3:DeleteObject"
-                ],      
-                "Resource": [   
-                    "arn:aws::s3:::amzn-s3-demo-bucket",
-                    "arn:aws:s3:::amzn-s3-demo-bucket/*"              
-                ]    
-            },      
-            {
-                "Effect": "Allow",
-                "Action": [
-                    "kinesis:DescribeStream",
-                    "kinesis:GetShardIterator",
-                    "kinesis:GetRecords",
-                    "kinesis:ListShards"
-                ],
-                "Resource": "arn:aws:kinesis:us-east-1:123456789012:stream/<stream-name>"
-            },
-            {
-               "Effect": "Allow",
-               "Action": [
-                   "kms:Decrypt",
-                   "kms:GenerateDataKey"
-               ],
-               "Resource": [
-                   "arn:aws:kms:us-east-1:<123456789012:key/<key-id>"           
-               ],
-               "Condition": {
-                   "StringEquals": {
-                       "kms:ViaService": "s3.region.amazonaws.com"
-                   },
-                   "StringLike": {
-                       "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::amzn-s3-demo-bucket/prefix*"
-                   }
-               }
-            },
-            {
-               "Effect": "Allow",
-               "Action": [
-                   "logs:PutLogEvents"
-               ],
-               "Resource": [
-                   "arn:aws:logs:us-east-1:123456789012>:log-group:<log-group-name>:log-stream:<log-stream-name>"
-               ]
-            },
-            {
-               "Effect": "Allow", 
-               "Action": [
-                   "lambda:InvokeFunction", 
-                   "lambda:GetFunctionConfiguration" 
-               ],
-               "Resource": [
-                   "arn:aws:lambda:us-east-1:123456789012>:function:<function-name>:<function-version>"
-               ]
-            }
-        ]