AWS xray documentation change
Summary
Simplified explanations about IAM policy Action and Resource elements. Removed detailed discussions about permission-only actions, dependent actions, and NotResource element requirements.
Security assessment
The changes condense IAM policy documentation without introducing or modifying security controls. No evidence of addressing vulnerabilities - this is a documentation cleanup/streamlining. However, removing the note about required Resource/NotResource elements could marginally impact security awareness for policy authors.
Diff
diff --git a/xray/latest/devguide/security_iam_service-with-iam.md b/xray/latest/devguide/security_iam_service-with-iam.md index 8c3b968b1..302629492 100644 --- a//xray/latest/devguide/security_iam_service-with-iam.md +++ b//xray/latest/devguide/security_iam_service-with-iam.md @@ -46,3 +46 @@ Administrators can use AWS JSON policies to specify who has access to what. That -The `Action` element of a JSON policy describes the actions that you can use to allow or deny access in a policy. Policy actions usually have the same name as the associated AWS API operation. There are some exceptions, such as _permission-only actions_ that don't have a matching API operation. There are also some operations that require multiple actions in a policy. These additional actions are called _dependent actions_. - -Include actions in a policy to grant permissions to perform the associated operation. +The `Action` element of a JSON policy describes the actions that you can use to allow or deny access in a policy. Include actions in a policy to grant permissions to perform the associated operation. @@ -70,3 +68 @@ Administrators can use AWS JSON policies to specify who has access to what. That -The `Resource` JSON policy element specifies the object or objects to which the action applies. Statements must include either a `Resource` or a `NotResource` element. As a best practice, specify a resource using its [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html). You can do this for actions that support a specific resource type, known as _resource-level permissions_. - -For actions that don't support resource-level permissions, such as listing operations, use a wildcard (*) to indicate that the statement applies to all resources. +The `Resource` JSON policy element specifies the object or objects to which the action applies. As a best practice, specify a resource using its [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html). For actions that don't support resource-level permissions, use a wildcard (*) to indicate that the statement applies to all resources.