AWS Security ChangesHomeSearch

AWS IAM documentation change

Service: IAM · 2025-10-25 · Documentation medium

File: IAM/latest/UserGuide/access-analyzer-policy-generation.md

Summary

Added detailed JSON policy examples with organizational ID and principal ARN conditions

Security assessment

Provides security-focused policy examples demonstrating least-privilege patterns and organizational restrictions, but does not indicate remediation of a specific vulnerability.

Diff

diff --git a/IAM/latest/UserGuide/access-analyzer-policy-generation.md b/IAM/latest/UserGuide/access-analyzer-policy-generation.md
index f8607fe18..6779f384a 100644
--- a//IAM/latest/UserGuide/access-analyzer-policy-generation.md
+++ b//IAM/latest/UserGuide/access-analyzer-policy-generation.md
@@ -368,0 +369,36 @@ The following example policy allows `ListBucket` and `GetObject` for the bucket
+JSON
+    
+
+****
+    
+    
+        {
+      "Version":"2012-10-17",		 	 	 
+      "Statement": [
+        {
+          "Sid": "PolicyGenerationBucketPolicy",
+          "Effect": "Allow",
+          "Principal": {
+            "AWS": "*"
+          },
+          "Action": [
+            "s3:GetObject",
+            "s3:ListBucket"
+          ],
+          "Resource": [
+            "arn:aws:s3:::amzn-s3-demo-bucket",
+            "arn:aws:s3:::amzn-s3-demo-bucket/optional-prefix/AWSLogs/organization-id/${aws:PrincipalAccount}/*"
+          ],
+          "Condition": {
+            "StringEquals": {
+              "aws:PrincipalOrgID": "organization-id"
+            },
+            "ArnLike": {
+              "aws:PrincipalArn": "arn:aws:iam:::${aws:PrincipalAccount}:role/service-role/AccessAnalyzerMonitorServiceRole*"
+            }
+          }
+        }
+      ]
+    }
+    
+
@@ -370,0 +407,36 @@ The following example policy allows `ListBucket` and `GetObject` for the bucket
+JSON
+    
+
+****
+    
+    
+        {
+      "Version":"2012-10-17",		 	 	 
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Principal": {
+            "AWS": "*"
+          },
+          "Action": "kms:Decrypt",
+          "Resource": "*",
+          "Condition": {
+            "StringEquals": {
+              "kms:EncryptionContext:aws:cloudtrail:arn": "CROSS_ACCOUNT_ORG_TRAIL_FULL_ARN",
+              "aws:PrincipalOrgID": "organization-id"
+            },
+            "StringLike": {
+              "kms:ViaService": [
+                "access-analyzer.*.amazonaws.com",
+                "s3.*.amazonaws.com"
+                ]
+            },
+            "ArnLike": {
+              "aws:PrincipalArn": "arn:aws:iam:::${aws:PrincipalAccount}:role/service-role/AccessAnalyzerMonitorServiceRole*"
+            }
+          }
+         }
+        ]
+    }
+    
+