AWS vpc documentation change
Summary
Added required IAM permissions policy for creating flow logs to Firehose
Security assessment
Documents necessary IAM permissions (logs:CreateLogDelivery, iam:CreateServiceLinkedRole etc.) for secure configuration. No vulnerability fix.
Diff
diff --git a/vpc/latest/userguide/flow-logs-firehose-create-flow-log.md b/vpc/latest/userguide/flow-logs-firehose-create-flow-log.md index 279db450c..7b2bba558 100644 --- a//vpc/latest/userguide/flow-logs-firehose-create-flow-log.md +++ b//vpc/latest/userguide/flow-logs-firehose-create-flow-log.md @@ -12,0 +13,25 @@ You can create flow logs for your VPCs, subnets, or network interfaces. + * The account creating the flow log must be using an IAM role that grants the following permissions to publish flow logs to Amazon Data Firehose. + +JSON + + +**** + + + { + "Version":"2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "logs:CreateLogDelivery", + "logs:DeleteLogDelivery", + "iam:CreateServiceLinkedRole", + "firehose:TagDeliveryStream" + ], + "Resource": "*" + } + ] + } + +