AWS Security ChangesHomeSearch

AWS solutions medium security documentation change

Service: solutions · 2026-06-01 · Security-related medium

File: solutions/latest/spatial-data-management-on-aws/personas-and-permissions-overview.md

Summary

Added 'Consumer' permission level for projects and restricted Viewer permissions

Security assessment

Introduces new security controls: 'Consumer' role for download-only access and explicitly removes file download capability from Viewers. This implements least-privilege access, reducing risk of unauthorized data exfiltration. Directly addresses permission over-provisioning.

Diff

diff --git a/solutions/latest/spatial-data-management-on-aws/personas-and-permissions-overview.md b/solutions/latest/spatial-data-management-on-aws/personas-and-permissions-overview.md
index 9e1e7d0f6..0c7c9d6e1 100644
--- a//solutions/latest/spatial-data-management-on-aws/personas-and-permissions-overview.md
+++ b//solutions/latest/spatial-data-management-on-aws/personas-and-permissions-overview.md
@@ -9 +9 @@ Business PersonasPermission Model and Access Control
-Spatial Data Management on AWS uses resource-based access control to provide fine-grained permissions management. The solution does not define business personas as fixed roles in the system. Instead, it provides flexible permission levels (Owner, Manager, Contributor, and Viewer) that can be assigned to users on specific resources (libraries, projects, and assets). This approach allows customers to grant appropriate permissions to users based on their actual responsibilities and needs, rather than predefined role assignments. The business personas described in this guide (IT Admin, Project Admin, Asset Creator, and Asset Consumer) represent common user types to help you understand how to apply permissions effectively in your organization.
+Spatial Data Management on AWS uses resource-based access control to provide fine-grained permissions management. The solution does not define business personas as fixed roles in the system. Instead, it provides flexible permission levels (Owner, Manager, Contributor, and Viewer) that can be assigned to users on specific resources (libraries, projects, and assets). Projects also support a Consumer level for download-only access. This approach allows customers to grant appropriate permissions to users based on their actual responsibilities and needs, rather than predefined role assignments. The business personas described in this guide (IT Admin, Project Admin, Asset Creator, and Asset Consumer) represent common user types to help you understand how to apply permissions effectively in your organization.
@@ -69 +69 @@ Any user connected through a Cognito user group (who is not part of `SpatialData
-Each resource supports four permission levels – Owner, Manager, Contributor, and Viewer – that define what actions users can perform within the solution.
+Each resource supports permission levels – Owner, Manager, Contributor, and Viewer – that define what actions users can perform within the solution. Projects also support a Consumer level between Viewer and Contributor for download-only access.
@@ -79 +79,3 @@ The permission levels provide the following access:
-  * **Viewer** – Can view the resource and child resources only
+  * **Consumer** (Projects only) – Can view and download file content, but cannot create or modify resources
+
+  * **Viewer** – Can view resource metadata only. On Projects, cannot download file content