AWS transform documentation change
Summary
Updated IAM permissions section to recommend AWS managed policies instead of inline policy, added references to specific managed policies for granular access control, and removed the inline IAM policy example.
Security assessment
This change improves security documentation by promoting AWS managed policies (AWSTransformCustomFullAccess, AWSTransformCustomExecuteTransformations, AWSTransformCustomManageTransformations) which follow security best practices. It removes a wildcard policy example ('transform-custom:*') that could lead to over-permissive access, reducing potential security risks from excessive permissions. No evidence of addressing a specific security vulnerability.
Diff
diff --git a/transform/latest/userguide/custom-get-started.md b/transform/latest/userguide/custom-get-started.md index 541ea4aea..d2168f10a 100644 --- a//transform/latest/userguide/custom-get-started.md +++ b//transform/latest/userguide/custom-get-started.md @@ -0,0 +1,2 @@ +[View a markdown version of this page](custom-get-started.md) + @@ -104 +106,7 @@ Configure credentials in `~/.aws/credentials`: -Your AWS credentials must have permissions to call the AWS Transform service. At minimum, you need `transform-custom:*` permissions. +Your AWS credentials must have permissions to call the AWS Transform custom service. We recommend attaching the [AWSTransformCustomFullAccess](./security-iam-awsmanpol.html#security-iam-awsmanpol-AWSTransformCustomFullAccess) AWS managed policy to your IAM user or role. This policy provides full access to AWS Transform custom, including the permission to create the [service-linked role](./using-service-linked-roles.html#using-service-linked-roles-custom) required for CloudWatch metrics emission to your account. + +For more granular control, AWS Transform custom also provides the following AWS managed policies: + + * [AWSTransformCustomExecuteTransformations](./security-iam-awsmanpol.html#security-iam-awsmanpol-AWSTransformCustomExecuteTransformations) – Provides access to execute transformations. + + * [AWSTransformCustomManageTransformations](./security-iam-awsmanpol.html#security-iam-awsmanpol-AWSTransformCustomManageTransformations) – Provides access to create, update, read, and delete transformation resources, as well as execute transformations. @@ -106 +113,0 @@ Your AWS credentials must have permissions to call the AWS Transform service. At -The following IAM policy provides full access to AWS Transform custom: @@ -109,12 +115,0 @@ The following IAM policy provides full access to AWS Transform custom: - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "transform-custom:*" - ], - "Resource": "*" - } - ] - } @@ -122 +117 @@ The following IAM policy provides full access to AWS Transform custom: -For more granular control, please refer to the [AWS Transform Custom IAM Service Authorization Reference Guide](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awstransformcustom.html) +For more information about these policies, see [AWS managed policies for AWS Transform](./security-iam-awsmanpol.html). For custom IAM policies with resource-level permissions, refer to the [AWS Transform Custom IAM Service Authorization Reference Guide](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awstransformcustom.html).