AWS fedramp documentation change
Summary
Restructured IAM policy documentation with detailed role-based guides, testing procedures, and MFA requirements
Security assessment
The change enhances security documentation by adding least privilege guidance, MFA requirements for sensitive operations, explicit access boundaries, and CLI testing procedures. However, there's no evidence of addressing a specific vulnerability.
Diff
diff --git a/fedramp/latest/userguide/amazon-aurora-postgresql.md b/fedramp/latest/userguide/amazon-aurora-postgresql.md index e0bb3851d..8ce0ca78a 100644 --- a//fedramp/latest/userguide/amazon-aurora-postgresql.md +++ b//fedramp/latest/userguide/amazon-aurora-postgresql.md @@ -507 +507,47 @@ Sample IAM policies for least privilege access to Amazon Aurora PostgreSQL -**Read Only Policy:** +### Policy Selection Guide + +Choose the appropriate policy based on your role: + +Policy | Use Case | MFA Required +---|---|--- +Read Only | Auditors, compliance reviewers, monitoring dashboards | No +Operator | Day-to-day operators managing resources | Yes +Administrator | Service administrators with full management access | Yes (1-hour max) + +### Read Only Policy + +**Use this for:** Auditors, compliance reviewers, monitoring dashboards + +**Grants access to:** + + * View resource configurations + + * List resources + + * Describe resource details + + + + +**Does NOT grant:** + + * Create or modify resources + + * Delete resources + + * Change configurations + + + + +**Testing this policy:** + + + # Verify read access works + aws rds describe-db-instances + aws rds describe-db-clusters + + # Verify write access is denied (should fail) + aws rds modify-db-instance --db-instance-identifier test-db + +**Policy JSON:** @@ -525 +571,36 @@ Sample IAM policies for least privilege access to Amazon Aurora PostgreSQL -**Operator Policy:** +### Operator Policy + +**Use this for:** Day-to-day operators managing resources + +**Grants access to:** + + * All read-only permissions + + * Create and modify resources + + * Perform operational tasks + + + + +**Does NOT grant:** + + * Delete critical resources + + * Change security configurations + + * Manage access policies + + + + +**Testing this policy:** + + + # Verify operator access works (requires MFA) + aws rds modify-db-cluster --db-cluster-identifier <cluster-id> --apply-immediately + + # Verify admin access is denied (should fail) + aws rds delete-db-cluster --db-cluster-identifier <cluster-id> + +**Policy JSON:** @@ -551 +632,32 @@ Sample IAM policies for least privilege access to Amazon Aurora PostgreSQL -**Administrator Policy:** +### Administrator Policy + +**Use this for:** Service administrators with full management access + +**Grants access to:** + + * All operator permissions + + * Delete resources + + * Manage access policies + + * Configure security settings + + + + +**Requires:** + + * MFA with maximum 1-hour session duration + + + + +**Testing this policy:** + + + # Verify full admin access works (requires MFA) + aws rds create-db-cluster --db-cluster-identifier new-cluster --engine aurora-postgresql + aws rds delete-db-cluster --db-cluster-identifier old-cluster --skip-final-snapshot + +**Policy JSON:**