AWS notifications documentation change
Summary
Added two new IAM policy examples: Example 6 (full read-write access with explicit actions) and Example 7 (resource-scoped access for managed notifications demonstrating least-privilege principles).
Security assessment
The change adds documentation about security features (IAM policies) but does not indicate any security vulnerability, incident, or weakness being addressed. It provides additional examples for configuring permissions, including a least-privilege example, which is a security best practice.
Diff
diff --git a/notifications/latest/userguide/resource-level-permissions.md b/notifications/latest/userguide/resource-level-permissions.md index 18ee5c930..3572fde28 100644 --- a//notifications/latest/userguide/resource-level-permissions.md +++ b//notifications/latest/userguide/resource-level-permissions.md @@ -7 +7 @@ -Supported resource-level permissions for User Notifications API actionsExample 1: Full accessExample 2: ReadOnly accessExample 3: Deny a user the ability to update a notification configurationExample 4: Allow users to create notification configurations and associate emails to themExample 5: Allow users full create, read, update, and delete (CRUD) access. +Supported resource-level permissions for User Notifications API actionsExample 1: Full accessExample 2: ReadOnly accessExample 3: Deny a user the ability to update a notification configurationExample 4: Allow users to create notification configurations and associate emails to themExample 5: Allow users full create, read, update, and delete (CRUD) access.Example 6: Full read-write access with explicit actionsExample 7: Resource-scoped access for managed notifications @@ -202,0 +203,110 @@ JSON +## Example 6: Full read-write access with explicit actions + +This policy grants a user full read-write access to AWS User Notifications by listing all individual actions explicitly. This includes user-configured notifications, managed notifications, organizations, and tagging permissions. + +JSON + + +**** + + + + { + "Version":"2012-10-17", + "Statement": [ + { + "Sid": "UserNotificationsReadWrite", + "Effect": "Allow", + "Action": [ + "iam:CreateServiceLinkedRole", + "notifications:RegisterNotificationHub", + "notifications:DeregisterNotificationHub", + "notifications:ListNotificationHubs", + "notifications:CreateNotificationConfiguration", + "notifications:UpdateNotificationConfiguration", + "notifications:GetNotificationConfiguration", + "notifications:DeleteNotificationConfiguration", + "notifications:ListNotificationConfigurations", + "notifications:CreateEventRule", + "notifications:UpdateEventRule", + "notifications:GetEventRule", + "notifications:DeleteEventRule", + "notifications:ListEventRules", + "notifications:AssociateChannel", + "notifications:DisassociateChannel", + "notifications:ListChannels", + "notifications:GetNotificationEvent", + "notifications:ListNotificationEvents", + "notifications:GetManagedNotificationConfiguration", + "notifications:ListManagedNotificationConfigurations", + "notifications:ListManagedNotificationChannelAssociations", + "notifications:AssociateManagedNotificationAccountContact", + "notifications:DisassociateManagedNotificationAccountContact", + "notifications:AssociateManagedNotificationAdditionalChannel", + "notifications:DisassociateManagedNotificationAdditionalChannel", + "notifications:GetManagedNotificationEvent", + "notifications:ListManagedNotificationEvents", + "notifications:GetManagedNotificationChildEvent", + "notifications:ListManagedNotificationChildEvents", + "notifications:EnableNotificationsAccessForOrganization", + "notifications:DisableNotificationsAccessForOrganization", + "notifications:AssociateOrganizationalUnit", + "notifications:DisassociateOrganizationalUnit", + "notifications:ListOrganizationalUnits", + "notifications:ListMemberAccounts", + "notifications:GetNotificationsAccessForOrganization", + "notifications:TagResource", + "notifications:ListTagsForResource", + "notifications:UntagResource", + "notifications-contacts:CreateEmailContact", + "notifications-contacts:SendActivationCode", + "notifications-contacts:ActivateEmailContact", + "notifications-contacts:DeleteEmailContact", + "notifications-contacts:GetEmailContact", + "notifications-contacts:ListEmailContacts", + "notifications-contacts:TagResource", + "notifications-contacts:UntagResource", + "notifications-contacts:ListTagsForResource" + ], + "Resource": "*" + } + ] + } + + +## Example 7: Resource-scoped access for managed notifications + +This policy demonstrates least-privilege access by scoping managed notification permissions to a specific category (and optionally a specific sub-category) using resource-level ARNs. Replace the category (and optionally the sub-category) in the ARN to match your use case. This example uses AWS Health managed notifications. + +JSON + + +**** + + + + { + "Version":"2012-10-17", + "Statement": [ + { + "Sid": "ScopedManagedNotifications", + "Effect": "Allow", + "Action": [ + "notifications:GetManagedNotificationConfiguration", + "notifications:ListManagedNotificationConfigurations", + "notifications:ListManagedNotificationChannelAssociations", + "notifications:AssociateManagedNotificationAccountContact", + "notifications:DisassociateManagedNotificationAccountContact", + "notifications:AssociateManagedNotificationAdditionalChannel", + "notifications:DisassociateManagedNotificationAdditionalChannel", + "notifications:GetManagedNotificationEvent", + "notifications:ListManagedNotificationEvents", + "notifications:GetManagedNotificationChildEvent", + "notifications:ListManagedNotificationChildEvents" + ], + "Resource": "arn:aws::notifications::123456789012:managed-notification-configuration/category/AWS-Health/sub-category/*" + } + ] + } + +