AWS managedservices high security documentation change
Summary
Added new security controls 9.6 and 9.7 restricting IAM user permissions for SSPS services
Security assessment
The added controls explicitly address security risks by limiting IAM users with infrastructure-mutating permissions and policies attached to users. This directly mitigates potential privilege escalation and unauthorized access risks.
Diff
diff --git a/managedservices/latest/userguide/ams-sec-stand-controls.md b/managedservices/latest/userguide/ams-sec-stand-controls.md index cf8959d00..07c4d707b 100644 --- a//managedservices/latest/userguide/ams-sec-stand-controls.md +++ b//managedservices/latest/userguide/ams-sec-stand-controls.md @@ -186,0 +187,2 @@ ID | Technical standard +9.6 | SSPS that require IAM users with programmatic access (through access keys) and with any infrastructure-mutating permissions (write, permission management, or tagging) in the customer account must not be provisioned without risk acceptance. +9.7 | Policies created for SSPS services must not be attached to IAM users without risk acceptance.