AWS dms medium security documentation change
Summary
Updated IAM policy documentation to expand S3 bucket permissions for premigration assessments, modified resource conditions to use account-based constraints instead of tags, and added changelog entry for policy updates.
Security assessment
The change replaces tag-based resource conditions with account-based constraints (aws:ResourceAccount), reducing potential over-permission risks. It also adds explicit S3 bucket ARNs (dms-premigration-results-*) and restricts task permissions to specific ARNs, improving least-privilege adherence. The changelog explicitly states these updates relate to security policy expansions.
Diff
diff --git a/dms/latest/userguide/security-iam-awsmanpol.md b/dms/latest/userguide/security-iam-awsmanpol.md index d8c0e0759..ff06c5f69 100644 --- a//dms/latest/userguide/security-iam-awsmanpol.md +++ b//dms/latest/userguide/security-iam-awsmanpol.md @@ -92 +92 @@ JSON -This policy is attached to the `AWSServiceRoleForDMSServerless` role, which allows AWS DMS to perform actions on your behalf. For more information, see [Service-linked role for AWS DMS Serverless](./slr-services-sl.html). +This policy is attached to the `AWSServiceRoleForDMSServerless` role, which allows AWS DMS to perform actions on your behalf. For more information, see [Service-linked role for AWS DMS](./slr-services-sl.html). @@ -102 +102 @@ This policy includes the following permissions. - * **Amazon S3** – Allows S3 to create an S3 bucket to store a serverless premigration assessment. The serverless premigration assessment result will be stored with a `dms-severless-premigration-assessment-<UUID>` prefix. The S3 bucket is created for one user per Region and its bucket policy limits access to only the service's service role. + * **Amazon S3** – Allows DMS to create an S3 bucket to store a premigration assessment. The S3 bucket is created for one user per Region and its bucket policy limits access to only the service's service role. @@ -107,6 +106,0 @@ This policy includes the following permissions. -JSON - - -**** - - @@ -183 +177,2 @@ JSON - "arn:aws:s3:::dms-serverless-premigration-results-*" + "arn:aws:s3:::dms-serverless-premigration-results-*", + "arn:aws:s3:::dms-premigration-results-*" @@ -201 +196,2 @@ JSON - "arn:aws:s3:::dms-serverless-premigration-results-*" + "arn:aws:s3:::dms-serverless-premigration-results-*", + "arn:aws:s3:::dms-premigration-results-*" @@ -216 +212 @@ JSON - "*" + "arn:aws:dms:*:*:task:*" @@ -219,2 +215,2 @@ JSON - "StringEqualsIgnoreCase": { - "aws:ResourceTag/ResourceCreatedBy": "DMSServerless" + "StringEquals": { + "aws:ResourceAccount": "${aws:PrincipalAccount}" @@ -436,0 +432 @@ Change | Description | Date +AWSDMSServerlessServiceRolePolicy – Change | AWS DMS updated `AWSDMSServerlessServiceRolePolicy` to allow DMS to create S3 buckets and put premigration assessment results into those buckets for replication tasks not related to DMS serverless. | November 5, 2025