AWS amplify medium security documentation change
Summary
Updated references from 'AWS CloudFormation' to 'CloudFormation' for consistency, and added/modified IAM policy permissions including S3 Block Public Access enforcement
Security assessment
The change adds `s3:PutBucketPublicAccessBlock` permission to enforce Amazon S3 Block Public Access - a security best practice. This directly addresses security by preventing unintended public access to S3 buckets. Other changes are terminology updates without security implications.
Diff
diff --git a/amplify/latest/userguide/security-iam-awsmanpol.md b/amplify/latest/userguide/security-iam-awsmanpol.md index 2d397082b..97ad6a2f8 100644 --- a//amplify/latest/userguide/security-iam-awsmanpol.md +++ b//amplify/latest/userguide/security-iam-awsmanpol.md @@ -45 +45 @@ This policy includes permissions to do the following . - * `AWS CloudFormation`– Create, update, and delete Amplify managed stacks. + * `CloudFormation`– Create, update, and delete Amplify managed stacks. @@ -81 +81 @@ AmplifyBackendDeployFullAccess – Update to an existing policy | Add the `clou -AdministratorAccess-Amplify – Update to an existing policy | Add the `cloudformation:TagResource` and `cloudformation:UnTagResource` permissions to support calls to AWS CloudFormation APIs. | April 4, 2024 +AdministratorAccess-Amplify – Update to an existing policy | Add the `cloudformation:TagResource` and `cloudformation:UnTagResource` permissions to support calls to CloudFormation APIs. | April 4, 2024 @@ -87 +87 @@ AdministratorAccess-Amplify – Update to an existing policy | Add the `ecr:Desc -AdministratorAccess-Amplify – Update to an existing policy | Add a policy action to support removing tags from an AWS AppSync resource. Add a policy action to support the Amazon Polly resource. Add a policy action to support updating the OpenSearch domain configuration. Add a policy action to support removing tags from an AWS Identity and Access Management role. Add a policy action to support removing tags from an Amazon DynamoDB resource. Add the `cloudfront:GetCloudFrontOriginAccessIdentity` and `cloudfront:GetCloudFrontOriginAccessIdentityConfig` permissions to the `CLISDKCalls` statement block to support the Amplify publish and hosting workflows. Add the `s3:PutBucketPublicAccessBlock` permission to the `CLIManageviaCFNPolicy` statement block to allow the AWS CLI to support the Amazon S3 security best practice of enabling the Amazon S3 Block Public Access feature on internal buckets. Add the `cloudformation:DescribeStacks` permission to the `CLISDKCalls` statement block to support retrieving customers’ AWS CloudFormation stacks on retries in the Amplify backend processor to avoid duplicating executions if a stack is updating. Add the `cloudformation:ListStacks` permission to the `CLICloudformationPolicy` statement block. This permission is required to fully support the CloudFormation DescribeStacks action. | February 24, 2023 +AdministratorAccess-Amplify – Update to an existing policy | Add a policy action to support removing tags from an AWS AppSync resource. Add a policy action to support the Amazon Polly resource. Add a policy action to support updating the OpenSearch domain configuration. Add a policy action to support removing tags from an AWS Identity and Access Management role. Add a policy action to support removing tags from an Amazon DynamoDB resource. Add the `cloudfront:GetCloudFrontOriginAccessIdentity` and `cloudfront:GetCloudFrontOriginAccessIdentityConfig` permissions to the `CLISDKCalls` statement block to support the Amplify publish and hosting workflows. Add the `s3:PutBucketPublicAccessBlock` permission to the `CLIManageviaCFNPolicy` statement block to allow the AWS CLI to support the Amazon S3 security best practice of enabling the Amazon S3 Block Public Access feature on internal buckets. Add the `cloudformation:DescribeStacks` permission to the `CLISDKCalls` statement block to support retrieving customers’ CloudFormation stacks on retries in the Amplify backend processor to avoid duplicating executions if a stack is updating. Add the `cloudformation:ListStacks` permission to the `CLICloudformationPolicy` statement block. This permission is required to fully support the CloudFormation DescribeStacks action. | February 24, 2023 @@ -93,2 +93,2 @@ AdministratorAccess-Amplify – Update to an existing policy | Add policy actio -AdministratorAccess-Amplify – Update to an existing policy | Add Amazon Lex actions to support the Amplify Interactions category. Add Amazon Rekognition actions to support the Amplify Predictions category. Add an Amazon Cognito action to support MFA configuration on Amazon Cognito user pools. Add CloudFormation actions to support AWS CloudFormation StackSets. Add Amazon Location Service actions to support the Amplify Geo category. Add a Lambda action to support Lambda layers in Amplify. Add CloudWatch Logs actions to support CloudWatch Events. Add Amazon S3 actions to support the Amplify Storage category. Add policy actions to support server-side rendered (SSR) apps. | September 27, 2021 -AdministratorAccess-Amplify – Update to an existing policy | Consolidate all Amplify actions into a single `amplify:*` action. Add an Amazon S3 action to support encrypting customer Amazon S3 buckets. Add IAM permission boundary actions to support Amplify apps that have permission boundaries enabled. Add Amazon SNS actions to support viewing origination phone numbers, and viewing, creating, verifying, and deleting destination phone numbers. Amplify Studio: Add Amazon Cognito, AWS Lambda, IAM, and AWS CloudFormation policy actions to enable managing backends in the Amplify console and Amplify Studio. Add an AWS Systems Manager (SSM) policy statement to manage Amplify environment secrets. Add an AWS CloudFormation `ListResources` action to support Lambda layers for Amplify apps. | July 28, 2021 +AdministratorAccess-Amplify – Update to an existing policy | Add Amazon Lex actions to support the Amplify Interactions category. Add Amazon Rekognition actions to support the Amplify Predictions category. Add an Amazon Cognito action to support MFA configuration on Amazon Cognito user pools. Add CloudFormation actions to support CloudFormation StackSets. Add Amazon Location Service actions to support the Amplify Geo category. Add a Lambda action to support Lambda layers in Amplify. Add CloudWatch Logs actions to support CloudWatch Events. Add Amazon S3 actions to support the Amplify Storage category. Add policy actions to support server-side rendered (SSR) apps. | September 27, 2021 +AdministratorAccess-Amplify – Update to an existing policy | Consolidate all Amplify actions into a single `amplify:*` action. Add an Amazon S3 action to support encrypting customer Amazon S3 buckets. Add IAM permission boundary actions to support Amplify apps that have permission boundaries enabled. Add Amazon SNS actions to support viewing origination phone numbers, and viewing, creating, verifying, and deleting destination phone numbers. Amplify Studio: Add Amazon Cognito, AWS Lambda, IAM, and CloudFormation policy actions to enable managing backends in the Amplify console and Amplify Studio. Add an AWS Systems Manager (SSM) policy statement to manage Amplify environment secrets. Add an CloudFormation `ListResources` action to support Lambda layers for Amplify apps. | July 28, 2021