AWS guardduty documentation change
Summary
Added detailed policy statement for cloudtrail:CreateServiceLinkedChannel permission in AmazonGuardDutyServiceRolePolicy
Security assessment
This change provides detailed documentation of a policy update that allows GuardDuty to create service-linked channels for CloudTrail. This enhances GuardDuty's event consumption capabilities but doesn't address a specific security vulnerability. The change adds detailed security policy documentation.
Diff
diff --git a/guardduty/latest/ug/security-iam-awsmanpol.md b/guardduty/latest/ug/security-iam-awsmanpol.md index 28d95704d..666497b19 100644 --- a//guardduty/latest/ug/security-iam-awsmanpol.md +++ b//guardduty/latest/ug/security-iam-awsmanpol.md @@ -109,0 +110,18 @@ Change | Description | Date +[AmazonGuardDutyServiceRolePolicy](./slr-permissions.html) – Update to an existing policy | Added the `cloudtrail:CreateServiceLinkedChannel` permission to enable an additional mechanism for consuming AWS CloudTrail events. + + + { + "Sid": "CloudTrailCreateServiceLinkedChannelSid", + "Effect": "Allow", + "Action": [ + "cloudtrail:CreateServiceLinkedChannel" + ], + "Resource": "arn:aws:cloudtrail:*:*:channel/aws-service-channel/guardduty/*", + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "${aws:PrincipalAccount}" + } + } + } + +| March 25, 2026