AWS fedramp documentation change
Summary
Enhanced IAM policy documentation with detailed use cases, permissions breakdown, testing instructions, and explicit MFA requirements. Updated AWS CLI commands for configuration review and export to be resource-specific.
Security assessment
The changes improve security documentation by adding granular IAM policy guidance (least privilege principles), explicit MFA requirements for privileged roles, and concrete testing procedures. However, there's no evidence of addressing a specific security vulnerability. The updates proactively enhance security posture by clarifying access controls.
Diff
diff --git a/fedramp/latest/userguide/amazon-elastic-cloud-compute-ec2.md b/fedramp/latest/userguide/amazon-elastic-cloud-compute-ec2.md index cee3b4e04..6c9f808eb 100644 --- a//fedramp/latest/userguide/amazon-elastic-cloud-compute-ec2.md +++ b//fedramp/latest/userguide/amazon-elastic-cloud-compute-ec2.md @@ -683 +683,46 @@ Sample IAM policies for least privilege access to Amazon Elastic Compute Cloud ( -**Read Only Policy:** +### Policy Selection Guide + +Choose the appropriate policy based on your role: + +Policy | Use Case | MFA Required +---|---|--- +Read Only | Auditors, compliance reviewers, monitoring dashboards | No +Operator | Day-to-day operators managing resources | Yes +Administrator | Service administrators with full management access | Yes (1-hour max) + +### Read Only Policy + +**Use this for:** Auditors, compliance reviewers, monitoring dashboards + +**Grants access to:** + + * View resource configurations + + * List resources + + * Describe resource details + + + + +**Does NOT grant:** + + * Create or modify resources + + * Delete resources + + * Change configurations + + + + +**Testing this policy:** + + + # Verify access works + aws elastic-cloud-compute-ec2 describe-* / list-* + + # Verify restricted access is denied (should fail) + aws elastic-cloud-compute-ec2 create-* / delete-* + +**Policy JSON:** @@ -701 +746,36 @@ Sample IAM policies for least privilege access to Amazon Elastic Compute Cloud ( -**Operator Policy:** +### Operator Policy + +**Use this for:** Day-to-day operators managing resources + +**Grants access to:** + + * All read-only permissions + + * Create and modify resources + + * Perform operational tasks + + + + +**Does NOT grant:** + + * Delete critical resources + + * Change security configurations + + * Manage access policies + + + + +**Testing this policy:** + + + # Verify access works + aws elastic-cloud-compute-ec2 create-* / update-* + + # Verify restricted access is denied (should fail) + aws elastic-cloud-compute-ec2 delete-* / put-*-policy + +**Policy JSON:** @@ -727 +807,31 @@ Sample IAM policies for least privilege access to Amazon Elastic Compute Cloud ( -**Administrator Policy:** +### Administrator Policy + +**Use this for:** Service administrators with full management access + +**Grants access to:** + + * All operator permissions + + * Delete resources + + * Manage access policies + + * Configure security settings + + + + +**Requires:** + + * MFA with maximum 1-hour session duration + + + + +**Testing this policy:** + + + # Verify access works + aws elastic-cloud-compute-ec2 * (all operations) + +**Policy JSON:** @@ -884,2 +994,13 @@ Deploy AWS Config rules to continuously monitor Amazon Elastic Compute Cloud (EC - aws elastic describe-* --query 'relevant-fields' - Compare output against baseline configuration files + # List all EC2 instances + aws ec2 describe-instances --output json + # List all security groups + aws ec2 describe-security-groups --output json + # List all volumes + aws ec2 describe-volumes --output json + # List all snapshots owned by self + aws ec2 describe-snapshots --owner-ids self --output json + # List all VPCs + aws ec2 describe-vpcs --output json + # List all subnets + aws ec2 describe-subnets --output json + # Compare output against baseline configuration files @@ -904 +1025,14 @@ JSON via AWS CLI - aws elastic describe-* --output json > amazon_elastic_compute_cloud_(ec2)_config.json + # Export all EC2 instances + aws ec2 describe-instances --output json > amazon_ec2_instances.json + # Export all security groups + aws ec2 describe-security-groups --output json > amazon_ec2_security_groups.json + # Export all volumes + aws ec2 describe-volumes --output json > amazon_ec2_volumes.json + # Export all snapshots + aws ec2 describe-snapshots --owner-ids self --output json > amazon_ec2_snapshots.json + # Export all AMIs + aws ec2 describe-images --owners self --output json > amazon_ec2_amis.json + # Export all key pairs + aws ec2 describe-key-pairs --output json > amazon_ec2_key_pairs.json + # Export all VPCs + aws ec2 describe-vpcs --output json > amazon_ec2_vpcs.json