AWS config documentation change
Summary
Updated AWS_ConfigRole and AWSConfigServiceRolePolicy managed policies to include additional permissions for multiple AWS services (Amplify, AppSync, Bedrock, etc.) and adjusted service name references from 'AWS CloudFormation' to 'CloudFormation'
Security assessment
The change expands permissions for multiple services in managed policies but does not indicate remediation of a security vulnerability. While IAM policy updates can impact security posture, there is no explicit evidence this addresses a specific security issue or introduces new security controls.
Diff
diff --git a/config/latest/developerguide/security-iam-awsmanpol.md b/config/latest/developerguide/security-iam-awsmanpol.md index 6cd889d16..859058022 100644 --- a//config/latest/developerguide/security-iam-awsmanpol.md +++ b//config/latest/developerguide/security-iam-awsmanpol.md @@ -182,2 +182,2 @@ AWS_ConfigRole – Updated managed policy with comprehensive permissions for AWS -AWS_ConfigRole – add "amplify:GetDomainAssociation" "amplify:ListDomainAssociations" "amplify:ListTagsForResource" "appsync:GetSourceApiAssociation" "appsync:ListSourceApiAssociations" "bedrock:GetFlow" "bedrock:ListAgentCollaborators" "bedrock:ListFlows" "bedrock:ListPrompts" "cloudTrail:GetResourcePolicy" "cloudformation:DescribePublisher" "codeartifact:DescribePackageGroup" "codeartifact:ListAllowedRepositoriesForGroup" "codeartifact:ListPackageGroups" "codepipeline:ListActionTypes" "codepipeline:ListTagsForResource" "codepipeline:ListWebhooks" "connect:DescribeTrafficDistributionGroup" "connect:ListTrafficDistributionGroups" "deadline:ListFarms" "ec2:GetTransitGatewayRouteTablePropagations" "ec2:SearchLocalGatewayRoutes" "ec2:SearchTransitGatewayMulticastGroups" "entityresolution:GetMatchingWorkflow" "entityresolution:ListMatchingWorkflows" "iotsitewise:ListAssetModelCompositeModels" "iotsitewise:ListAssetModelProperties" "iotsitewise:ListAssetProperties" "iotsitewise:ListAssociatedAssets" "ivs:ListPublicKeys" "lambda:GetProvisionedConcurrencyConfig" "lambda:GetRuntimeManagementConfig" "lambda:ListFunctionEventInvokeConfigs" "lambda:ListFunctionUrlConfigs" "pipes:DescribePipe" "pipes:ListPipes" "quicksight:DescribeRefreshSchedule" "quicksight:ListRefreshSchedules" "redshift-serverless:ListSnapshotCopyConfigurations" "redshift:GetResourcePolicy" "rolesanywhere:GetCrl" "rolesanywhere:ListCrls" "sagemaker:DescribeApp" "sagemaker:DescribeUserProfile" "sagemaker:ListApps" "sagemaker:ListModelPackages" "sagemaker:ListUserProfiles" "secretsmanager:GetResourcePolicy" "securitylake:ListSubscribers" "securitylake:ListTagsForResource" "servicecatalog:DescribeServiceAction" "servicecatalog:ListApplications" "servicecatalog:ListAssociatedResources" "shield:ListProtectionGroups" "shield:ListTagsForResource" "ssm-incidents:GetReplicationSet" "ssm-incidents:ListReplicationSets" "ssm:DescribeAssociation" "ssm:DescribePatchBaselines" "ssm:GetDefaultPatchBaseline" "ssm:GetPatchBaseline" "ssm:GetResourcePolicies" "ssm:ListAssociations" "ssm:ListResourceDataSync" "wafv2:ListLoggingConfigurations" "bedrock-agentcore:ListCodeInterpreters" "bedrock-agentcore:GetCodeInterpreter" "bedrock-agentcore:ListBrowsers" "bedrock-agentcore:GetBrowser" "bedrock-agentcore:ListAgentRuntimes" "bedrock-agentcore:GetAgentRuntime" "bedrock-agentcore:ListAgentRuntimeEndpoints" "bedrock-agentcore:GetAgentRuntimeEndpoint" | This policy now supports additional permissions for AWS Amplify, AWS AppSync, Amazon Bedrock, AWS CloudTrail, AWS CloudFormation, AWS CodeArtifact, AWS CodePipeline, Amazon Connect, AWS Deadline Cloud, Amazon EC2, AWS Entity Resolution, AWS IoT SiteWise, Amazon IVS, AWS Lambda, Amazon EventBridge, Amazon Quick Suite, Amazon Redshift, Amazon Redshift Serverless, AWS Identity and Access Management Roles Anywhere, Amazon SageMaker, AWS Secrets Manager, Amazon Security Lake, AWS Service Catalog, AWS Shield, Amazon EC2 Systems Manager, and AWS WAFV2. | October 1, 2025 -AWSConfigServiceRolePolicy – add "amplify:GetDomainAssociation" "amplify:ListDomainAssociations" "amplify:ListTagsForResource" "appsync:GetSourceApiAssociation" "appsync:ListSourceApiAssociations" "bedrock:GetFlow" "bedrock:ListAgentCollaborators" "bedrock:ListFlows" "bedrock:ListPrompts" "cloudTrail:GetResourcePolicy" "cloudformation:DescribePublisher" "codeartifact:DescribePackageGroup" "codeartifact:ListAllowedRepositoriesForGroup" "codeartifact:ListPackageGroups" "codepipeline:ListActionTypes" "codepipeline:ListTagsForResource" "codepipeline:ListWebhooks" "connect:DescribeTrafficDistributionGroup" "connect:ListTrafficDistributionGroups" "deadline:ListFarms" "ec2:GetTransitGatewayRouteTablePropagations" "ec2:SearchLocalGatewayRoutes" "ec2:SearchTransitGatewayMulticastGroups" "entityresolution:GetMatchingWorkflow" "entityresolution:ListMatchingWorkflows" "iotsitewise:ListAssetModelCompositeModels" "iotsitewise:ListAssetModelProperties" "iotsitewise:ListAssetProperties" "iotsitewise:ListAssociatedAssets" "ivs:ListPublicKeys" "lambda:GetProvisionedConcurrencyConfig" "lambda:GetRuntimeManagementConfig" "lambda:ListFunctionEventInvokeConfigs" "lambda:ListFunctionUrlConfigs" "pipes:DescribePipe" "pipes:ListPipes" "quicksight:DescribeRefreshSchedule" "quicksight:ListRefreshSchedules" "redshift-serverless:ListSnapshotCopyConfigurations" "redshift:GetResourcePolicy" "rolesanywhere:GetCrl" "rolesanywhere:ListCrls" "sagemaker:DescribeApp" "sagemaker:DescribeUserProfile" "sagemaker:ListApps" "sagemaker:ListModelPackages" "sagemaker:ListUserProfiles" "secretsmanager:GetResourcePolicy" "securitylake:ListSubscribers" "securitylake:ListTagsForResource" "servicecatalog:DescribeServiceAction" "servicecatalog:ListApplications" "servicecatalog:ListAssociatedResources" "shield:ListProtectionGroups" "shield:ListTagsForResource" "ssm-incidents:GetReplicationSet" "ssm-incidents:ListReplicationSets" "ssm:DescribeAssociation" "ssm:DescribePatchBaselines" "ssm:GetDefaultPatchBaseline" "ssm:GetPatchBaseline" "ssm:GetResourcePolicies" "ssm:ListAssociations" "ssm:ListResourceDataSync" "wafv2:ListLoggingConfigurations" "bedrock-agentcore:ListCodeInterpreters" "bedrock-agentcore:GetCodeInterpreter" "bedrock-agentcore:ListBrowsers" "bedrock-agentcore:GetBrowser" "bedrock-agentcore:ListAgentRuntimes" "bedrock-agentcore:GetAgentRuntime" "bedrock-agentcore:ListAgentRuntimeEndpoints" "bedrock-agentcore:GetAgentRuntimeEndpoint" | This policy now supports additional permissions for AWS Amplify, AWS AppSync, Amazon Bedrock, AWS CloudTrail, AWS CloudFormation, AWS CodeArtifact, AWS CodePipeline, Amazon Connect, AWS Deadline Cloud, Amazon EC2, AWS Entity Resolution, AWS IoT SiteWise, Amazon IVS, AWS Lambda, Amazon EventBridge, Amazon Quick Suite, Amazon Redshift, Amazon Redshift Serverless, AWS Identity and Access Management Roles Anywhere, Amazon SageMaker, AWS Secrets Manager, Amazon Security Lake, AWS Service Catalog, AWS Shield, Amazon EC2 Systems Manager, and AWS WAFV2. | October 1, 2025 +AWS_ConfigRole – add "amplify:GetDomainAssociation" "amplify:ListDomainAssociations" "amplify:ListTagsForResource" "appsync:GetSourceApiAssociation" "appsync:ListSourceApiAssociations" "bedrock:GetFlow" "bedrock:ListAgentCollaborators" "bedrock:ListFlows" "bedrock:ListPrompts" "cloudTrail:GetResourcePolicy" "cloudformation:DescribePublisher" "codeartifact:DescribePackageGroup" "codeartifact:ListAllowedRepositoriesForGroup" "codeartifact:ListPackageGroups" "codepipeline:ListActionTypes" "codepipeline:ListTagsForResource" "codepipeline:ListWebhooks" "connect:DescribeTrafficDistributionGroup" "connect:ListTrafficDistributionGroups" "deadline:ListFarms" "ec2:GetTransitGatewayRouteTablePropagations" "ec2:SearchLocalGatewayRoutes" "ec2:SearchTransitGatewayMulticastGroups" "entityresolution:GetMatchingWorkflow" "entityresolution:ListMatchingWorkflows" "iotsitewise:ListAssetModelCompositeModels" "iotsitewise:ListAssetModelProperties" "iotsitewise:ListAssetProperties" "iotsitewise:ListAssociatedAssets" "ivs:ListPublicKeys" "lambda:GetProvisionedConcurrencyConfig" "lambda:GetRuntimeManagementConfig" "lambda:ListFunctionEventInvokeConfigs" "lambda:ListFunctionUrlConfigs" "pipes:DescribePipe" "pipes:ListPipes" "quicksight:DescribeRefreshSchedule" "quicksight:ListRefreshSchedules" "redshift-serverless:ListSnapshotCopyConfigurations" "redshift:GetResourcePolicy" "rolesanywhere:GetCrl" "rolesanywhere:ListCrls" "sagemaker:DescribeApp" "sagemaker:DescribeUserProfile" "sagemaker:ListApps" "sagemaker:ListModelPackages" "sagemaker:ListUserProfiles" "secretsmanager:GetResourcePolicy" "securitylake:ListSubscribers" "securitylake:ListTagsForResource" "servicecatalog:DescribeServiceAction" "servicecatalog:ListApplications" "servicecatalog:ListAssociatedResources" "shield:ListProtectionGroups" "shield:ListTagsForResource" "ssm-incidents:GetReplicationSet" "ssm-incidents:ListReplicationSets" "ssm:DescribeAssociation" "ssm:DescribePatchBaselines" "ssm:GetDefaultPatchBaseline" "ssm:GetPatchBaseline" "ssm:GetResourcePolicies" "ssm:ListAssociations" "ssm:ListResourceDataSync" "wafv2:ListLoggingConfigurations" "bedrock-agentcore:ListCodeInterpreters" "bedrock-agentcore:GetCodeInterpreter" "bedrock-agentcore:ListBrowsers" "bedrock-agentcore:GetBrowser" "bedrock-agentcore:ListAgentRuntimes" "bedrock-agentcore:GetAgentRuntime" "bedrock-agentcore:ListAgentRuntimeEndpoints" "bedrock-agentcore:GetAgentRuntimeEndpoint" | This policy now supports additional permissions for AWS Amplify, AWS AppSync, Amazon Bedrock, AWS CloudTrail, CloudFormation, AWS CodeArtifact, AWS CodePipeline, Amazon Connect, AWS Deadline Cloud, Amazon EC2, AWS Entity Resolution, AWS IoT SiteWise, Amazon IVS, AWS Lambda, Amazon EventBridge, Amazon Quick Suite, Amazon Redshift, Amazon Redshift Serverless, AWS Identity and Access Management Roles Anywhere, Amazon SageMaker, AWS Secrets Manager, Amazon Security Lake, AWS Service Catalog, AWS Shield, Amazon EC2 Systems Manager, and AWS WAFV2. | October 1, 2025 +AWSConfigServiceRolePolicy – add "amplify:GetDomainAssociation" "amplify:ListDomainAssociations" "amplify:ListTagsForResource" "appsync:GetSourceApiAssociation" "appsync:ListSourceApiAssociations" "bedrock:GetFlow" "bedrock:ListAgentCollaborators" "bedrock:ListFlows" "bedrock:ListPrompts" "cloudTrail:GetResourcePolicy" "cloudformation:DescribePublisher" "codeartifact:DescribePackageGroup" "codeartifact:ListAllowedRepositoriesForGroup" "codeartifact:ListPackageGroups" "codepipeline:ListActionTypes" "codepipeline:ListTagsForResource" "codepipeline:ListWebhooks" "connect:DescribeTrafficDistributionGroup" "connect:ListTrafficDistributionGroups" "deadline:ListFarms" "ec2:GetTransitGatewayRouteTablePropagations" "ec2:SearchLocalGatewayRoutes" "ec2:SearchTransitGatewayMulticastGroups" "entityresolution:GetMatchingWorkflow" "entityresolution:ListMatchingWorkflows" "iotsitewise:ListAssetModelCompositeModels" "iotsitewise:ListAssetModelProperties" "iotsitewise:ListAssetProperties" "iotsitewise:ListAssociatedAssets" "ivs:ListPublicKeys" "lambda:GetProvisionedConcurrencyConfig" "lambda:GetRuntimeManagementConfig" "lambda:ListFunctionEventInvokeConfigs" "lambda:ListFunctionUrlConfigs" "pipes:DescribePipe" "pipes:ListPipes" "quicksight:DescribeRefreshSchedule" "quicksight:ListRefreshSchedules" "redshift-serverless:ListSnapshotCopyConfigurations" "redshift:GetResourcePolicy" "rolesanywhere:GetCrl" "rolesanywhere:ListCrls" "sagemaker:DescribeApp" "sagemaker:DescribeUserProfile" "sagemaker:ListApps" "sagemaker:ListModelPackages" "sagemaker:ListUserProfiles" "secretsmanager:GetResourcePolicy" "securitylake:ListSubscribers" "securitylake:ListTagsForResource" "servicecatalog:DescribeServiceAction" "servicecatalog:ListApplications" "servicecatalog:ListAssociatedResources" "shield:ListProtectionGroups" "shield:ListTagsForResource" "ssm-incidents:GetReplicationSet" "ssm-incidents:ListReplicationSets" "ssm:DescribeAssociation" "ssm:DescribePatchBaselines" "ssm:GetDefaultPatchBaseline" "ssm:GetPatchBaseline" "ssm:GetResourcePolicies" "ssm:ListAssociations" "ssm:ListResourceDataSync" "wafv2:ListLoggingConfigurations" "bedrock-agentcore:ListCodeInterpreters" "bedrock-agentcore:GetCodeInterpreter" "bedrock-agentcore:ListBrowsers" "bedrock-agentcore:GetBrowser" "bedrock-agentcore:ListAgentRuntimes" "bedrock-agentcore:GetAgentRuntime" "bedrock-agentcore:ListAgentRuntimeEndpoints" "bedrock-agentcore:GetAgentRuntimeEndpoint" | This policy now supports additional permissions for AWS Amplify, AWS AppSync, Amazon Bedrock, AWS CloudTrail, CloudFormation, AWS CodeArtifact, AWS CodePipeline, Amazon Connect, AWS Deadline Cloud, Amazon EC2, AWS Entity Resolution, AWS IoT SiteWise, Amazon IVS, AWS Lambda, Amazon EventBridge, Amazon Quick Suite, Amazon Redshift, Amazon Redshift Serverless, AWS Identity and Access Management Roles Anywhere, Amazon SageMaker, AWS Secrets Manager, Amazon Security Lake, AWS Service Catalog, AWS Shield, Amazon EC2 Systems Manager, and AWS WAFV2. | October 1, 2025