AWS fis documentation change
Summary
Expanded DynamoDB global tables coverage to include both strongly and eventually consistent tables, added IAM permission for dynamodb:InjectError action, and removed MultiRegionConsistency filter
Security assessment
The changes update documentation for fault injection testing capabilities without evidence of addressing a specific vulnerability. The added dynamodb:InjectError permission and expanded table coverage enhance security documentation for resilience testing scenarios but don't indicate a security fix.
Diff
diff --git a/fis/latest/userguide/cross-region-scenario.md b/fis/latest/userguide/cross-region-scenario.md index 1089e54b2..a2a9c38cc 100644 --- a//fis/latest/userguide/cross-region-scenario.md +++ b//fis/latest/userguide/cross-region-scenario.md @@ -9 +9 @@ ActionsLimitationsRequirementsPermissionsScenario Content -You can use the Cross-Region: Connectivity scenario to block application network traffic from the experiment Region to the destination Region and pause cross-Region replication for Amazon S3 and Amazon DynamoDB multi-Region eventually consistent global tables (MREC). Cross Region: Connectivity affects outbound application traffic from the Region in which you run the experiment (_experiment Region_). Stateless inbound traffic from the Region you wish to isolate from the _experiment region_ (_destination Region_) may not be blocked. Traffic from AWS managed services may not be blocked. +You can use the Cross-Region: Connectivity scenario to block application network traffic from the experiment Region to the destination Region and pause cross-Region replication for Amazon S3 and Amazon DynamoDB multi-Region global tables. Cross Region: Connectivity affects outbound application traffic from the Region in which you run the experiment (_experiment Region_). Stateless inbound traffic from the Region you wish to isolate from the _experiment region_ (_destination Region_) may not be blocked. Traffic from AWS managed services may not be blocked. @@ -11 +11 @@ You can use the Cross-Region: Connectivity scenario to block application network -This scenario can be used to demonstrate that multi-Region applications operate as expected when resources in the destination Region are not accessible from the experiment Region. It includes blocking network traffic from the experiment Region to the destination Region by targeting transit gateways and route tables. It also pauses cross-Region replication for S3 and DynamoDB MREC global tables. By default, actions for which no targets are found will be skipped. +This scenario can be used to demonstrate that multi-Region applications operate as expected when resources in the destination Region are not accessible from the experiment Region. It includes blocking network traffic from the experiment Region to the destination Region by targeting transit gateways and route tables. It also pauses cross-Region replication for S3 and DynamoDB global tables. By default, actions for which no targets are found will be skipped. @@ -45 +45 @@ Cross-Region: Connectivity includes [aws:dynamodb:global-table-pause-replication -This action targets DynamoDB multi-Region eventually consistent global tables in the experiment Region. By default, it targets tables with a [tag](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Tagging.html) named `DisruptDynamoDb` with a value of `Allowed`. You can add this tag to your tables or replace the default tag with your own tag in the experiment template. By default, if no valid global tables are found this action will be skipped. +This action targets both DynamoDB multi-Region strongly and eventually consistent global tables in the experiment Region. By default, it targets tables with a [tag](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Tagging.html) named `DisruptDynamoDb` with a value of `Allowed`. You can add this tag to your tables or replace the default tag with your own tag in the experiment template. By default, if no valid global tables are found this action will be skipped. @@ -325 +325 @@ The following policy grants AWS FIS the necessary permissions to execute an expe - "Sid": "DdbCrossRegion", + "Sid": "DynamoDbPauseReplication", @@ -336,0 +337,8 @@ The following policy grants AWS FIS the necessary permissions to execute an expe + { + "Sid": "DynamoDbMrscPauseReplication", + "Effect": "Allow", + "Action": [ + "dynamodb:InjectError" + ], + "Resource": ["*"] + }, @@ -448,8 +455,0 @@ The following content defines the scenario. This JSON can be saved and used to c - "filters": [ - { - "path": "MultiRegionConsistency", - "values": [ - "EVENTUAL" - ] - } - ],