AWS Security ChangesHomeSearch

AWS mwaa medium security documentation change

Service: mwaa · 2026-07-07 · Security-related medium

File: mwaa/latest/userguide/connections-secrets-manager.md

Summary

Updated IAM policy example to restrict Secrets Manager permissions to GetSecretValue only, added warnings about ListSecrets wildcard risks, and included optional DescribeSecret guidance.

Security assessment

Explicitly reduces permissions from multiple actions to only GetSecretValue, documents security risk of ListSecrets wildcard (exposing all secrets), and provides mitigation guidance. Directly addresses least privilege security best practices.

Diff

diff --git a/mwaa/latest/userguide/connections-secrets-manager.md b/mwaa/latest/userguide/connections-secrets-manager.md
index 3331c6b59..8e96dc02b 100644
--- a//mwaa/latest/userguide/connections-secrets-manager.md
+++ b//mwaa/latest/userguide/connections-secrets-manager.md
@@ -64,6 +64 @@ The [execution role](./mwaa-create-role.html) for your Amazon MWAA environment n
-If you do not want to use an AWS-managed permission policy, you can directly update your environment's execution role to allow any level of access to your Secrets Manager resources. For example, the following policy statement grants read access to all secrets you create in a specific AWS Region in Secrets Manager.
-
-JSON
-    
-
-****
+If you do not want to use an AWS-managed permission policy, you can directly update your environment's execution role to allow any level of access to your Secrets Manager resources. The following JSON policy grants read access to all secrets in a specific AWS Region. Replace ``us-east-1`` with your Region, and replace ``111122223333`` with your AWS account ID:
@@ -70,0 +66 @@ JSON
+###### Example – IAM policy for Secrets Manager read access
@@ -79,4 +75 @@ JSON
-                    "secretsmanager:GetResourcePolicy",
-                    "secretsmanager:GetSecretValue",
-                    "secretsmanager:DescribeSecret",
-                    "secretsmanager:ListSecretVersionIds"
+                    "secretsmanager:GetSecretValue"
@@ -93,0 +87,7 @@ JSON
+###### Wildcard resource for ListSecrets
+
+The preceding policy grants `ListSecrets` access to all secrets (`"Resource": "*"`). `ListSecrets` does not support resource-level permissions, so the wildcard is required. If you use this policy in production, any principal that assumes this role can list every secret in your account. Restrict the role's trust policy and other permissions to limit the scope of access.
+
+###### Optional: DescribeSecret permission
+
+If your provider version checks for secret existence before retrieval, add `secretsmanager:DescribeSecret`. This permission might also reduce `ResourceNotFoundException` errors in your logs.