AWS timestream documentation change
Summary
Added JSON examples for IAM policies enforcing tag-based access control (Owner tag matching username) and DescribeDatabase/TagResource permissions
Security assessment
The changes demonstrate security best practices for granular access control using resource tags and conditional policies, but there's no evidence of addressing a specific security vulnerability
Diff
diff --git a/timestream/latest/developerguide/security_iam_id-based-policy-examples.md b/timestream/latest/developerguide/security_iam_id-based-policy-examples.md index 62de4f42e..6e350731b 100644 --- a//timestream/latest/developerguide/security_iam_id-based-policy-examples.md +++ b//timestream/latest/developerguide/security_iam_id-based-policy-examples.md @@ -514,0 +515,25 @@ The following example shows how you can create a policy that grants permissions +JSON + + +**** + + + + { + "Version":"2012-10-17", + "Statement": [ + { + "Sid": "ReadOnlyAccessTaggedTables", + "Effect": "Allow", + "Action": "timestream:Select", + "Resource": "arn:aws:timestream:us-east-2:111122223333:database/mydatabase/table/*", + "Condition": { + "StringEquals": { + "aws:ResourceTag/Owner": "${aws:username}" + } + } + } + ] + } + + @@ -518,0 +544,28 @@ The following policy grants permissions to a user to create tables with tags if +JSON + + +**** + + + + { + "Version":"2012-10-17", + "Statement": [ + { + "Sid": "CreateTagTableUser", + "Effect": "Allow", + "Action": [ + "timestream:CreateTable", + "timestream:TagResource" + ], + "Resource": "arn:aws:timestream:us-east-2:111122223333:database/mydatabase/table/*", + "Condition": { + "ForAnyValue:StringEquals": { + "aws:RequestTag/Owner": "${aws:username}" + } + } + } + ] + } + + @@ -520,0 +574,39 @@ The policy below allows use of the `DescribeDatabase` API on any Database that h +JSON + + +**** + + + + { + "Version":"2012-10-17", + "Statement": [ + { + "Sid": "AllowDescribe", + "Effect": "Allow", + "Action": [ + "timestream:DescribeEndpoints", + "timestream:DescribeDatabase" + ], + "Resource": "*" + }, + { + "Sid": "AllowTagAccessForDevResources", + "Effect": "Allow", + "Action": [ + "timestream:TagResource" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "aws:RequestTag/env": [ + "test", + "dev" + ] + } + } + } + ] + } + +