AWS resilience-hub documentation change
Summary
Removed detailed S3/KMS bucket policy examples and replaced with placeholder markers
Security assessment
Structural change to policy documentation. Removal of explicit examples could increase misconfiguration risk but doesn't fix a known vulnerability.
Diff
diff --git a/resilience-hub/latest/userguide/security-iam-resilience-hub-terraform-secondary.md b/resilience-hub/latest/userguide/security-iam-resilience-hub-terraform-secondary.md index 54f5f10c6..1a445c220 100644 --- a//resilience-hub/latest/userguide/security-iam-resilience-hub-terraform-secondary.md +++ b//resilience-hub/latest/userguide/security-iam-resilience-hub-terraform-secondary.md @@ -19,22 +18,0 @@ The following Amazon S3 bucket policy and IAM policy are required to allow AWS R - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::<primary-account>:role/<invoker-role-or-current-iam-role>" - }, - "Action": "s3:GetObject", - "Resource": "arn:aws:s3:::<s3-bucket-name>/<path-to-state-file>" - }, - { - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::<primary-account>:role/<invoker-role-or-current-iam-role>" - }, - "Action": "s3:ListBucket", - "Resource": "arn:aws:s3:::<s3-bucket-name>" - } - ] - } - @@ -42,0 +21,6 @@ The following Amazon S3 bucket policy and IAM policy are required to allow AWS R +JSON + + +**** + + @@ -83,22 +67,0 @@ If your Terraform state files are encrypted using KMS, you must add the followin - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::<primary-account>:role/<invoker-role-or-current-iam-role>" - }, - "Action": "s3:GetObject", - "Resource": "arn:aws:s3:::<bucket-with-statefile-in-secondary-account>/<path-to-state-file>" - }, - { - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::<primary-account>:role/<invoker-role-or-current-iam-role>" - }, - "Action": "s3:ListBucket", - "Resource": "arn:aws:s3:::<bucket-with-statefile-in-secondary-account>" - } - ] - } - @@ -107,22 +69,0 @@ If your Terraform state files are encrypted using KMS, you must add the followin - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::<primary-account>:role/<invoker-role-or-current-iam-role>" - }, - "Action": "s3:GetObject", - "Resource": "arn:aws:s3:::<bucket-with-statefile-in-secondary-account>/<path-to-state-file>" - }, - { - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::<primary-account>:role/<invoker-role-or-current-iam-role>" - }, - "Action": "s3:ListBucket", - "Resource": "arn:aws:s3:::<bucket-with-statefile-in-secondary-account>" - } - ] - } -