AWS waf documentation change
Summary
Added pricing plan manager, Route 53, and CloudWatch permissions to example IAM policies; removed markdown formatting; updated service name reference
Security assessment
Changes expand example policies with new service permissions (pricingplanmanager, route53) but show no evidence of addressing security flaws. The CloudWatch:GetMetricData addition enables monitoring but isn't a security-specific feature.
Diff
diff --git a/waf/latest/developerguide/security_iam_id-based-policy-examples.md b/waf/latest/developerguide/security_iam_id-based-policy-examples.md index 53512c76c..fd730d3e0 100644 --- a//waf/latest/developerguide/security_iam_id-based-policy-examples.md +++ b//waf/latest/developerguide/security_iam_id-based-policy-examples.md @@ -50 +50 @@ Identity-based policies determine whether someone can create, access, or delete - * **Use conditions in IAM policies to further restrict access** – You can add a condition to your policies to limit access to actions and resources. For example, you can write a policy condition to specify that all requests must be sent using SSL. You can also use conditions to grant access to service actions if they are used through a specific AWS service, such as AWS CloudFormation. For more information, see [ IAM JSON policy elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the _IAM User Guide_. + * **Use conditions in IAM policies to further restrict access** – You can add a condition to your policies to limit access to actions and resources. For example, you can write a policy condition to specify that all requests must be sent using SSL. You can also use conditions to grant access to service actions if they are used through a specific AWS service, such as CloudFormation. For more information, see [ IAM JSON policy elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the _IAM User Guide_. @@ -111,6 +110,0 @@ The following policy grants users read-only access to AWS WAF resources, to Amaz -JSON - - -**** - - @@ -131,0 +126 @@ JSON + "cloudwatch:GetMetricData", @@ -134 +129,5 @@ JSON - "ec2:DescribeRegions" + "ec2:DescribeRegions", + "pricingplanmanager:GetSubscription", + "pricingplanmanager:ListSubscriptions", + "route53:ListHostedZones", + "route53:GetHostedZone" @@ -147,6 +145,0 @@ The following policy lets users perform any AWS WAF operation, perform any opera -JSON - - -**** - - @@ -173,0 +167,2 @@ JSON + "cloudfront:DeleteDistributionTenant", + "cloudwatch:GetMetricData", @@ -176 +171,10 @@ JSON - "ec2:DescribeRegions" + "ec2:DescribeRegions", + "pricingplanmanager:GetSubscription", + "pricingplanmanager:ListSubscriptions", + "pricingplanmanager:UpdateSubscription", + "pricingplanmanager:CancelSubscription", + "pricingplanmanager:CancelSubscriptionChange", + "pricingplanmanager:AssociateResourcesToSubscription", + "pricingplanmanager:DisassociateResourcesFromSubscription", + "route53:ListHostedZones", + "route53:GetHostedZone"