AWS Security ChangesHomeSearch

AWS resilience-hub documentation change

Service: resilience-hub · 2025-10-25 · Documentation medium

File: resilience-hub/latest/userguide/security-iam-resilience-hub-terraform-secondary.md

Summary

Removed detailed S3/KMS bucket policy examples and replaced with placeholder markers

Security assessment

Structural change to policy documentation. Removal of explicit examples could increase misconfiguration risk but doesn't fix a known vulnerability.

Diff

diff --git a/resilience-hub/latest/userguide/security-iam-resilience-hub-terraform-secondary.md b/resilience-hub/latest/userguide/security-iam-resilience-hub-terraform-secondary.md
index 54f5f10c6..1a445c220 100644
--- a//resilience-hub/latest/userguide/security-iam-resilience-hub-terraform-secondary.md
+++ b//resilience-hub/latest/userguide/security-iam-resilience-hub-terraform-secondary.md
@@ -19,22 +18,0 @@ The following Amazon S3 bucket policy and IAM policy are required to allow AWS R
-        {
-      "Version": "2012-10-17",
-      "Statement": [
-        {
-          "Effect": "Allow",
-          "Principal": {
-            "AWS": "arn:aws:iam::<primary-account>:role/<invoker-role-or-current-iam-role>"
-          },
-          "Action": "s3:GetObject",
-          "Resource": "arn:aws:s3:::<s3-bucket-name>/<path-to-state-file>"
-        },
-        {
-          "Effect": "Allow",
-          "Principal": {
-            "AWS": "arn:aws:iam::<primary-account>:role/<invoker-role-or-current-iam-role>"
-          },
-          "Action": "s3:ListBucket",
-          "Resource": "arn:aws:s3:::<s3-bucket-name>"
-        }
-      ]
-    }
-
@@ -42,0 +21,6 @@ The following Amazon S3 bucket policy and IAM policy are required to allow AWS R
+JSON
+    
+
+****
+    
+    
@@ -83,22 +67,0 @@ If your Terraform state files are encrypted using KMS, you must add the followin
-         {
-      "Version": "2012-10-17",
-      "Statement": [
-        {
-          "Effect": "Allow",
-          "Principal": {
-            "AWS": "arn:aws:iam::<primary-account>:role/<invoker-role-or-current-iam-role>"
-          },
-          "Action": "s3:GetObject",
-          "Resource": "arn:aws:s3:::<bucket-with-statefile-in-secondary-account>/<path-to-state-file>"
-        },
-        {
-          "Effect": "Allow",
-          "Principal": {
-            "AWS": "arn:aws:iam::<primary-account>:role/<invoker-role-or-current-iam-role>"
-          },
-          "Action": "s3:ListBucket",
-          "Resource": "arn:aws:s3:::<bucket-with-statefile-in-secondary-account>"
-        }
-      ]
-    }
-
@@ -107,22 +69,0 @@ If your Terraform state files are encrypted using KMS, you must add the followin
-        {
-      "Version": "2012-10-17",
-      "Statement": [
-        {
-          "Effect": "Allow",
-          "Principal": {
-            "AWS": "arn:aws:iam::<primary-account>:role/<invoker-role-or-current-iam-role>"
-          },
-          "Action": "s3:GetObject",
-          "Resource": "arn:aws:s3:::<bucket-with-statefile-in-secondary-account>/<path-to-state-file>"
-        },
-        {
-          "Effect": "Allow",
-          "Principal": {
-            "AWS": "arn:aws:iam::<primary-account>:role/<invoker-role-or-current-iam-role>"
-          },
-          "Action": "s3:ListBucket",
-          "Resource": "arn:aws:s3:::<bucket-with-statefile-in-secondary-account>"
-        }
-      ]
-    }
-