AWS Security ChangesHomeSearch

AWS timestream documentation change

Service: timestream · 2025-11-25 · Documentation low

File: timestream/latest/developerguide/security_iam_id-based-policy-examples.md

Summary

Added JSON examples for IAM policies enforcing tag-based access control (Owner tag matching username) and DescribeDatabase/TagResource permissions

Security assessment

The changes demonstrate security best practices for granular access control using resource tags and conditional policies, but there's no evidence of addressing a specific security vulnerability

Diff

diff --git a/timestream/latest/developerguide/security_iam_id-based-policy-examples.md b/timestream/latest/developerguide/security_iam_id-based-policy-examples.md
index 62de4f42e..6e350731b 100644
--- a//timestream/latest/developerguide/security_iam_id-based-policy-examples.md
+++ b//timestream/latest/developerguide/security_iam_id-based-policy-examples.md
@@ -514,0 +515,25 @@ The following example shows how you can create a policy that grants permissions
+JSON
+    
+
+****
+    
+    
+    
+    {
+        "Version":"2012-10-17",		 	 	 
+        "Statement": [
+            {
+                "Sid": "ReadOnlyAccessTaggedTables",
+                "Effect": "Allow",
+                "Action": "timestream:Select",
+                "Resource": "arn:aws:timestream:us-east-2:111122223333:database/mydatabase/table/*",
+                "Condition": {
+                    "StringEquals": {
+                        "aws:ResourceTag/Owner": "${aws:username}"
+                    }
+                }
+            }
+        ]
+    }
+    
+
@@ -518,0 +544,28 @@ The following policy grants permissions to a user to create tables with tags if
+JSON
+    
+
+****
+    
+    
+    
+    {
+        "Version":"2012-10-17",		 	 	 
+        "Statement": [
+            {
+                "Sid": "CreateTagTableUser",
+                "Effect": "Allow",
+                "Action": [
+                    "timestream:CreateTable",
+                    "timestream:TagResource"
+                ],
+                "Resource": "arn:aws:timestream:us-east-2:111122223333:database/mydatabase/table/*",
+                "Condition": {
+                    "ForAnyValue:StringEquals": {
+                        "aws:RequestTag/Owner": "${aws:username}"
+                    }
+                }
+            }
+        ]
+    }
+    
+
@@ -520,0 +574,39 @@ The policy below allows use of the `DescribeDatabase` API on any Database that h
+JSON
+    
+
+****
+    
+    
+    
+    {
+        "Version":"2012-10-17",		 	 	 
+        "Statement": [
+            {
+                "Sid": "AllowDescribe",
+                "Effect": "Allow",
+                "Action": [
+                    "timestream:DescribeEndpoints",
+                    "timestream:DescribeDatabase"
+                ],
+                "Resource": "*"
+            },
+            {
+                "Sid": "AllowTagAccessForDevResources",
+                "Effect": "Allow",
+                "Action": [
+                    "timestream:TagResource"
+                ],
+                "Resource": "*",
+                "Condition": {
+                    "StringEquals": {
+                        "aws:RequestTag/env": [
+                            "test",
+                            "dev"
+                        ]
+                    }
+                }
+            }
+        ]
+    }
+    
+