AWS devopsagent documentation change
Summary
Replaced 'Knowledge management actions' with expanded 'Asset management actions' including file-level operations, added new 'Access token management actions' section, updated IAM policy examples to use asset actions instead of knowledge actions, added Transcribe and Security Hub permissions to service roles.
Security assessment
The changes enhance documentation of IAM permissions for asset management and introduce new access token management actions, improving security documentation. The addition of securityhub:GetFindings and access token controls explicitly documents security-related permissions. However, there's no evidence these changes fix an existing vulnerability; they appear to be feature updates and documentation improvements.
Diff
diff --git a/devopsagent/latest/userguide/aws-devops-agent-security-devops-agent-iam-permissions.md b/devopsagent/latest/userguide/aws-devops-agent-security-devops-agent-iam-permissions.md index 68948b84f..e309c1f37 100644 --- a//devopsagent/latest/userguide/aws-devops-agent-security-devops-agent-iam-permissions.md +++ b//devopsagent/latest/userguide/aws-devops-agent-security-devops-agent-iam-permissions.md @@ -7 +7 @@ -Agent Space management actionsInvestigation and execution actionsChat management actionsTopology and discovery actionsPrevention and recommendation actionsBacklog task management actionsKnowledge management actionsAWS Support integration actionsUsage and monitoring actionsCommon IAM policy examplesUsing service-linked roles for AWS DevOps AgentAWS Managed policies for AWS DevOps Agent +Agent Space management actionsInvestigation and execution actionsChat management actionsTopology and discovery actionsPrevention and recommendation actionsBacklog task management actionsAsset management actionsAWS Support integration actionsAccess token management actionsUsage and monitoring actionsCommon IAM policy examplesUsing service-linked roles for AWS DevOps AgentAWS Managed policies for AWS DevOps Agent @@ -89 +89 @@ These actions control the ability to manage recommendations as backlog tasks: -## Knowledge management actions +## Asset management actions @@ -91 +91 @@ These actions control the ability to manage recommendations as backlog tasks: -These actions control the ability to add and manage custom knowledge that the agent can use during investigations: +These actions control the ability to add and manage assets in an Agent Space, including skills, AGENTS.md files, and attachments. For details on the Asset API, see [Managing Assets](about-aws-devops-agent-managing-assets.html). @@ -93 +93 @@ These actions control the ability to add and manage custom knowledge that the ag - * **aidevops:CreateKnowledgeItem** – Allows users to add custom knowledge items, such as skills, troubleshooting guides, or application-specific information that the agent should reference. + * **aidevops:CreateAsset** – Allows users to create a new asset in an Agent Space, including skills, AGENTS.md files, and attachments. @@ -95 +95 @@ These actions control the ability to add and manage custom knowledge that the ag - * **aidevops:ListKnowledgeItems** – Allows users to view all knowledge items configured for an Agent Space. + * **aidevops:GetAsset** – Allows users to retrieve an asset's metadata and version information. @@ -97 +97 @@ These actions control the ability to add and manage custom knowledge that the ag - * **aidevops:GetKnowledgeItem** – Allows users to retrieve the details of a specific knowledge item. + * **aidevops:UpdateAsset** – Allows users to update the metadata or content of an existing asset. @@ -99 +99 @@ These actions control the ability to add and manage custom knowledge that the ag - * **aidevops:UpdateKnowledgeItem** – Allows users to modify existing knowledge items to keep information current. + * **aidevops:DeleteAsset** – Allows users to delete an asset and all of its files from an Agent Space. @@ -101 +101,17 @@ These actions control the ability to add and manage custom knowledge that the ag - * **aidevops:DeleteKnowledgeItem** – Allows users to remove knowledge items that are no longer relevant. + * **aidevops:ListAssets** – Allows users to list assets in an Agent Space, with optional filtering by asset type. + + * **aidevops:ListAssetVersions** – Allows users to list the historical versions of an asset. + + * **aidevops:GetAssetContent** – Allows users to download an asset's full content as a zip bundle. + + * **aidevops:CreateAssetFile** – Allows users to add a new file to an existing asset. + + * **aidevops:GetAssetFile** – Allows users to retrieve a single file from an asset by its path. + + * **aidevops:UpdateAssetFile** – Allows users to replace the content or metadata of an existing file in an asset. + + * **aidevops:DeleteAssetFile** – Allows users to remove a single file from an asset. + + * **aidevops:ListAssetFiles** – Allows users to list the files within an asset. + + * **aidevops:ListAssetTypes** – Allows users to list the asset types supported by AWS DevOps Agent. This action is not scoped to a specific Agent Space and requires `Resource: "*"`. @@ -118,0 +135,17 @@ These actions control integration with AWS Support cases: +## Access token management actions + +These actions control access to access token operations for remote MCP and A2A server authentication: + + * **aidevops:CreateAccessToken** – Allows users to create access tokens for an Agent Space. + + * **aidevops:GetAccessToken** – Allows users to view access token details. + + * **aidevops:ListAccessTokens** – Allows users to list access tokens in an Agent Space. + + * **aidevops:RotateAccessToken** – Allows users to rotate an access token, generating a new value while preserving configuration. + + * **aidevops:RevokeAccessToken** – Allows users to revoke an access token, permanently disabling it. + + + + @@ -170,2 +203,7 @@ This policy grants access to investigation and prevention features without admin - "aidevops:ListKnowledgeItems", - "aidevops:GetKnowledgeItem", + "aidevops:ListAssets", + "aidevops:ListAssetVersions", + "aidevops:ListAssetFiles", + "aidevops:ListAssetTypes", + "aidevops:GetAsset", + "aidevops:GetAssetContent", + "aidevops:GetAssetFile", @@ -178,2 +216,4 @@ This policy grants access to investigation and prevention features without admin - "aidevops:CreateKnowledgeItem", - "aidevops:UpdateKnowledgeItem", + "aidevops:CreateAsset", + "aidevops:CreateAssetFile", + "aidevops:UpdateAsset", + "aidevops:UpdateAssetFile", @@ -208,2 +248,7 @@ This policy grants view-only access to investigations and recommendations: - "aidevops:ListKnowledgeItems", - "aidevops:GetKnowledgeItem", + "aidevops:ListAssets", + "aidevops:ListAssetVersions", + "aidevops:ListAssetFiles", + "aidevops:ListAssetTypes", + "aidevops:GetAsset", + "aidevops:GetAssetContent", + "aidevops:GetAssetFile", @@ -350 +395 @@ Provides full access to Amazon DevOps Agent via the AWS Management Console - "Sid": "AIDevOpsKnowledgeAccess", + "Sid": "AIDevOpsAssetAccess", @@ -353,6 +398,13 @@ Provides full access to Amazon DevOps Agent via the AWS Management Console - "aidevops:CreateKnowledgeItem", - "aidevops:DeleteKnowledgeItem", - "aidevops:GetKnowledgeItem", - "aidevops:ListKnowledgeItems", - "aidevops:ListKnowledgeItemVersions", - "aidevops:UpdateKnowledgeItem" + "aidevops:CreateAsset", + "aidevops:CreateAssetFile", + "aidevops:DeleteAsset", + "aidevops:DeleteAssetFile", + "aidevops:GetAsset", + "aidevops:GetAssetContent", + "aidevops:GetAssetFile", + "aidevops:ListAssets", + "aidevops:ListAssetFiles", + "aidevops:ListAssetTypes", + "aidevops:ListAssetVersions", + "aidevops:UpdateAsset", + "aidevops:UpdateAssetFile" @@ -479,6 +531,13 @@ Provides access to use the AWS DevOps operator web app for an Agent Space. - "aidevops:CreateKnowledgeItem", - "aidevops:ListKnowledgeItems", - "aidevops:ListKnowledgeItemVersions", - "aidevops:GetKnowledgeItem", - "aidevops:UpdateKnowledgeItem", - "aidevops:DeleteKnowledgeItem", + "aidevops:CreateAsset", + "aidevops:CreateAssetFile", + "aidevops:ListAssets", + "aidevops:ListAssetVersions", + "aidevops:ListAssetFiles", + "aidevops:ListAssetTypes", + "aidevops:GetAsset", + "aidevops:GetAssetContent", + "aidevops:GetAssetFile", + "aidevops:UpdateAsset", + "aidevops:UpdateAssetFile", + "aidevops:DeleteAsset", + "aidevops:DeleteAssetFile", @@ -542,0 +602,13 @@ Provides access to use the AWS DevOps operator web app for an Agent Space. + }, + { + "Sid": "AllowTranscribeOperatorActions", + "Effect": "Allow", + "Action": [ + "transcribe:StartStreamTranscriptionWebSocket" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "${aws:PrincipalAccount}" + } + } @@ -906,0 +979 @@ Provides permissions required by the AWS DevOps Agent to conduct investigations + "health:DescribeAffectedEntities", @@ -1255,0 +1329 @@ Provides permissions required by the AWS DevOps Agent to conduct investigations + "securityhub:GetFindings",