AWS dms documentation change
Summary
Added account-based conditions to S3 permissions and updated SecretsManager ARNs with region/account specifics in example policies.
Security assessment
The changes enhance example IAM policies by adding 'aws:ResourceAccount' conditions to S3 permissions and making SecretsManager ARNs more specific. This demonstrates security best practices for least-privilege access but doesn't fix an existing vulnerability.
Diff
diff --git a/dms/latest/userguide/set-up.md b/dms/latest/userguide/set-up.md index c73f79db7..5cbf44c21 100644 --- a//dms/latest/userguide/set-up.md +++ b//dms/latest/userguide/set-up.md @@ -49,0 +50,3 @@ Role name | Permissions policy +**** + + @@ -61 +64,6 @@ Role name | Permissions policy - "Resource": "arn:aws:s3:::amzn-s3-demo-bucket" + "Resource": "arn:aws:s3:::amzn-s3-demo-bucket", + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "111122223333" + } + } @@ -70 +78,6 @@ Role name | Permissions policy - "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*" + "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*", + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "111122223333" + } + } @@ -76,0 +91,3 @@ Role name | Permissions policy +**** + + @@ -87 +104 @@ Role name | Permissions policy - "Resource": "arn:aws:secretsmanager:region:111122223333:secret:sc-source-secret*" + "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:sc-source-secret*" @@ -93,0 +112,3 @@ Role name | Permissions policy +**** + + @@ -104 +125 @@ Role name | Permissions policy - "Resource": "arn:aws:secretsmanager:region:111122223333:secret:sc-target-secret*" + "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:sc-target-secret*" @@ -113,0 +136,3 @@ Each role requires the following trust policy: +**** + +