AWS IAM documentation change
Summary
Added detailed JSON policy examples with organizational ID and principal ARN conditions
Security assessment
Provides security-focused policy examples demonstrating least-privilege patterns and organizational restrictions, but does not indicate remediation of a specific vulnerability.
Diff
diff --git a/IAM/latest/UserGuide/access-analyzer-policy-generation.md b/IAM/latest/UserGuide/access-analyzer-policy-generation.md index f8607fe18..6779f384a 100644 --- a//IAM/latest/UserGuide/access-analyzer-policy-generation.md +++ b//IAM/latest/UserGuide/access-analyzer-policy-generation.md @@ -368,0 +369,36 @@ The following example policy allows `ListBucket` and `GetObject` for the bucket +JSON + + +**** + + + { + "Version":"2012-10-17", + "Statement": [ + { + "Sid": "PolicyGenerationBucketPolicy", + "Effect": "Allow", + "Principal": { + "AWS": "*" + }, + "Action": [ + "s3:GetObject", + "s3:ListBucket" + ], + "Resource": [ + "arn:aws:s3:::amzn-s3-demo-bucket", + "arn:aws:s3:::amzn-s3-demo-bucket/optional-prefix/AWSLogs/organization-id/${aws:PrincipalAccount}/*" + ], + "Condition": { + "StringEquals": { + "aws:PrincipalOrgID": "organization-id" + }, + "ArnLike": { + "aws:PrincipalArn": "arn:aws:iam:::${aws:PrincipalAccount}:role/service-role/AccessAnalyzerMonitorServiceRole*" + } + } + } + ] + } + + @@ -370,0 +407,36 @@ The following example policy allows `ListBucket` and `GetObject` for the bucket +JSON + + +**** + + + { + "Version":"2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "*" + }, + "Action": "kms:Decrypt", + "Resource": "*", + "Condition": { + "StringEquals": { + "kms:EncryptionContext:aws:cloudtrail:arn": "CROSS_ACCOUNT_ORG_TRAIL_FULL_ARN", + "aws:PrincipalOrgID": "organization-id" + }, + "StringLike": { + "kms:ViaService": [ + "access-analyzer.*.amazonaws.com", + "s3.*.amazonaws.com" + ] + }, + "ArnLike": { + "aws:PrincipalArn": "arn:aws:iam:::${aws:PrincipalAccount}:role/service-role/AccessAnalyzerMonitorServiceRole*" + } + } + } + ] + } + +