AWS Security ChangesHomeSearch

AWS iotanalytics documentation change

Service: iotanalytics · 2025-10-25 · Documentation low

File: iotanalytics/latest/userguide/security_iam_id-based-policy-examples.md

Summary

Updated IAM policy resource ARNs to include region/account wildcards and corrected example placeholders.

Security assessment

Adjusts policies to use broader wildcards (e.g., arn:aws:iotanalytics:*:*:*) for scalability but does not fix a security flaw. Enhances security policy documentation.

Diff

diff --git a/iotanalytics/latest/userguide/security_iam_id-based-policy-examples.md b/iotanalytics/latest/userguide/security_iam_id-based-policy-examples.md
index 00081dd6a..0270a9ef1 100644
--- a//iotanalytics/latest/userguide/security_iam_id-based-policy-examples.md
+++ b//iotanalytics/latest/userguide/security_iam_id-based-policy-examples.md
@@ -50,0 +51,6 @@ To ensure that those entities can still use the AWS IoT Analytics console, also
+JSON
+    
+
+****
+    
+    
@@ -93,4 +99,4 @@ To ensure that those entities can still use the AWS IoT Analytics console, also
-                 "Resource": "arn:${Partition}:iotanalytics:${Region}:${Account}:channel/${channelName}",
-                 "Resource": "arn:${Partition}:iotanalytics:${Region}:${Account}:dataset/${datasetName}",
-                 "Resource": "arn:${Partition}:iotanalytics:${Region}:${Account}:datastore/${datastoreName}",
-                 "Resource": "arn:${Partition}:iotanalytics:${Region}:${Account}:pipeline/${pipelineName}"
+                 "Resource": "arn:aws:iotanalytics:us-east-1:123456789012:channel/your-channel-name",
+                 "Resource": "arn:aws:iotanalytics:us-east-1:123456789012:dataset/your-datasetName",
+                 "Resource": "arn:aws:iotanalytics:us-east-1:123456789012:datastore/your-datastoreName",
+                 "Resource": "arn:aws:iotanalytics:us-east-1:123456789012:pipeline/your-pipelineName"
@@ -106,0 +114,6 @@ This example shows how you might create a policy that allows users to view the i
+JSON
+    
+
+****
+    
+    
@@ -122 +135 @@ This example shows how you might create a policy that allows users to view the i
-                    "arn:aws:iam::*:user/${aws:username}"
+                    "arn:aws:iam:*:*:user/username"
@@ -148,0 +163,6 @@ The policy grants the `iotanalytics:ListChannels, iotanalytics:DescribeChannel,
+JSON
+    
+
+****
+    
+    
@@ -159 +179 @@ The policy grants the `iotanalytics:ListChannels, iotanalytics:DescribeChannel,
-             "Resource":"arn:aws:iotanalytics:::*"
+             "Resource":"arn:aws:iotanalytics:*:*:*"
@@ -167 +187 @@ The policy grants the `iotanalytics:ListChannels, iotanalytics:DescribeChannel,
-             "Resource":"arn:aws:iotanalytics:::exampleChannel"
+             "Resource":"arn:aws:iotanalytics:*:*:exampleChannel"
@@ -179 +199 @@ The policy grants the `iotanalytics:ListChannels, iotanalytics:DescribeChannel,
-             "Resource":"arn:aws:iotanalytics:::exampleChannel/*"
+             "Resource":"arn:aws:iotanalytics:*:*:exampleChannel/*"
@@ -187,0 +209,6 @@ You can use conditions in your identity-based policy to control access to AWS Io
+JSON
+    
+
+****
+    
+