AWS cdk documentation change
Summary
Updated permissions documentation to mention Grants classes working with both L1/L2 constructs and integration with Mixins
Security assessment
The change enhances documentation about least-privilege permissions implementation but doesn't address a specific security vulnerability. It improves security guidance but isn't tied to a disclosed issue.
Diff
diff --git a/cdk/v2/guide/resources.md b/cdk/v2/guide/resources.md index 4b8d292db..72132aeed 100644 --- a//cdk/v2/guide/resources.md +++ b//cdk/v2/guide/resources.md @@ -784 +784,3 @@ Go -Higher-level constructs make least-privilege permissions achievable by offering simple, intent-based APIs to express permission requirements. For example, many L2 constructs offer grant methods that you can use to grant an entity (such as an IAM role or user) permission to work with the resource, without having to manually create IAM permission statements. +Higher-level constructs make least-privilege permissions achievable by offering simple, intent-based APIs to express permission requirements. For example, many constructs offer grant methods that you can use to grant an entity (such as an IAM role or user) permission to work with the resource, without having to manually create IAM permission statements. + +Grant methods are available through Grants classes (such as `BucketGrants` for Amazon S3 buckets). These classes work with both L1 and L2 constructs. L2 constructs expose a `grants` property for convenience, but you can also create a Grants class directly from an L1 construct. You can combine Grants classes with [Mixins](./mixins.html) to get L2-like convenience on L1 constructs.