AWS amazondynamodb high security documentation change
Summary
Changed DynamoDB permissions for unauthenticated Cognito users from full access to read-only, adding explanation about least privilege principle
Security assessment
Reducing permissions from AmazonDynamoDBFullAccess to AmazonDynamoDBReadOnlyAccess explicitly follows security best practices by limiting unauthenticated users to read operations only, preventing potential data modification/deletion risks
Diff
diff --git a/amazondynamodb/latest/developerguide/Cognito.Credentials.md b/amazondynamodb/latest/developerguide/Cognito.Credentials.md index bef95e0fc..54fdf05e4 100644 --- a//amazondynamodb/latest/developerguide/Cognito.Credentials.md +++ b//amazondynamodb/latest/developerguide/Cognito.Credentials.md @@ -62 +62 @@ JSON - 4. Grant the `Cognito_DynamoPoolUnauth` role full access to DynamoDB by attaching a managed policy (`AmazonDynamoDBFullAccess`). + 4. Grant the `Cognito_DynamoPoolUnauth` role read-only access to DynamoDB by attaching a managed policy (`AmazonDynamoDBReadOnlyAccess`). Because this role is assumed by unauthenticated users, follow the principle of least privilege and grant only the permissions the role actually needs. @@ -64 +64 @@ JSON - aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess \ + aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AmazonDynamoDBReadOnlyAccess \