AWS Security ChangesHomeSearch

AWS dms medium security documentation change

Service: dms · 2025-11-13 · Security-related medium

File: dms/latest/userguide/security-iam-awsmanpol.md

Summary

Updated IAM policy documentation to expand S3 bucket permissions for premigration assessments, modified resource conditions to use account-based constraints instead of tags, and added changelog entry for policy updates.

Security assessment

The change replaces tag-based resource conditions with account-based constraints (aws:ResourceAccount), reducing potential over-permission risks. It also adds explicit S3 bucket ARNs (dms-premigration-results-*) and restricts task permissions to specific ARNs, improving least-privilege adherence. The changelog explicitly states these updates relate to security policy expansions.

Diff

diff --git a/dms/latest/userguide/security-iam-awsmanpol.md b/dms/latest/userguide/security-iam-awsmanpol.md
index d8c0e0759..ff06c5f69 100644
--- a//dms/latest/userguide/security-iam-awsmanpol.md
+++ b//dms/latest/userguide/security-iam-awsmanpol.md
@@ -92 +92 @@ JSON
-This policy is attached to the `AWSServiceRoleForDMSServerless` role, which allows AWS DMS to perform actions on your behalf. For more information, see [Service-linked role for AWS DMS Serverless](./slr-services-sl.html).
+This policy is attached to the `AWSServiceRoleForDMSServerless` role, which allows AWS DMS to perform actions on your behalf. For more information, see [Service-linked role for AWS DMS](./slr-services-sl.html).
@@ -102 +102 @@ This policy includes the following permissions.
-  * **Amazon S3** – Allows S3 to create an S3 bucket to store a serverless premigration assessment. The serverless premigration assessment result will be stored with a `dms-severless-premigration-assessment-<UUID>` prefix. The S3 bucket is created for one user per Region and its bucket policy limits access to only the service's service role.
+  * **Amazon S3** – Allows DMS to create an S3 bucket to store a premigration assessment. The S3 bucket is created for one user per Region and its bucket policy limits access to only the service's service role. 
@@ -107,6 +106,0 @@ This policy includes the following permissions.
-JSON
-    
-
-****
-    
-    
@@ -183 +177,2 @@ JSON
-    				"arn:aws:s3:::dms-serverless-premigration-results-*"
+                    "arn:aws:s3:::dms-serverless-premigration-results-*",
+                    "arn:aws:s3:::dms-premigration-results-*"
@@ -201 +196,2 @@ JSON
-    				"arn:aws:s3:::dms-serverless-premigration-results-*"
+                    "arn:aws:s3:::dms-serverless-premigration-results-*",
+                    "arn:aws:s3:::dms-premigration-results-*"
@@ -216 +212 @@ JSON
-    				"*"
+                    "arn:aws:dms:*:*:task:*"
@@ -219,2 +215,2 @@ JSON
-    				"StringEqualsIgnoreCase": {
-    					"aws:ResourceTag/ResourceCreatedBy": "DMSServerless"
+                    "StringEquals": {
+                        "aws:ResourceAccount": "${aws:PrincipalAccount}"
@@ -436,0 +432 @@ Change | Description | Date
+AWSDMSServerlessServiceRolePolicy – Change |  AWS DMS updated `AWSDMSServerlessServiceRolePolicy` to allow DMS to create S3 buckets and put premigration assessment results into those buckets for replication tasks not related to DMS serverless. | November 5, 2025