AWS Security ChangesHomeSearch

AWS transform documentation change

Service: transform · 2025-11-25 · Documentation medium

File: transform/latest/userguide/security-iam-awsmanpol.md

Summary

Updated AWS managed policies to add ECS deployment support, expanded permissions for EC2 networking/IAM role inspection/KMS encryption, and introduced new AWSTransformApplicationECSDeploymentPolicy with ECS/KMS/ECR security controls

Security assessment

The changes enhance security documentation by adding granular permissions (KMS encryption operations, IAM role inspection), implementing resource/tag-based access controls, and documenting encryption requirements for ECR. However, there's no evidence of addressing a specific vulnerability.

Diff

diff --git a/transform/latest/userguide/security-iam-awsmanpol.md b/transform/latest/userguide/security-iam-awsmanpol.md
index c9b826050..86828222c 100644
--- a//transform/latest/userguide/security-iam-awsmanpol.md
+++ b//transform/latest/userguide/security-iam-awsmanpol.md
@@ -5 +5 @@
-UpdatesAWSServiceRoleForAWSTransformAWSTransformApplicationDeploymentPolicy
+UpdatesAWSServiceRoleForAWSTransformAWSTransformApplicationDeploymentPolicyAWSTransformApplicationECSDeploymentPolicy
@@ -22,0 +23,2 @@ Change | Description | Date
+AWSTransformApplicationECSDeploymentPolicy – Updated policy |  Added IAM role inspection permissions, ECS service-linked role creation, and KMS permissions for ECR encryption support. | November 22, 2025  
+AWSTransformApplicationDeploymentPolicy – Updated policy |  Added EC2 networking permissions, IAM role inspection permissions, S3 bucket listing permissions, and KMS encryption support for enhanced deployment capabilities. | November 22, 2025  
@@ -43 +45 @@ This policy includes the following permissions:
-  * **CloudFormation** – Allows creating, updating, deleting, and describing CloudFormation stacks with names that start with AWSTransform-Deploy-Infra-stack. Stack operations are restricted to resources tagged with CreatedBy: AWSTransform and limited to the same AWS account.
+  * **CloudFormation** – Allows creating, updating, deleting, and describing CloudFormation stacks with names that start with AWSTransform. Stack operations are restricted to resources tagged with CreatedBy: AWSTransform and limited to the same AWS account.
@@ -45 +47 @@ This policy includes the following permissions:
-  * **Amazon EC2** – Allows describing VPCs, subnets, security groups, images, and instances. Permits running, starting, stopping, terminating, and modifying EC2 instances, but only when called through CloudFormation. Tag creation is restricted to specific allowed tag keys (Name, CreatedBy, CreatedFor, Environment) and only during instance launch.
+  * **Amazon EC2** – Allows describing VPCs, subnets, security groups, images, instances, route tables, and internet gateways. Permits running, starting, stopping, terminating, and modifying EC2 instances, but only when called through CloudFormation. Tag creation is restricted to specific allowed tag keys and only during CloudFormation operations.
@@ -47 +49 @@ This policy includes the following permissions:
-  * **AWS Identity and Access Management (IAM)** – Allows getting and passing the specific IAM role AWSTransform-Deploy-EC2-Instance-Role and accessing the instance profile AWSTransform-Deploy-EC2-Instance-Profile. Access is restricted to resources tagged with CreatedFor: AWSTransform.
+  * **AWS Identity and Access Management (IAM)** – Allows getting and passing specific IAM roles for AWSTransform deployment instances. Includes permissions to inspect role policies and attachments. Access is restricted to the same AWS account.
@@ -49 +51,5 @@ This policy includes the following permissions:
-  * **Amazon EC2 Systems Manager (SSM)** – Allows retrieving Amazon Linux AMI parameters from the AWS-managed parameter store.
+  * **Amazon EC2 Systems Manager (SSM)** – Allows retrieving Amazon Linux AMI parameters from the AWS-managed parameter store and sending commands to AWSTransform-tagged instances.
+
+  * **Amazon S3** – Allows managing objects in AWSTransform deployment buckets, including listing buckets and getting bucket locations within the same AWS account.
+
+  * **AWS Key Management Service (KMS)** – Allows encryption and decryption operations using KMS keys tagged for AWSTransform, with restrictions to S3 and EC2 service usage.
@@ -59,0 +66,29 @@ To view the policy permission details see [AWSTransformApplicationDeploymentPoli
+## AWS managed policy: AWSTransformApplicationECSDeploymentPolicy 
+
+This policy enables AWS Transform to deploy transformed applications to Amazon ECS by creating and managing ECS clusters, services, tasks, and associated resources. 
+
+**Description**
+
+This policy includes the following permissions:
+
+  * **CloudFormation** – Allows creating, updating, deleting, and describing CloudFormation stacks with names that start with AWSTransform. Stack operations are restricted to resources tagged with CreatedBy: AWSTransform and limited to the same AWS account.
+
+  * **Amazon ECS** – Allows creating, updating, and deleting ECS clusters, services, and task definitions. Permits running tasks, listing tasks, and describing task status. All operations are restricted to resources with names starting with AWSTransform and tagged with CreatedBy: AWSTransform.
+
+  * **AWS Identity and Access Management (IAM)** – Allows getting and passing specific IAM roles for ECS tasks (AWSTransform-Deploy-ECS-Task-Role and AWSTransform-Deploy-ECS-Execution-Role). Includes permissions to inspect role policies and create the ECS service-linked role when needed.
+
+  * **Amazon CloudWatch Logs** – Allows creating, deleting, and managing log groups with names starting with /aws/ecs/AWSTransform. Permits retrieving log events for troubleshooting deployed applications.
+
+  * **Amazon ECR** – Allows creating container repositories with names starting with awstransform for storing application container images.
+
+  * **AWS Key Management Service (KMS)** – Allows creating grants and generating data keys for ECR encryption when using customer-managed KMS keys.
+
+
+
+
+The policy implements least-privilege access through resource-level permissions, tag-based conditions, and account-level restrictions to ensure operations are limited to AWSTransform-managed resources within the same AWS account.
+
+**Permissions details**
+
+To view the policy permission details see [AWSTransformApplicationECSDeploymentPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSTransformApplicationECSDeploymentPolicy.html) in the AWS Managed Policy Reference Guide.
+