AWS proton documentation change
Summary
Added detailed IAM policy example with CloudFormation/S3 permissions
Security assessment
Added example demonstrating security best practices with AWS:CalledVia condition to limit privilege escalation. Proactively guides secure policy creation without addressing existing vulnerabilities.
Diff
diff --git a/proton/latest/userguide/ag-components-example-cfn.md b/proton/latest/userguide/ag-components-example-cfn.md index a9bf936b0..718177243 100644 --- a//proton/latest/userguide/ag-components-example-cfn.md +++ b//proton/latest/userguide/ag-components-example-cfn.md @@ -24,0 +25,53 @@ For this example, use the following policy: +JSON + + +**** + + + { + "Version":"2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "cloudformation:CancelUpdateStack", + "cloudformation:CreateChangeSet", + "cloudformation:DeleteChangeSet", + "cloudformation:DescribeStacks", + "cloudformation:ContinueUpdateRollback", + "cloudformation:DetectStackResourceDrift", + "cloudformation:DescribeStackResourceDrifts", + "cloudformation:DescribeStackEvents", + "cloudformation:CreateStack", + "cloudformation:DeleteStack", + "cloudformation:UpdateStack", + "cloudformation:DescribeChangeSet", + "cloudformation:ExecuteChangeSet", + "cloudformation:ListChangeSets", + "cloudformation:ListStackResources" + ], + "Resource": "arn:aws:cloudformation:*:123456789012:stack/AWSProton-*" + }, + { + "Effect": "Allow", + "Action": [ + "s3:CreateBucket", + "s3:DeleteBucket", + "s3:GetBucket*", + "iam:CreatePolicy", + "iam:DeletePolicy", + "iam:GetPolicy", + "iam:ListPolicyVersions", + "iam:DeletePolicyVersion" + ], + "Resource": "*", + "Condition": { + "ForAnyValue:StringEquals": { + "aws:CalledVia": "cloudformation.amazonaws.com" + } + } + } + ] + } + + @@ -94 +147 @@ The example shows how to write a robust service template that doesn't break if a - Type: 'AWS::S3::Bucket' + Type: AWS::S3::Bucket