AWS security-ir documentation change
Summary
Updated service-linked role documentation with expanded permissions for GuardDuty malware scans, Security Hub CSPM, IAM role verification, and Security Incident Response case management capabilities
Security assessment
This change documents expanded permissions for security incident response service-linked roles, including new capabilities for GuardDuty malware scans and Security Hub CSPM integration. While it enhances security documentation by detailing new permissions, there's no evidence of addressing a specific security vulnerability or incident.
Diff
diff --git a/security-ir/latest/userguide/using-service-linked-roles.md b/security-ir/latest/userguide/using-service-linked-roles.md index b54d5e70c..3c449fc03 100644 --- a//security-ir/latest/userguide/using-service-linked-roles.md +++ b//security-ir/latest/userguide/using-service-linked-roles.md @@ -24 +24 @@ AWSServiceRoleForSecurityIncidentResponseAWSServiceRoleForSecurityIncidentRespon -A service-linked role is a type of service role that is linked to an AWS service. The service can assume the role to perform an action on your behalf. Service-linked roles appear in your AWS account and are owned by the service. An IAM administrator can view, but not edit the permissions for service-linked roles. +A service-linked role is a type of service role that is linked to an AWS service. The service can assume the role to perform an action on your behalf. Service-linked roles appear in your AWS account and are owned by the service. An AWS Identity and Access Management administrator can view, but not edit the permissions for service-linked roles. @@ -91 +91 @@ Attached to this role is the AWS managed policy [AWSSecurityIncidentResponseTria - * _Amazon GuardDuty:_ Allows the service to tune security services to reduce alert noise and gather information to investigate potential incidents. This action is performed on any AWS resource. + * _Amazon GuardDuty:_ Allows the service to tune security services to reduce alert noise, gather information to investigate potential incidents, and initiate GuardDuty malware scans. @@ -93 +93,5 @@ Attached to this role is the AWS managed policy [AWSSecurityIncidentResponseTria - * _AWS Security Hub CSPM:_ Allows the service to tune security services to reduce alert noise and gather information to investigate potential incidents. This action is performed on any AWS resource. + * _AWS Security Hub CSPM:_ Allows the service to list enabled standards and product integrations, list organization members and admin accounts, and tune security services to reduce alert noise and gather information to investigate potential incidents. + + * _AWS Identity and Access Management:_ Allows the service to retrieve role information for the `AWSServiceRoleForAmazonGuardDutyMalwareProtection` service-linked role to verify whether GuardDuty MalwareProtection is configured. + + * _AWS Security Incident Response:_ Allows the service to create and update cases and tag resources, restricted to resources tagged with `SecurityIncidentResponseManaged=true`. Allows the service to read membership information (GetMembership, ListMemberships).