AWS datasync documentation change
Summary
Removed inline IAM policy JSON definitions and replaced with links to AWS Managed Policy Reference documentation.
Security assessment
Change simplifies documentation maintenance by referencing centralized policy definitions rather than duplicating them. While IAM policies relate to security, this is a documentation structure change rather than a security update. No evidence of addressing vulnerabilities or adding new security guidance.
Diff
diff --git a/datasync/latest/userguide/security-iam-awsmanpol.md b/datasync/latest/userguide/security-iam-awsmanpol.md index b7f8235bf..f9d3af684 100644 --- a//datasync/latest/userguide/security-iam-awsmanpol.md +++ b//datasync/latest/userguide/security-iam-awsmanpol.md @@ -17,34 +17 @@ Additionally, AWS supports managed policies for job functions that span multiple -You can attach the `AWSDataSyncReadOnlyAccess` policy to your IAM identities. - -This policy grants read-only permissions for DataSync. - -JSON - - -**** - - - - { - "Version":"2012-10-17", - "Statement": [{ - "Sid": "DataSyncReadOnlyAccessPermissions", - "Effect": "Allow", - "Action": [ - "datasync:Describe*", - "datasync:List*", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "elasticfilesystem:DescribeFileSystems", - "elasticfilesystem:DescribeMountTargets", - "fsx:DescribeFileSystems", - "iam:GetRole", - "iam:ListRoles", - "logs:DescribeLogGroups", - "logs:DescribeResourcePolicies", - "s3:ListAllMyBuckets", - "s3:ListBucket" - ], - "Resource": "*" - }] - } +You can attach the `AWSDataSyncReadOnlyAccess` policy to your IAM identities. This policy grants read-only permissions for DataSync. @@ -51,0 +19 @@ JSON +To view the permissions for this policy, see [AWSDataSyncReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSDataSyncReadOnlyAccess.html) in the _AWS Managed Policy Reference_ . @@ -55,114 +23 @@ JSON -You can attach the `AWSDataSyncFullAccess` policy to your IAM identities. - -This policy grants administrative permissions for DataSync and is required for AWS Management Console access to the service. `AWSDataSyncFullAccess` provides full access to DataSync API operations and the operations that interact with related resources (such as Amazon S3 buckets, Amazon EFS file systems, AWS KMS keys, and Secrets Manager secrets). The policy also grants permissions for Amazon CloudWatch, including creating log groups and creating or updating a resource policy. - -JSON - - -**** - - - - { - "Version":"2012-10-17", - "Statement": [{ - "Sid": "DataSyncFullAccessPermissions", - "Effect": "Allow", - "Action": [ - "datasync:*", - "ec2:CreateNetworkInterface", - "ec2:CreateNetworkInterfacePermission", - "ec2:DeleteNetworkInterface", - "ec2:DescribeNetworkInterfaces", - "ec2:DescribeRegions", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVpcEndpoints", - "ec2:ModifyNetworkInterfaceAttribute", - "fsx:DescribeFileSystems", - "fsx:DescribeStorageVirtualMachines", - "elasticfilesystem:DescribeAccessPoints", - "elasticfilesystem:DescribeFileSystems", - "elasticfilesystem:DescribeMountTargets", - "iam:GetRole", - "iam:ListRoles", - "logs:CreateLogGroup", - "logs:DescribeLogGroups", - "logs:DescribeResourcePolicies", - "outposts:ListOutposts", - "s3:GetBucketLocation", - "s3:ListAllMyBuckets", - "s3:ListBucket", - "s3:ListBucketVersions", - "s3-outposts:ListAccessPoints", - "s3-outposts:ListRegionalBuckets", - "secretsmanager:ListSecrets", - "kms:ListAliases", - "kms:DescribeKey" - ], - "Resource": "*" - }, - { - "Sid": "DataSyncPassRolePermissions", - "Effect": "Allow", - "Action": [ - "iam:PassRole" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "iam:PassedToService": [ - "datasync.amazonaws.com" - ] - } - } - }, - { - "Sid": "DataSyncCreateSLRPermissions", - "Effect": "Allow", - "Action": [ - "iam:CreateServiceLinkedRole" - ], - "Resource": "arn:aws:iam::*:role/aws-service-role/datasync.amazonaws.com/AWSServiceRoleForDataSync", - "Condition": { - "StringEquals": { - "iam:AWSServiceName": "datasync.amazonaws.com" - } - } - }, - { - "Sid": "DataSyncSecretsManagerCreateAccess", - "Effect": "Allow", - "Action": [ - "secretsmanager:CreateSecret" - ], - "Resource": [ - "arn:*:secretsmanager:*:*:secret:aws-datasync!*" - ], - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - }, - { - "Sid": "DataSyncSecretsManagerAccess", - "Effect": "Allow", - "Action": [ - - "secretsmanager:DeleteSecret", - "secretsmanager:UpdateSecret", - "secretsmanager:PutSecretValue" - ], - "Resource": [ - "arn:aws:secretsmanager:*:*:secret:aws-datasync!*" - ], - "Condition": { - "StringEquals": { - "secretsmanager:ResourceTag/aws:secretsmanager:owningService": "aws-datasync", - "aws:ResourceAccount": "${aws:PrincipalAccount}" - } - } - } - ] - } +You can attach the `AWSDataSyncFullAccess` policy to your IAM identities. This policy grants administrative permissions for DataSync and is required for AWS Management Console access to the service. `AWSDataSyncFullAccess` provides full access to DataSync API operations and the operations that interact with related resources (such as Amazon S3 buckets, Amazon EFS file systems, AWS KMS keys, and Secrets Manager secrets). The policy also grants permissions for Amazon CloudWatch, including creating log groups and creating or updating a resource policy. @@ -169,0 +25 @@ JSON +To view the permissions for this policy, see [AWSDataSyncFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSDataSyncFullAccess.html) in the _AWS Managed Policy Reference_ .