AWS cloudsearch documentation change
Summary
Removed multiple JSON policy examples related to CloudSearch IAM permissions and access control. Added a new JSON code block separator.
Security assessment
The changes remove specific IAM policy examples but do not explicitly address a security vulnerability or weakness. While IAM policies relate to security, the removal of examples appears to be documentation restructuring rather than addressing a concrete security issue.
Diff
diff --git a/cloudsearch/latest/developerguide/configuring-access.md b/cloudsearch/latest/developerguide/configuring-access.md index 8e7570ede..713b849d4 100644 --- a//cloudsearch/latest/developerguide/configuring-access.md +++ b//cloudsearch/latest/developerguide/configuring-access.md @@ -94,12 +93,0 @@ The following example shows how the ARN is used to specify the resource in a use - - { - "Version":"2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": ["cloudsearch:search"], - "Resource": "arn:aws:cloudsearch:us-east-1:111122223333:domain/movies" - } - ] - } - @@ -177,13 +164,0 @@ The following user-based policy grants read-only access to the configuration ser - - { - "Version":"2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": ["cloudsearch:Describe*", - "cloudsearch:List*"], - "Resource": "arn:aws:cloudsearch:us-east-1:555555555555:domain/movies" - } - ] - } - @@ -194,19 +168,0 @@ You can grant access to all Amazon CloudSearch configuration service actions by - - { - "Version":"2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": ["cloudsearch:*"], - "Resource": "arn:aws:cloudsearch:us-west-2:111122223333:domain/*" - }, - { - "Effect": "Deny", - "Action": ["cloudsearch:document", - "cloudsearch:search", - "cloudsearch:suggest"], - "Resource": "arn:aws:cloudsearch:us-west-2:111122223333:domain/*" - } - ] - } - @@ -217,12 +172,0 @@ You can grant unrestricted access to all Amazon CloudSearch services, including - - { - "Version":"2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": ["cloudsearch:*"], - "Resource": "arn:aws:cloudsearch:*:111122223333:domain/*" - } - ] - } - @@ -233,12 +176,0 @@ You can grant a user permission to upload documents to a search domain by specif - - { - "Version":"2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": ["cloudsearch:document"], - "Resource": "arn:aws:cloudsearch:us-east-1:111122223333:domain/movies" - } - ] - } - @@ -258,12 +189,0 @@ This topic provides an example of the second option, adding a resource-based pol - { - "Version":"2012-10-17", - "Statement":[ - { - "Sid":"search_only", - "Effect":"Allow", - "Action":["cloudsearch:search"], - "Principal":{"AWS":["arn:aws:iam::999999999999:root"]} - } - ] - } - @@ -271,0 +192,6 @@ This topic provides an example of the second option, adding a resource-based pol +JSON + + +**** + + @@ -304,14 +230,0 @@ For example, the following policy grants access to the search action for the `mo - - { - "Version":"2012-10-17", - "Statement":[ - { - "Sid":"search_only", - "Effect":"Allow", - "Principal":"*", - "Action":["cloudsearch:search"], - "Condition":{"IpAddress":{"aws:SourceIp":"192.0.2.0/32"}} - } - ] - } - @@ -328,13 +240,0 @@ For example, the following policy grants public access to the search action for - - { - "Version":"2012-10-17", - "Statement":[ - { - "Sid":"public_search", - "Effect":"Allow", - "Principal":"*", - "Action":["cloudsearch:search"] - } - ] - } -