AWS Security ChangesHomeSearch

AWS fedramp documentation change

Service: fedramp · 2026-02-16 · Documentation low

File: fedramp/latest/userguide/amazon-documentdb-with-mongodb-compatibility.md

Summary

Added role-based IAM policy guides with MFA enforcement, access boundaries, and verification commands

Security assessment

The update improves security documentation by defining granular permissions, MFA requirements for admin roles, explicit access restrictions, and test cases. No evidence of fixing a specific security vulnerability is present.

Diff

diff --git a/fedramp/latest/userguide/amazon-documentdb-with-mongodb-compatibility.md b/fedramp/latest/userguide/amazon-documentdb-with-mongodb-compatibility.md
index af9874dcb..5768c1664 100644
--- a//fedramp/latest/userguide/amazon-documentdb-with-mongodb-compatibility.md
+++ b//fedramp/latest/userguide/amazon-documentdb-with-mongodb-compatibility.md
@@ -565 +565,46 @@ Sample IAM policies for least privilege access to Amazon DocumentDB
-**Read Only Policy:**
+### Policy Selection Guide
+
+Choose the appropriate policy based on your role:
+
+Policy | Use Case | MFA Required  
+---|---|---  
+Read Only |  Auditors, compliance reviewers, monitoring dashboards |  No  
+Operator |  Day-to-day operators managing resources |  Yes  
+Administrator |  Service administrators with full management access |  Yes (1-hour max)  
+  
+### Read Only Policy
+
+**Use this for:** Auditors, compliance reviewers, monitoring dashboards
+
+**Grants access to:**
+
+  * View resource configurations
+
+  * List resources
+
+  * Describe resource details
+
+
+
+
+**Does NOT grant:**
+
+  * Create or modify resources
+
+  * Delete resources
+
+  * Change configurations
+
+
+
+
+**Testing this policy:**
+    
+    
+    # Verify access works
+    aws documentdb-with-mongodb-compatibility describe-* / list-*
+    
+    # Verify restricted access is denied (should fail)
+    aws documentdb-with-mongodb-compatibility create-* / delete-*
+
+**Policy JSON:**
@@ -582 +627,36 @@ Sample IAM policies for least privilege access to Amazon DocumentDB
-**Operator Policy:**
+### Operator Policy
+
+**Use this for:** Day-to-day operators managing resources
+
+**Grants access to:**
+
+  * All read-only permissions
+
+  * Create and modify resources
+
+  * Perform operational tasks
+
+
+
+
+**Does NOT grant:**
+
+  * Delete critical resources
+
+  * Change security configurations
+
+  * Manage access policies
+
+
+
+
+**Testing this policy:**
+    
+    
+    # Verify access works
+    aws documentdb-with-mongodb-compatibility create-* / update-*
+    
+    # Verify restricted access is denied (should fail)
+    aws documentdb-with-mongodb-compatibility delete-* / put-*-policy
+
+**Policy JSON:**
@@ -609 +689,31 @@ Sample IAM policies for least privilege access to Amazon DocumentDB
-**Administrator Policy:**
+### Administrator Policy
+
+**Use this for:** Service administrators with full management access
+
+**Grants access to:**
+
+  * All operator permissions
+
+  * Delete resources
+
+  * Manage access policies
+
+  * Configure security settings
+
+
+
+
+**Requires:**
+
+  * MFA with maximum 1-hour session duration
+
+
+
+
+**Testing this policy:**
+    
+    
+    # Verify access works
+    aws documentdb-with-mongodb-compatibility * (all operations)
+
+**Policy JSON:**