AWS security-ir documentation change
Summary
Updated AWS managed policies documentation to include new permissions for GuardDuty malware scans, Security Hub CSPM operations, IAM role verification, and Security Incident Response case management
Security assessment
This change documents expanded permissions for AWS Security Incident Response service roles, including the ability to initiate GuardDuty malware scans, manage Security Hub CSPM rules, verify GuardDuty MalwareProtection configuration, and create/update security incident cases. While these are security-related capabilities, there is no evidence that these changes address a specific security vulnerability or incident. The documentation appears to reflect normal service capability expansions.
Diff
diff --git a/security-ir/latest/userguide/aws-managed-policies.md b/security-ir/latest/userguide/aws-managed-policies.md index dd4cdb0bb..63cbeb6c3 100644 --- a//security-ir/latest/userguide/aws-managed-policies.md +++ b//security-ir/latest/userguide/aws-managed-policies.md @@ -142 +142 @@ The service uses this policy to perform actions on the following resources: - * _Amazon GuardDuty:_ Allows the service to tune security services to reduce alert noise and gather information to investigate potential incidents. This action is performed on any AWS resource. + * _Amazon GuardDuty:_ Allows the service to tune security services to reduce alert noise, gather information to investigate potential incidents, and initiate GuardDuty malware scans. @@ -144 +144,5 @@ The service uses this policy to perform actions on the following resources: - * _AWS Security Hub CSPM:_ Allows the service to tune security services to reduce alert noise and gather information to investigate potential incidents. This action is performed on any AWS resource. + * _AWS Security Hub CSPM:_ Allows the service to list enabled standards and product integrations, list organization members and admin accounts, and tune security services to reduce alert noise and gather information to investigate potential incidents. + + * _AWS Identity and Access Management:_ Allows the service to retrieve role information for the `AWSServiceRoleForAmazonGuardDutyMalwareProtection` service-linked role to verify whether GuardDuty MalwareProtection is configured. + + * _AWS Security Incident Response:_ Allows the service to create and update cases and tag resources, restricted to resources tagged with `SecurityIncidentResponseManaged=true`. Allows the service to read membership information (GetMembership, ListMemberships). @@ -157 +161,2 @@ Change | Description | Date -Updated – AWSSecurityIncidentResponseServiceRolePolicy | The policy now performs actions on the following resources: ListCases: Allows the service’s AI agent to view cases for the purposes of security investigation UpdateCase: Allows the service’s AI agent to update case metadata. CreateCaseComment: Allows the service’s AI agent to post its results as a case comment ListComments: Allows the service’s AI agent to view case comments needed to perform automated investigations | TBD +Updated – AWSSecurityIncidentResponseTriageServiceRolePolicy | The policy now allows the service to modify GuardDuty filters that are tagged with `SecurityIncidentResponseManaged=true`, to update detector configurations, and to initiate GuardDuty malware scans. It allows the service to create and manage rules that automatically act on Security Hub CSPM findings, and to understand organizational structure. | March 27, 2026 +Updated – AWSSecurityIncidentResponseServiceRolePolicy | The policy now performs actions on the following resources: ListCases: Allows the service’s AI agent to view cases for the purposes of security investigation UpdateCase: Allows the service’s AI agent to update case metadata. CreateCaseComment: Allows the service’s AI agent to post its results as a case comment ListComments: Allows the service’s AI agent to view case comments needed to perform automated investigations | November 2025 @@ -169 +174 @@ Updated – AWSSecurityIncidentResponseServiceRolePolicy | The policy now inclu -| TBD +| November 2025