AWS sql-server-ec2 documentation change
Summary
Updated documentation to replace custom IAM policy creation steps with instructions to use the AWSEC2VssRestorePolicy managed policy for SQL Server database restoration automation.
Security assessment
The change promotes using AWS managed policies instead of custom policies, which improves security by ensuring consistent, AWS-maintained permissions and reducing the risk of misconfiguration. However, there is no evidence this addresses a specific security vulnerability or incident.
Diff
diff --git a/sql-server-ec2/latest/userguide/ms-ssdb-ec2-vss-restore-prereq.md b/sql-server-ec2/latest/userguide/ms-ssdb-ec2-vss-restore-prereq.md index 9d5569972..c4e915ee5 100644 --- a//sql-server-ec2/latest/userguide/ms-ssdb-ec2-vss-restore-prereq.md +++ b//sql-server-ec2/latest/userguide/ms-ssdb-ec2-vss-restore-prereq.md @@ -42 +42 @@ Executing the `AWSEC2-RestoreSqlServerDatabaseWithVss` automation runbook to res - 1. Create an IAM policy to restore a SQL Server database from AWS VSS solution based snapshots. + 1. Attach the AWSEC2VssRestorePolicy managed policy to the role that's used for the automation execution. @@ -44 +44 @@ Executing the `AWSEC2-RestoreSqlServerDatabaseWithVss` automation runbook to res - 2. Attach the IAM policy to the role that's used for the automation execution. + 2. Grant IAM permissions to the invoker role for starting and managing automation executions. @@ -46 +45,0 @@ Executing the `AWSEC2-RestoreSqlServerDatabaseWithVss` automation runbook to res - 3. Grant IAM permissions to the invoker role for starting and managing automation executions. @@ -49,0 +49 @@ Executing the `AWSEC2-RestoreSqlServerDatabaseWithVss` automation runbook to res +### Attach the AWSEC2VssRestorePolicy managed policy to the role that's used for the automation execution @@ -51 +51 @@ Executing the `AWSEC2-RestoreSqlServerDatabaseWithVss` automation runbook to res -### Create an IAM policy to restore a SQL Server database from AWS VSS solution based snapshots +You can choose from the following options to attach the **AWSEC2VssRestorePolicy** AWS managed policy to the role that Systems Manager uses for interacting with Amazon EC2 and Systems Manager when executing the `AWSEC2-RestoreSqlServerDatabaseWithVss` automation runbook. For more information about this managed policy, see [AWSEC2VssRestorePolicy](./security-iam-awsmanpol.html#security-iam-awsmanpol-AWSEC2VssRestorePolicy). @@ -53 +53 @@ Executing the `AWSEC2-RestoreSqlServerDatabaseWithVss` automation runbook to res -To create the IAM policy that grants the permissions needed to restore a Microsoft SQL Server database from VSS based snapshots in the AWS Management Console, follow these steps. + * Create a role, attach the **AWSEC2VssRestorePolicy** managed policy, and add a PassRole policy to restrict access. Use the ARN of this role for the `AutomationAssumeRole` parameter when invoking the automation, and the automation execution will assume this role. Expand the `Invoke automation with an assumed role (recommended)` section to see detailed steps. @@ -55,134 +55 @@ To create the IAM policy that grants the permissions needed to restore a Microso - 1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). - - 2. In the navigation pane, choose **Policies** , and then choose **Create policy**. - - 3. Choose **JSON** in the policy editor panel. - - 4. Copy the following policy content into the editor. This policy grants permissions to create volumes from VSS snapshots, attach them to instances, and invoke the SSM `SendDocument` and `GetDocument` API operations to run the automation document for database restoration. - -###### Note - -(Optional) To enhance security, you can further customize the policy by implementing custom conditions or specifying exact resource ARNs. - -JSON - - -**** - - - { - "Version":"2012-10-17", - "Statement": [ - { - "Sid": "CreateVolumeAccessVolume", - "Effect": "Allow", - "Action": "ec2:CreateVolume", - "Resource": "arn:aws:ec2:*:*:volume/*", - "Condition": { - "StringLike": { - "aws:RequestTag/AwsVssConfig": "*" - }, - "ArnLike": { - "ec2:ParentSnapshot": "arn:aws:ec2:*:*:snapshot/*" - } - } - }, - { - "Sid": "CreateVolumeAccessSnapshot", - "Effect": "Allow", - "Action": "ec2:CreateVolume", - "Resource": "arn:aws:ec2:*:*:snapshot/*", - "Condition": { - "StringLike": { - "ec2:ResourceTag/AwsVssConfig": "*" - } - } - }, - { - "Sid": "CreateVolumeWithTagging", - "Effect": "Allow", - "Action": "ec2:CreateTags", - "Resource": "arn:aws:ec2:*:*:volume/*", - "Condition": { - "StringEquals": { - "ec2:CreateAction": "CreateVolume" - } - } - }, - { - "Sid": "AttachVolumeAccessVolume", - "Effect": "Allow", - "Action": "ec2:AttachVolume", - "Resource": "*", - "Condition": { - "StringLike": { - "ec2:ResourceTag/AwsVssConfig": "*" - } - } - }, - { - "Sid": "AttachVolumeAccessInstance", - "Effect": "Allow", - "Action": "ec2:AttachVolume", - "Resource": "arn:aws:ec2:*:*:instance/*" - }, - { - "Sid": "DescribeVolumes", - "Effect": "Allow", - "Action": "ec2:DescribeVolumes", - "Resource": "*" - }, - { - "Sid": "DescribeSnapshots", - "Effect": "Allow", - "Action": "ec2:DescribeSnapshots", - "Resource": "*" - }, - { - "Sid": "DescribeInstanceAttribute", - "Effect": "Allow", - "Action": "ec2:DescribeInstanceAttribute", - "Resource": "arn:aws:ec2:*:*:instance/*" - }, - { - "Sid": "SsmAutomationRead", - "Effect": "Allow", - "Action": [ - "ssm:DescribeInstanceInformation", - "ssm:ListCommandInvocations", - "ssm:ListCommands" - ], - "Resource": "*" - }, - { - "Sid": "SsmRunCommand", - "Effect": "Allow", - "Action": [ - "ssm:SendCommand", - "ssm:GetDocument" - ], - "Resource": [ - "arn:aws:ec2:*:*:instance/*", - "arn:aws:ssm:*:*:document/AWS-ConfigureAWSPackage", - "arn:aws:ssm:*:*:document/AWSEC2-PrepareVssRestore", - "arn:aws:ssm:*:*:document/AWSEC2-RunVssRestoreForSqlDatabase" - ] - } - ] - } - - - 5. Choose **Next**. - - 6. Enter a unique name and optional description for your policy, then choose **Create policy**. - - - - -### Attach the IAM policy to the role that's used for the automation execution - -You can choose from the following options to attach your policy to the role that Systems Manager uses for interacting with the Amazon EC2 and Systems Manager when executing the `AWSEC2-RestoreSqlServerDatabaseWithVss` automation runbook. - - * Create a role, attach your policy, and add a PassRole policy to restrict access. Use the ARN of this role for the `AutomationAssumeRole` parameter when invoking the automation, and the automation execution will assume this role. Expand the `Invoke automation with an assumed role (recommended)` section to see detailed steps. - - * Attach the policy to the invoker role that initiates the automation execution, without specifying the `AutomationAssumeRole` parameter. For example, if you start the automation execution from the AWS console, the console role acts as the invoker role. Expand the `Invoke automation without an assumed role` section to see detailed steps. + * Attach the **AWSEC2VssRestorePolicy** managed policy to the invoker role that initiates the automation execution, without specifying the `AutomationAssumeRole` parameter. For example, if you start the automation execution from the AWS console, the console role acts as the invoker role. Expand the `Invoke automation without an assumed role` section to see detailed steps. @@ -203 +70 @@ You can choose from the following options to attach your policy to the role that - 5. Search for the name of the policy that you created for the database restore runbook. Select the check box next to the name and then choose **Next**. This takes you to the **Name, review, and create** page. + 5. Search for **AWSEC2VssRestorePolicy**. Select the check box next to the name and then choose **Next**. This takes you to the **Name, review, and create** page. @@ -249 +116 @@ Copy the **Role ARN** from the **Summary** panel to use in the next steps, then - 4. Use the search bar in the **Other permissions policies** panel to search for the name of the policy that you created for the database restore runbook. Select the check box next to the name and then choose **Add permissions**. + 4. Use the search bar in the **Other permissions policies** panel to search for **AWSEC2VssRestorePolicy**. Select the check box next to the name and then choose **Add permissions**.