AWS resilience-hub documentation change
Summary
Removed documentation for the AWSResilienceHubV2AssessmentExecutionPolicy IAM policy, including its permissions details and full policy JSON. Also fixed a typo in the policy name reference.
Security assessment
The change removes documentation about a specific IAM policy but doesn't reference any security vulnerability, incident, or weakness. Policy removal could indicate reduced permissions, but without explicit security context (like CVE reference or vulnerability disclosure), this appears to be routine documentation cleanup. No security features were added.
Diff
diff --git a/resilience-hub/latest/userguide/security-iam-awsmanpol.md b/resilience-hub/latest/userguide/security-iam-awsmanpol.md index c3db546f6..26ce9d78f 100644 --- a//resilience-hub/latest/userguide/security-iam-awsmanpol.md +++ b//resilience-hub/latest/userguide/security-iam-awsmanpol.md @@ -7 +7 @@ -AWSResilienceHubAsssessmentExecutionPolicyAWSResilienceHubV2AssessmentExecutionPolicyPolicy updates +AWSResilienceHubAsssessmentExecutionPolicyPolicy updates @@ -104,349 +103,0 @@ The following IAM policy is required for an AWS account to add permissions for u -## AWSResilienceHubV2AssessmentExecutionPolicy - -You can attach the `AWSResilienceHubV2AssessmentExecutionPolicy` to your IAM identities. While running an assessment, this policy grants read-only access permissions to other AWS services for resilience discovery, assessment, and management. - -### Permission details - -This policy grants wildcarded read-only permissions that might include sensitive information in the output. - -This policy includes the following permissions: - - * Amazon CloudWatch (CloudWatch) – Provides `Describe`, `Get`, and `List` permissions for CloudWatch resources that are associated with your AWS account. - - * AWS CloudFormation – Provides `Describe`, `Get`, and `List` permissions for AWS CloudFormation resources that are associated with your AWS account. - - * Amazon Elastic Compute Cloud (Amazon EC2) – Provides specific `Describe` permissions for Amazon EC2 resources that are associated with your AWS account. - - * Amazon Elastic Container Service (Amazon ECS) – Provides `Describe` and `List` permissions for Amazon ECS resources that are associated with your AWS account. - - * Amazon Elastic Kubernetes Service (Amazon EKS) – Provides `Describe` and `List` permissions for Amazon EKS resources that are associated with your AWS account. - - * Amazon Elastic Container Registry (Amazon ECR) – Provides `Describe` permissions for Amazon ECR resources that are associated with your AWS account. - - * Amazon Elastic File System (Amazon EFS) – Provides `Describe` permissions for Amazon EFS resources that are associated with your AWS account. - - * Amazon ElastiCache (ElastiCache) – Provides `Describe` permissions for ElastiCache resources that are associated with your AWS account. - - * Elastic Load Balancing – Provides `Describe` permissions for Elastic Load Balancing resources that are associated with your AWS account. - - * Amazon DynamoDB (DynamoDB) – Provides `Describe` and `List` permissions for DynamoDB resources that are associated with your AWS account. - - * Amazon RDS – Provides `Describe` permissions for Amazon RDS resources that are associated with your AWS account. - - * Amazon DocumentDB – Provides `Describe` and `List` permissions for Amazon DocumentDB resources that are associated with your AWS account. - - * AWS Lambda (Lambda) – Provides specific `Get` and `List` permissions for Lambda resources that are associated with your AWS account. - - * AWS Step Functions – Provides `Describe` and `List` permissions for AWS Step Functions resources that are associated with your AWS account. - - * IAM – Provides specific `Get` and `List` permissions for IAM resources that are associated with your AWS account. - - * Amazon Simple Notification Service (Amazon SNS) – Provides `Get` and `List` permissions for Amazon SNS resources that are associated with your AWS account. - - * Amazon Simple Queue Service (Amazon SQS) – Provides `Get` and `List` permissions for Amazon SQS resources that are associated with your AWS account. - - * Amazon Simple Storage Service (Amazon S3) – Provides `Get` and `List` permissions for Amazon S3 resources that are associated with your AWS account. The Amazon S3 permissions in the `AWSResilienceHubS3AccessStatement` are restricted to resources in the same account by using the `aws:ResourceAccount` condition key. - - * Amazon Route 53 (Route 53) – Provides `Get` and `List` permissions for Route 53 resources, including Route 53 Application Recovery Controller resources, that are associated with your AWS account. - - * Amazon EC2 Systems Manager (SSM) – Provides `Describe` and `Get` permissions for SSM resources that are associated with your AWS account. - - * Amazon EC2 Auto Scaling – Provides `Describe` permissions for Amazon EC2 Auto Scaling resources that are associated with your AWS account. - - * AWS Backup – Provides `Describe`, `Get`, and `List` permissions for AWS Backup resources that are associated with your AWS account. - - * AWS Elastic Disaster Recovery (Elastic Disaster Recovery) – Provides `Describe` permissions for Elastic Disaster Recovery resources that are associated with your AWS account. - - * AWS Fault Injection Service (AWS FIS) – Provides `Get` and `List` permissions for AWS FIS experiments and experiment templates that are associated with your AWS account. - - * Amazon FSx for Windows File Server (Amazon FSx) – Provides `Describe` permissions for Amazon FSx resources that are associated with your AWS account. - - * Amazon Data Lifecycle Manager – Provides `Get` permissions for Amazon Data Lifecycle Manager resources that are associated with your AWS account. - - * AWS DataSync – Provides `Describe` and `List` permissions for AWS DataSync resources that are associated with your AWS account. - - * AWS Resource Groups (Resource Groups) – Provides `Get` and `List` permissions for Resource Groups resources that are associated with your AWS account. - - * AWS Service Catalog (Service Catalog) – Provides `Get` and `List` permissions for Service Catalog resources that are associated with your AWS account. - - * Amazon API Gateway – Provides `GET` permissions scoped to specific resource ARN patterns for REST APIs, HTTP APIs, usage plans, and domain names. - - * Amazon Kinesis – Provides `Describe` and `List` permissions for Kinesis resources that are associated with your AWS account. - - * Amazon Kinesis Data Firehose – Provides `Describe` and `List` permissions for Kinesis Data Firehose resources that are associated with your AWS account. - - * Amazon EventBridge – Provides `Describe` and `List` permissions for EventBridge resources that are associated with your AWS account. - - * Amazon MSK – Provides `Describe`, `Get`, and `List` permissions for Amazon MSK and MSK Connect resources that are associated with your AWS account. - - * Amazon MemoryDB – Provides `Describe` permissions for MemoryDB resources that are associated with your AWS account. - - * Amazon Redshift – Provides `Describe` permissions for Redshift resources that are associated with your AWS account. - - * AWS Global Accelerator – Provides `Describe` and `List` permissions for Global Accelerator resources that are associated with your AWS account. - - * AWS Network Firewall – Provides `Describe` and `List` permissions for Network Firewall resources that are associated with your AWS account. - - * AWS Shield – Provides `Describe` and `List` permissions for Shield resources that are associated with your AWS account. - - * AWS WAF V2 – Provides `Get` and `List` permissions for WAF V2 resources that are associated with your AWS account. - - * AWS Resource Access Manager – Provides `Get` and `List` permissions for RAM resources that are associated with your AWS account. - - * Amazon VPC Lattice – Provides `Get` and `List` permissions for VPC Lattice resources that are associated with your AWS account. - - * AWS Config – Provides `Describe` and `List` permissions for Config resources that are associated with your AWS account. - - * Amazon CloudFront – Provides `Get` and `List` permissions for CloudFront resources that are associated with your AWS account. - - * AWS Secrets Manager – Provides `Describe` and `List` permissions for Secrets Manager resources that are associated with your AWS account. - - * AWS Directory Service – Provides `Describe` permissions for Directory Service resources that are associated with your AWS account. - - * Amazon DSQL – Provides `Get` and `List` permissions for DSQL resources that are associated with your AWS account. - - * Amazon QLDB – Provides `Describe` and `List` permissions for QLDB resources that are associated with your AWS account. - - * AWS Certificate Manager – Provides `Describe`, `Get`, and `List` permissions for ACM resources that are associated with your AWS account. - - * Application Auto Scaling – Provides `Describe` permissions for Application Auto Scaling resources that are associated with your AWS account. - - * SSM Incidents – Provides `Get` and `List` permissions for SSM Incidents resources that are associated with your AWS account. - - * Tag – Provides `GetResources` permission for querying tagged resources that are associated with your AWS account. - - - - -The following IAM policy provides required permissions for AWS Resilience Hub to access other AWS services while running assessments. - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "AWSResilienceHubV2ReadResourceConfigStatement", - "Effect": "Allow", - "Action": [ - "acm:DescribeCertificate", - "acm:GetCertificate", - "acm:ListCertificates", - "application-autoscaling:DescribeScalableTargets", - "application-autoscaling:DescribeScalingPolicies", - "arc-region-switch:GetRegionSwitchStatus", - "arc-region-switch:ListRegionSwitchAZSummaries", - "arc-zonal-shift:GetManagedResource", - "arc-zonal-shift:ListManagedResources", - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "backup:DescribeBackupVault", - "backup:GetBackupPlan", - "backup:GetBackupSelection", - "backup:ListBackupPlans", - "backup:ListBackupSelections", - "cloudformation:DescribeStacks", - "cloudformation:GetTemplate", - "cloudformation:ListStackResources", - "cloudfront:GetDistribution", - "cloudfront:ListDistributions", - "cloudwatch:DescribeAlarms", - "cloudwatch:GetMetricData", - "cloudwatch:ListMetrics", - "config:DescribeConfigRules", - "config:ListDiscoveredResources", - "datasync:DescribeTask", - "datasync:ListLocations", - "datasync:ListTasks", - "dlm:GetLifecyclePolicies", - "dlm:GetLifecyclePolicy", - "docdb-elastic:GetCluster", - "docdb-elastic:ListClusters", - "drs:DescribeJobs", - "drs:DescribeSourceServers", - "drs:GetReplicationConfiguration", - "ds:DescribeDirectories", - "dsql:GetCluster", - "dsql:ListClusters", - "dynamodb:DescribeContinuousBackups", - "dynamodb:DescribeGlobalTable", - "dynamodb:DescribeTable", - "dynamodb:ListGlobalTables", - "dynamodb:ListTagsOfResource", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeFastSnapshotRestores", - "ec2:DescribeFleets", - "ec2:DescribeInstances", - "ec2:DescribeNatGateways", - "ec2:DescribeRegions", - "ec2:DescribeSnapshots", - "ec2:DescribeSubnets", - "ec2:DescribeTags", - "ec2:DescribeVolumes", - "ec2:DescribeVpcEndpoints", - "ec2:DescribeVpcs", - "ecr:DescribeRepositories", - "ecs:DescribeCapacityProviders", - "ecs:DescribeClusters", - "ecs:DescribeContainerInstances", - "ecs:DescribeServices", - "ecs:DescribeTaskDefinition", - "ecs:ListContainerInstances", - "ecs:ListServices", - "eks:DescribeCluster",