AWS Security ChangesHomeSearch

AWS tag-editor medium security documentation change

Service: tag-editor · 2025-10-25 · Security-related medium

File: tag-editor/latest/userguide/gettingstarted-prereqs-permissions.md

Summary

Added concrete IAM policy examples with specific ARN patterns for tag management permissions

Security assessment

The change provides specific, secure IAM policy examples demonstrating principle of least privilege through allowlist/denylist strategies with concrete resource ARNs, improving security guidance

Diff

diff --git a/tag-editor/latest/userguide/gettingstarted-prereqs-permissions.md b/tag-editor/latest/userguide/gettingstarted-prereqs-permissions.md
index 41c61a74f..f6bfc59d5 100644
--- a//tag-editor/latest/userguide/gettingstarted-prereqs-permissions.md
+++ b//tag-editor/latest/userguide/gettingstarted-prereqs-permissions.md
@@ -7,2 +6,0 @@ Permissions for individual services Permissions required to use the Tag Editor c
-AWS has moved Tag Editor tag management functionality from the AWS Resource Groups console to the AWS Resource Explorer console. With Resource Explorer, you can search and filter resources and then manage resource tags from a single console. To learn more about managing resource tags in Resource Explorer, review [Managing resources](https://docs.aws.amazon.com/resource-explorer/latest/userguide/managing-resources.html#arex_console_quickactions) in the Resource Explorer user guide. 
-
@@ -59,0 +58,6 @@ An allowlist strategy takes advantage of the fact that access is denied by defau
+JSON
+    
+
+****
+    
+    
@@ -66 +70,4 @@ An allowlist strategy takes advantage of the fact that access is denied by defau
-                "Resource": "_< ARNs of resources to allow tagging>_"
+                "Resource": [
+                    "arn:aws:ec2:us-east-1:444455556666:*",
+                    "arn:aws:s3:::amzn-s3-demo-bucket2"
+                    ]
@@ -72,0 +81,6 @@ Alternatively, you could use a denylist strategy that allows access to all resou
+JSON
+    
+
+****
+    
+    
@@ -79 +93,4 @@ Alternatively, you could use a denylist strategy that allows access to all resou
-                "Resource": "_< ARNs of resources to disallow tagging>_"
+                "Resource": [
+                    "arn:aws:ec2:us-east-1:123456789012:instance:*",
+                    "arn:aws:s3:::amzn-s3-demo-bucket3"
+                 ]
@@ -131,0 +150,6 @@ To add a policy for using AWS Resource Groups and Tag Editor to a role, do the f
+JSON
+    
+
+****
+    
+