
Updates AWS managed policies #878

Open: wants to merge 1 commit into main

Conversation

@udondan (Owner) commented Aug 6, 2024

Updates AWS managed policies

Summary by CodeRabbit

  • New Features

    • Expanded permissions for AWS Audit Manager, AWS Backup, and AWS Config roles, enhancing their capabilities.
    • Introduced new IAM policies for managing AWS Directory Service and enhanced permissions for AWS Data Exchange.
    • Added permissions for managing ElastiCache and improved AWS Support Plans functionality.
    • New policy for AWS Provisioned Capacity Service to manage EC2 resources effectively.
  • Bug Fixes

    • Removed outdated permissions from AWS Reachability Analyzer Service Role Policy, streamlining its functionality.
  • Documentation

    • Updated IAM policy documentation to reflect new permissions and policies.

coderabbitai bot commented Aug 6, 2024

Walkthrough

Recent updates to various AWS IAM policies introduce new permissions and modifications aimed at enhancing resource management and security. Key changes include the introduction of new policies for compromised key quarantine and AWS PCS service roles, expanded permissions in the AWS Config and Data Exchange policies, and enhancements to policies related to AWS services like Audit Manager and Directory Service. Additionally, new identifiers improve clarity in policy documents, while some permissions were removed to strengthen security measures.

Changes

Files and change summary:

  • docs/source/_static/managed-policies/AWSCompromisedKeyQuarantineV3.json, docs/source/_static/managed-policies/AWSPCSServiceRolePolicy.json, docs/source/_static/managed-policies/AWSDirectoryServiceDataFullAccess.json, docs/source/_static/managed-policies/AWSDirectoryServiceDataReadOnlyAccess.json: New policies introduced for compromised key quarantine, AWS PCS service role management, and AWS Directory Service data access, defining specific permissions and actions.
  • docs/source/_static/managed-policies/AWSAuditManagerServiceRolePolicy.json, docs/source/_static/managed-policies/AWSConfigServiceRolePolicy.json, docs/source/_static/managed-policies/AWSDataExchangeProviderFullAccess.json, docs/source/_static/managed-policies/AWSIAMIdentityCenterAllowListForIdentityContext.json: Expanded permissions across multiple services (e.g., Audit Manager, Config, Data Exchange) and added specific actions to enhance operational capabilities and security management.
  • docs/source/_static/managed-policies/AWSIAMIdentityCenterAllowListForIdentityContext.json: Introduced new permission for listing S3 access grants, enhancing the management of permissions in AWS environments.
  • docs/source/_static/managed-policies/AWSReachabilityAnalyzerServiceRolePolicy.json: Removed permissions related to Global Accelerator, tightening security by limiting the role's interaction with those resources.
  • docs/source/_static/managed-policies/AWSBackupServiceRolePolicyForBackup.json: Modified permissions related to RDS automated backups, focusing on deletion actions rather than modification.
  • docs/source/_static/managed-policies/AWSSupportServiceRolePolicy.json: Added a wide range of new permissions across various AWS services, enhancing operational capabilities and management of resources.

Possibly related PRs

  • Updates AWS managed policies #711: Updates to AWSAuditManagerServiceRolePolicy.json include adding permissions, similar to the main PR's addition of "bedrock:ListGuardrails".
  • Updates AWS managed policies #755: Adds various SageMaker-related actions to AWSAuditManagerServiceRolePolicy.json, which is relevant to the main PR's focus on permissions.
  • Updates AWS managed policies #800: Changes to AWSIAMIdentityCenterAllowListForIdentityContext.json introduce new permissions that may overlap with those added in the main PR.


@udondan force-pushed the update-aws-managed-policies branch 4 times, most recently from e5dd68b to ecc2f69, on August 13, 2024 01:32
@udondan force-pushed the update-aws-managed-policies branch 3 times, most recently from 1f93f67 to 55588a4, on August 16, 2024 01:34
@coderabbitai bot left a comment

Actionable comments posted: 0

Outside diff range, codebase verification and nitpick comments (4)
docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedNotebookPolicy.json (1)

24-37: Conditions for Tagging Correctly Implemented in Notebook Policy, Inconsistencies Found Elsewhere

The conditions for tagging in AwsGlueSessionUserRestrictedNotebookPolicy.json are correctly implemented using "aws:PrincipalTag/owner". However, other policy files such as AwsGlueSessionUserRestrictedPolicy.json and AwsGlueSessionUserRestrictedServiceRole.json use "${aws:userid}" instead, which may not align with the intended policy structure.

  • Ensure consistent use of "aws:PrincipalTag/owner" across all policies if that's the intended condition.
  • Review and update other policy files for consistency if required.
Analysis chain

Ensure conditions for tagging are correctly implemented.

The new "AllowGlueTaggingAction" statement allows tagging resources with strict conditions based on the owner tag. This change enhances security by ensuring only authorized users can tag resources. Verify that the conditions are correctly implemented and that the necessary tags are applied to all relevant resources and principals.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify that the conditions for tagging are correctly implemented.

# Test: Search for the usage of `AllowGlueTaggingAction`. Expect: Correct implementation of conditions.
rg --type json $'AllowGlueTaggingAction'

Length of output: 529


Script:

#!/bin/bash
# Extract and display the condition sections for "AllowGlueTaggingAction" across relevant policy files
rg --type json -A 10 '"Sid": "AllowGlueTaggingAction"' docs/source/_static/managed-policies/

Length of output: 5125

docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedNotebookServiceRole.json (1)

43-56: Inconsistent Tagging Conditions in "AllowGlueTaggingAction"

The conditions for "AllowGlueTaggingAction" vary across different policy files. Ensure consistent implementation of conditions using ${aws:PrincipalTag/owner} if that is the intended approach:

  • AwsGlueSessionUserRestrictedServiceRole.json and AwsGlueSessionUserRestrictedPolicy.json use ${aws:userid}.
  • AwsGlueSessionUserRestrictedNotebookServiceRole.json and AwsGlueSessionUserRestrictedNotebookPolicy.json use ${aws:PrincipalTag/owner}.

Verify and standardize the conditions to align with the intended security model.

Analysis chain

Verify tagging conditions in "AllowGlueTaggingAction".

The new "AllowGlueTaggingAction" statement introduces tagging permissions with conditions based on the owner tag. This ensures that only authorized users can tag resources. Verify that the conditions are correctly implemented and enforced across all relevant resources and principals.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify tagging conditions in "AllowGlueTaggingAction".

# Test: Search for the usage of `AllowGlueTaggingAction`. Expect: Correct implementation of conditions.
rg --type json $'AllowGlueTaggingAction'

Length of output: 529


Script:

#!/bin/bash
# Description: Extract and review the conditions associated with "AllowGlueTaggingAction" in relevant JSON files.

# Extract the relevant sections from each JSON file where "AllowGlueTaggingAction" is defined.
for file in $(rg --files-with-matches --type json "AllowGlueTaggingAction"); do
  echo "File: $file"
  rg -A 10 '"Sid": "AllowGlueTaggingAction"' "$file"
  echo "-------------------------"
done

Length of output: 3223

docs/source/_static/managed-policies/AWSDataExchangeProviderFullAccess.json (2)

Restrict KMS Permissions to Necessary Resources

The AWSDataExchangeProviderFullAccess.json policy file contains multiple instances of broad permissions with "Resource": "*". Specifically, the "KMSActions" SID allows key management operations on all KMS keys. To enhance security, consider scoping these permissions to specific resources rather than using "*". This will help prevent unauthorized access to KMS keys.

  • File: docs/source/_static/managed-policies/AWSDataExchangeProviderFullAccess.json
  • Lines with broad permissions: Multiple instances of "Resource": "*"
Analysis chain

Line range hint 124-131: Review KMSActions SID.

The permissions under "KMSActions" allow for key management operations. Ensure that these permissions are limited to necessary resources to prevent unauthorized key access.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the scope of KMS permissions.

# Test: Search for kms permissions usage. Expect: Limited to necessary resources.
rg --type json $'kms:DescribeKey'

Length of output: 8338


Script:

#!/bin/bash
# Description: Check for broad resource permissions in AWSDataExchangeProviderFullAccess.json.

# Search for literal instances of "Resource": "*" in the specified policy file.
# -F treats the pattern as a fixed string; without it the trailing * is a regex
# quantifier and the pattern would match every "Resource": line.
rg --type json -F '"Resource": "*"' docs/source/_static/managed-policies/AWSDataExchangeProviderFullAccess.json

Length of output: 419


Review the scope of APIGatewayActions SID in AWSDataExchangeProviderFullAccess.json

The "APIGatewayActions" SID currently allows the "apigateway:GET" action on all resources ("Resource": "*"). This broad permission could lead to unintended exposure. Consider scoping this permission to specific resources to enhance security.

  • File: docs/source/_static/managed-policies/AWSDataExchangeProviderFullAccess.json, Lines: 153-159
Analysis chain

Line range hint 156-161: Review APIGatewayActions SID.

The "APIGatewayActions" SID allows GET requests on API Gateway. Ensure that this permission is scoped correctly to prevent unintentional exposure.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the scope of API Gateway permissions.

# Test: Search for apigateway permissions usage. Expect: Scoped correctly to prevent exposure.
rg --type json $'apigateway:GET'

Length of output: 3461


Script:

#!/bin/bash
# Extract the full context of the "apigateway:GET" permission in AWSDataExchangeProviderFullAccess.json
rg -A 5 -B 5 '"apigateway:GET"' docs/source/_static/managed-policies/AWSDataExchangeProviderFullAccess.json

Length of output: 267

@udondan force-pushed the update-aws-managed-policies branch 4 times, most recently from 0894070 to 23c7398, on August 20, 2024 01:34

@coderabbitai bot left a comment

Actionable comments posted: 0

Outside diff range, codebase verification and nitpick comments (1)
docs/source/_static/managed-policies/AmazonECS_FullAccess.json (1)

Security Concern: Unrestricted Role Passing in TasksPassRolePolicy

The TasksPassRolePolicy allows the iam:PassRole action on all resources ("Resource": ["*"]). This can pose a security risk as it enables passing any role to ECS tasks. It is recommended to restrict this policy to specific roles necessary for the tasks to enhance security.

  • File: docs/source/_static/managed-policies/AmazonECS_FullAccess.json
  • Lines: 153-159
Analysis chain

Line range hint 156-164: Verify restriction and security of role passing.

The TasksPassRolePolicy allows passing roles to ECS tasks. Ensure that this is restricted to necessary roles only to maintain security.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the restriction and security of role passing in `TasksPassRolePolicy`.

# Test: Check for any unintended role passing permissions.
rg --type json '"TasksPassRolePolicy"'

Length of output: 139


Script:

#!/bin/bash
# Description: Extract detailed information about the conditions and resources in `TasksPassRolePolicy`.

# Extract the full policy statement for `TasksPassRolePolicy` to verify conditions and resources.
rg --type json -A 5 '"Sid": "TasksPassRolePolicy"' docs/source/_static/managed-policies/AmazonECS_FullAccess.json

Length of output: 249

@udondan force-pushed the update-aws-managed-policies branch 6 times, most recently from 0690482 to c42a503, on August 28, 2024 01:34

@coderabbitai bot left a comment

Actionable comments posted: 6

Comment on lines +76 to +89
"Sid": "PermissionsToManagePCSLaunchTemplates",
"Effect": "Allow",
"Action": [
"ec2:DeleteLaunchTemplate",
"ec2:DeleteLaunchTemplateVersions",
"ec2:CreateLaunchTemplateVersion"
],
"Resource": "arn:aws:ec2:*:*:launch-template/*",
"Condition": {
"Null": {
"aws:ResourceTag/AWSPCSManaged": "false"
}
}
},

Refine condition to ensure explicit tag value.

The condition should ensure that the AWSPCSManaged tag is explicitly set to true to avoid unintended actions.

- "Null": {
-   "aws:ResourceTag/AWSPCSManaged": "false"
- }
+ "StringEquals": {
+   "aws:ResourceTag/AWSPCSManaged": "true"
+ }
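Review bot: the suggested `StringEquals` replacement changes what the condition tests rather than tightening it. `"Null": {"aws:ResourceTag/AWSPCSManaged": "false"}` is true whenever the `AWSPCSManaged` tag key is present on the launch template, whatever its value, so the original already limits `ec2:DeleteLaunchTemplate`, `ec2:DeleteLaunchTemplateVersions` and `ec2:CreateLaunchTemplateVersion` to templates the service has tagged. Requiring the value to be exactly `true` would remove the permission for any template the service tags with a different value, leaving those templates undeletable by the role. Since this file mirrors an AWS-published managed policy (the PR title and the managed-policies path say as much), the condition should be kept as AWS ships it; the same applies to the five sibling suggestions on the other AWSPCSServiceRolePolicy statements in this review.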

Suggested change
"Sid": "PermissionsToManagePCSLaunchTemplates",
"Effect": "Allow",
"Action": [
"ec2:DeleteLaunchTemplate",
"ec2:DeleteLaunchTemplateVersions",
"ec2:CreateLaunchTemplateVersion"
],
"Resource": "arn:aws:ec2:*:*:launch-template/*",
"Condition": {
"Null": {
"aws:ResourceTag/AWSPCSManaged": "false"
}
}
},
"Sid": "PermissionsToManagePCSLaunchTemplates",
"Effect": "Allow",
"Action": [
"ec2:DeleteLaunchTemplate",
"ec2:DeleteLaunchTemplateVersions",
"ec2:CreateLaunchTemplateVersion"
],
"Resource": "arn:aws:ec2:*:*:launch-template/*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/AWSPCSManaged": "true"
}
}

Comment on lines +5 to +15
"Sid": "PermissionsToCreatePCSNetworkInterfaces",
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface"
],
"Resource": "arn:aws:ec2:*:*:network-interface/*",
"Condition": {
"Null": {
"aws:RequestTag/AWSPCSManaged": "false"
}
}
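Review bot: this statement keys on `aws:RequestTag/AWSPCSManaged` rather than a resource tag because the interface does not exist yet when `ec2:CreateNetworkInterface` is evaluated; `"Null": ... "false"` therefore permits creation only when the request itself carries the `AWSPCSManaged` tag, and that tag is what the `PermissionsToManagePCSNetworkInterfaces` statement (lines +29 to +41) later matches through `aws:ResourceTag/AWSPCSManaged`. Worth stating in the review that the create-side and manage-side conditions form a pair: changing either one to an exact-value match without the other breaks the resource lifecycle.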

Refine condition to ensure explicit tag value.

The condition should ensure that the AWSPCSManaged tag is explicitly set to true to avoid unintended actions.

- "Null": {
-   "aws:RequestTag/AWSPCSManaged": "false"
- }
+ "StringEquals": {
+   "aws:RequestTag/AWSPCSManaged": "true"
+ }

Suggested change
"Sid": "PermissionsToCreatePCSNetworkInterfaces",
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface"
],
"Resource": "arn:aws:ec2:*:*:network-interface/*",
"Condition": {
"Null": {
"aws:RequestTag/AWSPCSManaged": "false"
}
}
"Sid": "PermissionsToCreatePCSNetworkInterfaces",
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface"
],
"Resource": "arn:aws:ec2:*:*:network-interface/*",
"Condition": {
"StringEquals": {
"aws:RequestTag/AWSPCSManaged": "true"
}
}

Comment on lines +145 to +159
"Sid": "PermissionsToProvisionClusterInstances",
"Effect": "Allow",
"Action": [
"ec2:RunInstances",
"ec2:CreateFleet"
],
"Resource": [
"arn:aws:ec2:*:*:instance/*"
],
"Condition": {
"Null": {
"aws:RequestTag/AWSPCSManaged": "false"
}
}
},

Refine condition to ensure explicit tag value.

The condition should ensure that the AWSPCSManaged tag is explicitly set to true to avoid unintended actions.

- "Null": {
-   "aws:RequestTag/AWSPCSManaged": "false"
- }
+ "StringEquals": {
+   "aws:RequestTag/AWSPCSManaged": "true"
+ }

Suggested change
"Sid": "PermissionsToProvisionClusterInstances",
"Effect": "Allow",
"Action": [
"ec2:RunInstances",
"ec2:CreateFleet"
],
"Resource": [
"arn:aws:ec2:*:*:instance/*"
],
"Condition": {
"Null": {
"aws:RequestTag/AWSPCSManaged": "false"
}
}
},
"Sid": "PermissionsToProvisionClusterInstances",
"Effect": "Allow",
"Action": [
"ec2:RunInstances",
"ec2:CreateFleet"
],
"Resource": [
"arn:aws:ec2:*:*:instance/*"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/AWSPCSManaged": "true"
}
}

Comment on lines +63 to +73
"Sid": "PermissionsToCreatePCSLaunchTemplates",
"Effect": "Allow",
"Action": [
"ec2:CreateLaunchTemplate"
],
"Resource": "arn:aws:ec2:*:*:launch-template/*",
"Condition": {
"Null": {
"aws:RequestTag/AWSPCSManaged": "false"
}
}

Refine condition to ensure explicit tag value.

The condition should ensure that the AWSPCSManaged tag is explicitly set to true to avoid unintended actions.

- "Null": {
-   "aws:RequestTag/AWSPCSManaged": "false"
- }
+ "StringEquals": {
+   "aws:RequestTag/AWSPCSManaged": "true"
+ }

Suggested change
"Sid": "PermissionsToCreatePCSLaunchTemplates",
"Effect": "Allow",
"Action": [
"ec2:CreateLaunchTemplate"
],
"Resource": "arn:aws:ec2:*:*:launch-template/*",
"Condition": {
"Null": {
"aws:RequestTag/AWSPCSManaged": "false"
}
}
"Sid": "PermissionsToCreatePCSLaunchTemplates",
"Effect": "Allow",
"Action": [
"ec2:CreateLaunchTemplate"
],
"Resource": "arn:aws:ec2:*:*:launch-template/*",
"Condition": {
"StringEquals": {
"aws:RequestTag/AWSPCSManaged": "true"
}
}

Comment on lines +29 to +41
"Sid": "PermissionsToManagePCSNetworkInterfaces",
"Effect": "Allow",
"Action": [
"ec2:DeleteNetworkInterface",
"ec2:CreateNetworkInterfacePermission"
],
"Resource": "arn:aws:ec2:*:*:network-interface/*",
"Condition": {
"Null": {
"aws:ResourceTag/AWSPCSManaged": "false"
}
}
},

Refine condition to ensure explicit tag value.

The condition should ensure that the AWSPCSManaged tag is explicitly set to true to avoid unintended actions.

- "Null": {
-   "aws:ResourceTag/AWSPCSManaged": "false"
- }
+ "StringEquals": {
+   "aws:ResourceTag/AWSPCSManaged": "true"
+ }

Suggested change
"Sid": "PermissionsToManagePCSNetworkInterfaces",
"Effect": "Allow",
"Action": [
"ec2:DeleteNetworkInterface",
"ec2:CreateNetworkInterfacePermission"
],
"Resource": "arn:aws:ec2:*:*:network-interface/*",
"Condition": {
"Null": {
"aws:ResourceTag/AWSPCSManaged": "false"
}
}
},
"Sid": "PermissionsToManagePCSNetworkInterfaces",
"Effect": "Allow",
"Action": [
"ec2:DeleteNetworkInterface",
"ec2:CreateNetworkInterfacePermission"
],
"Resource": "arn:aws:ec2:*:*:network-interface/*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/AWSPCSManaged": "true"
}
}
},

Comment on lines +91 to +102
"Sid": "PermissionsToTerminatePCSManagedInstances",
"Effect": "Allow",
"Action": [
"ec2:TerminateInstances"
],
"Resource": "arn:aws:ec2:*:*:instance/*",
"Condition": {
"Null": {
"aws:ResourceTag/AWSPCSManaged": "false"
}
}
},

Refine condition to ensure explicit tag value.

The condition should ensure that the AWSPCSManaged tag is explicitly set to true to avoid unintended actions.

- "Null": {
-   "aws:ResourceTag/AWSPCSManaged": "false"
- }
+ "StringEquals": {
+   "aws:ResourceTag/AWSPCSManaged": "true"
+ }

Suggested change
"Sid": "PermissionsToTerminatePCSManagedInstances",
"Effect": "Allow",
"Action": [
"ec2:TerminateInstances"
],
"Resource": "arn:aws:ec2:*:*:instance/*",
"Condition": {
"Null": {
"aws:ResourceTag/AWSPCSManaged": "false"
}
}
},
"Sid": "PermissionsToTerminatePCSManagedInstances",
"Effect": "Allow",
"Action": [
"ec2:TerminateInstances"
],
"Resource": "arn:aws:ec2:*:*:instance/*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/AWSPCSManaged": "true"
}
}
},

@udondan force-pushed the update-aws-managed-policies branch 3 times, most recently from a427e98 to 0734cc4, on August 31, 2024 01:35

@coderabbitai bot left a comment

Actionable comments posted: 1

Comment on lines +1223 to +1226
/** Denies access to certain actions, applied by AWS in the event that an IAM user's credentials have been compromised or exposed publicly. The policy aims to limit the potential damage that may be caused by fraud-related activity leading to unauthorized charges, while not impacting the existing resources. Do NOT remove this policy. Instead, please follow the instructions specified in the support case created for you regarding this event. */
public static AWSCompromisedKeyQuarantineV3 = 'AWSCompromisedKeyQuarantineV3';
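Review bot: the Gitleaks `generic-api-key` finding on line 1224 is a false positive: the flagged string is the managed policy name `AWSCompromisedKeyQuarantineV3`, presumably tripped by the word `Key` beside a long identifier, not a credential. Rather than disabling the rule, add an allowlist entry for this generated file (or for that policy name) in the project's Gitleaks configuration, so the scan keeps flagging real secrets elsewhere in the code base.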

Security Concern: AWSCompromisedKeyQuarantineV3

The addition of the AWSCompromisedKeyQuarantineV3 policy is correctly implemented. However, the static analysis tool flagged this line as containing a potential security issue related to a generic API key. This is likely a false positive since the policy is designed to deny access to certain actions when an IAM user's credentials are compromised, which is a security feature.

It's important to verify that no sensitive keys or credentials are hardcoded in this policy or elsewhere in the codebase.

Please ensure that no sensitive information or credentials are exposed in the policy definitions or elsewhere. If this is a false positive, you may disregard the security warning from the static analysis tool.

Tools: Gitleaks

1224-1224: Detected a Generic API Key, potentially exposing access to various services and sensitive operations. (generic-api-key)

@udondan force-pushed the update-aws-managed-policies branch 2 times, most recently from 2aa1aa3 to 4459e7c, on September 3, 2024 01:33

@coderabbitai bot left a comment

Actionable comments posted: 0

Outside diff range, codebase verification and nitpick comments (2)
docs/source/_static/managed-policies/AWSDataExchangeProviderFullAccess.json (2)

Line range hint 94-102: Avoid using broad permissions for S3 read actions.

The new statement with SID "S3ReadActions" allows read actions like s3:ListAllMyBuckets on any S3 resource ("Resource": "*"), which seems too permissive. Consider scoping down the Resource to specific buckets or using conditions to restrict the permissions for better security.


Line range hint 156-161: Avoid using broad permissions for API Gateway actions.

The new statement with SID "APIGatewayActions" allows the apigateway:GET action on any resource ("Resource": "*"), which seems too permissive. Consider scoping down the Resource to specific API Gateway resources or using conditions to restrict the permissions for better security.

@udondan force-pushed the update-aws-managed-policies branch 2 times, most recently from ed8bbe5 to 18026d0, on September 9, 2024 01:32

@coderabbitai bot left a comment

Actionable comments posted: 2

Comment on lines +24 to +37
{
"Sid": "AllowGlueTaggingAction",
"Effect": "Allow",
"Action": [
"glue:TagResource"
],
"Resource": "arn:aws:glue:*:*:session/*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/owner": "${aws:userid}",
"aws:RequestTag/owner": "${aws:userid}"
}
}
},
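Review bot: the two `StringEquals` keys are ANDed and a missing context key makes `StringEquals` false, so this statement allows `glue:TagResource` only when the session already carries `owner=${aws:userid}` and the request also sets `owner` to the same value. Two consequences worth stating in the review: ownership cannot be transferred (a request with `owner` set to another principal fails on `aws:RequestTag/owner`), and a request that adds an unrelated tag without re-asserting `owner` also fails, because `aws:RequestTag/owner` is then absent. The `${aws:userid}` form here versus the `aws:PrincipalTag/owner` form in the Notebook variants flagged earlier is a difference in the AWS-published policies themselves, not something to normalise in this mirror.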

Removal of Action from DenyTagActions

The removal of the glue:TagResource action from the "DenyTagActions" statement is necessary and appropriate. This change prevents potential conflicts between deny and allow rules within the policy, aligning with the new permissions granted under "AllowGlueTaggingAction". This ensures clarity and effectiveness in policy enforcement.

Comment on lines +56 to +69
{
"Sid": "AllowGlueTaggingAction",
"Effect": "Allow",
"Action": [
"glue:TagResource"
],
"Resource": "arn:aws:glue:*:*:session/*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/owner": "${aws:userid}",
"aws:RequestTag/owner": "${aws:userid}"
}
}
},

Removal of Action from DenyTagActions

The removal of the glue:TagResource action from the "DenyTagActions" statement in the service role policy is necessary and aligns with the changes in the user policy. This prevents conflicts between deny and allow rules, ensuring effective policy enforcement.
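To make the two conditions debated in this thread concrete (the `Null`-versus-`StringEquals` suggestion on the AWSPCSServiceRolePolicy statements, and the owner-tag condition in the AllowGlueTaggingAction hunks), here is an added example that is not code from this project, from AWS or from CodeRabbit: a small evaluator for just those two IAM condition operators, run over constructed request contexts. The principal ids and tag values are made up.

```python
"""Evaluate the IAM Condition blocks discussed in this PR against constructed
request contexts.  Added example for this review thread: it is not code from
the iam-floyd project, from AWS or from CodeRabbit, and it models only the two
operators the policies above use ("Null" and "StringEquals")."""
from typing import Dict, List, Optional, Union

Condition = Dict[str, Dict[str, Union[str, List[str]]]]
Context = Dict[str, str]


def _resolve(value: str, ctx: Context) -> Optional[str]:
    """Expand a policy variable such as ${aws:userid} from the request context.
    A variable whose key is absent from the context can never match."""
    if value.startswith("${") and value.endswith("}"):
        return ctx.get(value[2:-1])
    return value


def eval_condition(condition: Condition, ctx: Context) -> bool:
    """Return True when every operator/key pair in the block matches ctx.

    IAM semantics modelled here:
      "Null": {key: "false"}   -> the key must be PRESENT, with any value
      "Null": {key: "true"}    -> the key must be ABSENT
      "StringEquals": {key: v} -> the key must be present and equal one of v
    StringEquals on a missing key is false; all pairs are ANDed together."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in ctx
            if operator == "Null":
                if present != (str(expected).lower() == "false"):
                    return False
            elif operator == "StringEquals":
                wanted = expected if isinstance(expected, list) else [expected]
                resolved = [_resolve(v, ctx) for v in wanted]
                if not present or ctx[key] not in resolved:
                    return False
            else:
                raise ValueError(f"operator {operator!r} is not modelled")
    return True


# Condition from PermissionsToManagePCSLaunchTemplates as it appears in the PR.
PCS_ORIGINAL: Condition = {"Null": {"aws:ResourceTag/AWSPCSManaged": "false"}}
# Condition from the reviewer's committable suggestion.
PCS_SUGGESTED: Condition = {"StringEquals": {"aws:ResourceTag/AWSPCSManaged": "true"}}

# Constructed request contexts: the launch template's AWSPCSManaged tag, if any.
PCS_CASES: Dict[str, Context] = {
    "tag=true": {"aws:ResourceTag/AWSPCSManaged": "true"},
    "tag=yes": {"aws:ResourceTag/AWSPCSManaged": "yes"},  # any other service-chosen value
    "untagged": {},
}


def compare_pcs_conditions() -> Dict[str, Dict[str, bool]]:
    """Show where the original and the suggested condition disagree."""
    return {
        name: {
            "original": eval_condition(PCS_ORIGINAL, ctx),
            "suggested": eval_condition(PCS_SUGGESTED, ctx),
        }
        for name, ctx in PCS_CASES.items()
    }


# Condition from AllowGlueTaggingAction (AwsGlueSessionUserRestrictedPolicy).
GLUE_OWNER: Condition = {
    "StringEquals": {
        "aws:ResourceTag/owner": "${aws:userid}",
        "aws:RequestTag/owner": "${aws:userid}",
    }
}


def glue_tagging_outcomes() -> Dict[str, bool]:
    """Which glue:TagResource requests the owner-tag condition lets through."""
    me, other = "AIDAEXAMPLE:alice", "AIDAEXAMPLE:bob"  # constructed principal ids
    own = {"aws:userid": me, "aws:ResourceTag/owner": me}
    return {
        "own session, re-asserting owner tag": eval_condition(
            GLUE_OWNER, {**own, "aws:RequestTag/owner": me}),
        "own session, request omits owner tag": eval_condition(GLUE_OWNER, own),
        "own session, trying to hand over": eval_condition(
            GLUE_OWNER, {**own, "aws:RequestTag/owner": other}),
        "someone else's session": eval_condition(
            GLUE_OWNER, {"aws:userid": me, "aws:ResourceTag/owner": other,
                         "aws:RequestTag/owner": me}),
    }


if __name__ == "__main__":
    for case, result in compare_pcs_conditions().items():
        print(f"PCS launch template {case:9}: {result}")
    for case, allowed in glue_tagging_outcomes().items():
        print(f"Glue TagResource, {case}: {'allowed' if allowed else 'denied'}")
```

The `tag=yes` row is the one that matters for the suggestion: the original condition allows it, the suggested one silently denies it.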

@udondan force-pushed the update-aws-managed-policies branch 2 times, most recently from 3fe5f8a to cf48f06, on September 11, 2024 01:35

@coderabbitai bot left a comment

Actionable comments posted: 0

Outside diff range, codebase verification and nitpick comments (1)
docs/source/_static/managed-policies/AWSSupportServiceRolePolicy.json (1)

87-88: Approve read-only permissions following least privilege. Review broad permissions.

The additions of read-only permissions (Get*, Describe*, List*) to various AWS services follow the least privilege principle.

However, the broad permissions granted to many services could be a concern if not actually required for the intended use case. Consider reviewing these broad permissions and removing any unnecessary ones to further tighten the security posture.

Also applies to: 264-264, 324-345, 547-558, 786-802, 1018-1018, 1064-1064, 1143-1144, 1210-1212, 1343-1343, 1637-1638, 2295-2300, 3355-3356, 3368-3374

@coderabbitai bot left a comment

Actionable comments posted: 0

Outside diff range and nitpick comments (1)
docs/source/_static/managed-policies/AmazonConnectServiceLinkedRolePolicy.json (1)

149-163: Approve addition of permissions, but consider scoping the Resource.

The added permissions for message template operations in the wisdom service look good functionally. They expand the capabilities of the Amazon Connect service.

However, consider scoping the Resource to specific ARNs (e.g., arn:aws:wisdom:*:*:message-template/*) instead of "*" if possible, to follow the principle of least privilege more closely.

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between cf48f06 and d8eb12f.

Files selected for processing (40)
  • docs/source/_static/managed-policies/AWSCompromisedKeyQuarantineV3.json (1 hunks)
  • docs/source/_static/managed-policies/AWSDataExchangeProviderFullAccess.json (11 hunks)
  • docs/source/_static/managed-policies/AWSIAMIdentityCenterAllowListForIdentityContext.json (1 hunks)
  • docs/source/_static/managed-policies/AWSPCSServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AWSReachabilityAnalyzerServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AWSResourceExplorerServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AWSSSMForSAPServiceLinkedRolePolicy.json (2 hunks)
  • docs/source/_static/managed-policies/AWSServiceRoleForAmazonEKSNodegroup.json (1 hunks)
  • docs/source/_static/managed-policies/AWSSupportPlansFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AWSSupportPlansReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AWSSupportServiceRolePolicy.json (14 hunks)
  • docs/source/_static/managed-policies/AmazonBedrockReadOnly.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonCognitoUnAuthedIdentitiesSessionPolicy.json (2 hunks)
  • docs/source/_static/managed-policies/AmazonConnectServiceLinkedRolePolicy.json (4 hunks)
  • docs/source/_static/managed-policies/AmazonECS_FullAccess.json (8 hunks)
  • docs/source/_static/managed-policies/AmazonElasticFileSystemReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonGuardDutyServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonInspector2ServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonOpenSearchServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonRDSBetaServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonRDSPreviewServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonRoute53ProfilesFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonRoute53ProfilesReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonRoute53ResolverFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonRoute53ResolverReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonSageMakerCanvasDataPrepFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonSageMakerCanvasFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonSageMakerHyperPodServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonWorkSpacesThinClientFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonWorkSpacesThinClientReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedNotebookPolicy.json (3 hunks)
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedNotebookServiceRole.json (2 hunks)
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedPolicy.json (2 hunks)
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedServiceRole.json (2 hunks)
  • docs/source/_static/managed-policies/PowerUserAccess.json (1 hunks)
  • docs/source/_static/managed-policies/ReadOnlyAccess.json (18 hunks)
  • docs/source/_static/managed-policies/SSMQuickSetupRolePolicy.json (2 hunks)
  • docs/source/_static/managed-policies/index.json (1 hunks)
  • lib/generated/aws-managed-policies/cdk-iam-floyd.ts (4 hunks)
  • lib/generated/aws-managed-policies/iam-floyd.ts (4 hunks)
Files skipped from review due to trivial changes (2)
  • docs/source/_static/managed-policies/AmazonSageMakerCanvasFullAccess.json
  • docs/source/_static/managed-policies/index.json
Files skipped from review as they are similar to previous changes (35)
  • docs/source/_static/managed-policies/AWSCompromisedKeyQuarantineV3.json
  • docs/source/_static/managed-policies/AWSDataExchangeProviderFullAccess.json
  • docs/source/_static/managed-policies/AWSIAMIdentityCenterAllowListForIdentityContext.json
  • docs/source/_static/managed-policies/AWSPCSServiceRolePolicy.json
  • docs/source/_static/managed-policies/AWSReachabilityAnalyzerServiceRolePolicy.json
  • docs/source/_static/managed-policies/AWSResourceExplorerServiceRolePolicy.json
  • docs/source/_static/managed-policies/AWSSSMForSAPServiceLinkedRolePolicy.json
  • docs/source/_static/managed-policies/AWSServiceRoleForAmazonEKSNodegroup.json
  • docs/source/_static/managed-policies/AWSSupportPlansFullAccess.json
  • docs/source/_static/managed-policies/AWSSupportPlansReadOnlyAccess.json
  • docs/source/_static/managed-policies/AWSSupportServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonBedrockReadOnly.json
  • docs/source/_static/managed-policies/AmazonCognitoUnAuthedIdentitiesSessionPolicy.json
  • docs/source/_static/managed-policies/AmazonECS_FullAccess.json
  • docs/source/_static/managed-policies/AmazonElasticFileSystemReadOnlyAccess.json
  • docs/source/_static/managed-policies/AmazonGuardDutyServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonInspector2ServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonOpenSearchServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonRDSBetaServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonRDSPreviewServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonRoute53ProfilesFullAccess.json
  • docs/source/_static/managed-policies/AmazonRoute53ProfilesReadOnlyAccess.json
  • docs/source/_static/managed-policies/AmazonRoute53ResolverFullAccess.json
  • docs/source/_static/managed-policies/AmazonRoute53ResolverReadOnlyAccess.json
  • docs/source/_static/managed-policies/AmazonSageMakerCanvasDataPrepFullAccess.json
  • docs/source/_static/managed-policies/AmazonSageMakerHyperPodServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonWorkSpacesThinClientFullAccess.json
  • docs/source/_static/managed-policies/AmazonWorkSpacesThinClientReadOnlyAccess.json
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedNotebookPolicy.json
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedNotebookServiceRole.json
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedPolicy.json
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedServiceRole.json
  • docs/source/_static/managed-policies/PowerUserAccess.json
  • docs/source/_static/managed-policies/SSMQuickSetupRolePolicy.json
  • lib/generated/aws-managed-policies/cdk-iam-floyd.ts
Additional context used
Gitleaks
lib/generated/aws-managed-policies/iam-floyd.ts

1226-1226: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

Additional comments not posted (10)
docs/source/_static/managed-policies/AmazonConnectServiceLinkedRolePolicy.json (3)

80-87: LGTM!

The added permissions for customer profile operations look good. They expand the capabilities of the Amazon Connect service in a secure and scoped manner.


96-97: LGTM!

The added permission to list object type attributes aligns with the purpose of the statement and is scoped appropriately.


195-208: LGTM!

The new permission block for segment definition and snapshot management looks good. It grants necessary permissions scoped to the relevant service and resources to enable segmentation functionality within the Amazon Connect domain.

docs/source/_static/managed-policies/ReadOnlyAccess.json (5)

111-111: LGTM!

The addition of the application-signals:ListServices permission aligns with the purpose of the ReadOnlyAccess policy.


224-224: LGTM!

The addition of read-only permissions like bedrock:GetGuardrail and bedrock:ListGuardrails for the bedrock service aligns with the purpose of the ReadOnlyAccess policy.

Also applies to: 240-240


273-273: LGTM!

The addition of the budgets:ListTagsForResource permission to list tags for budget resources aligns with the purpose of the ReadOnlyAccess policy.


316-326: LGTM!

The addition of read-only permissions like cleanrooms-ml:GetAudienceGenerationJob, cleanrooms-ml:GetAudienceModel, etc. for the cleanrooms-ml service aligns with the purpose of the ReadOnlyAccess policy.


904-904: LGTM!

The addition of read-only permissions for various AWS services like glue, iotwireless, ivs, pca-connector-scep, resiliencehub, s3-outposts, ssm-sap, trustedadvisor, and user-subscriptions aligns with the purpose of the ReadOnlyAccess policy to provide read-only access to a wide range of AWS services.

Also applies to: 1094-1094, 1141-1142, 1148-1148, 1155-1155, 1693-1697, 1821-1821, 1836-1836, 1901-1917, 1952-1961, 2051-2061, 2144-2154

lib/generated/aws-managed-policies/iam-floyd.ts (2)

761-762: LGTM!

The code change looks good. It adds a new managed policy for Amazon SageMaker HyperPod with a clear description.


1225-1226: LGTM, but please disregard the static analysis finding.

The code change looks good. It adds the AWSCompromisedKeyQuarantineV3 managed policy which is applied by AWS to limit potential damage when IAM user credentials are compromised.

Regarding the Gitleaks finding, this appears to be a false positive. The policy name happens to contain the word "Key" but it is not an actual API key. This is an AWS managed policy name that follows their naming conventions. No sensitive information is being exposed.

So this finding can be safely disregarded. The code change itself is approved.

Tools
Gitleaks

1226-1226: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

Outside diff range and nitpick comments (1)
docs/source/_static/managed-policies/AmazonECS_FullAccess.json (1)

Line range hint 156-168: Consider restricting the resource to specific IAM roles.

The TasksPassRolePolicy statement allows passing IAM roles to ECS tasks, which is a common requirement for ECS. However, the resource is set to *, which is too permissive and does not follow the least privilege principle.

Consider restricting the resource to specific IAM roles that are required for ECS tasks. For example:

"Resource": [
  "arn:aws:iam::*:role/ecsTaskExecutionRole",
  "arn:aws:iam::*:role/ecsTaskRole"
]
Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between d8eb12f and 3670c89.

Files selected for processing (42)
  • docs/source/_static/managed-policies/AWSCompromisedKeyQuarantineV3.json (1 hunks)
  • docs/source/_static/managed-policies/AWSConfigServiceRolePolicy.json (13 hunks)
  • docs/source/_static/managed-policies/AWSDataExchangeProviderFullAccess.json (11 hunks)
  • docs/source/_static/managed-policies/AWSIAMIdentityCenterAllowListForIdentityContext.json (1 hunks)
  • docs/source/_static/managed-policies/AWSPCSServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AWSReachabilityAnalyzerServiceRolePolicy.json (0 hunks)
  • docs/source/_static/managed-policies/AWSResourceExplorerServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AWSSSMForSAPServiceLinkedRolePolicy.json (2 hunks)
  • docs/source/_static/managed-policies/AWSServiceRoleForAmazonEKSNodegroup.json (1 hunks)
  • docs/source/_static/managed-policies/AWSSupportPlansFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AWSSupportPlansReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AWSSupportServiceRolePolicy.json (14 hunks)
  • docs/source/_static/managed-policies/AWS_ConfigRole.json (14 hunks)
  • docs/source/_static/managed-policies/AmazonBedrockReadOnly.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonCognitoUnAuthedIdentitiesSessionPolicy.json (2 hunks)
  • docs/source/_static/managed-policies/AmazonConnectServiceLinkedRolePolicy.json (4 hunks)
  • docs/source/_static/managed-policies/AmazonECS_FullAccess.json (8 hunks)
  • docs/source/_static/managed-policies/AmazonElasticFileSystemReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonGuardDutyServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonInspector2ServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonOpenSearchServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonRDSBetaServiceRolePolicy.json (0 hunks)
  • docs/source/_static/managed-policies/AmazonRDSPreviewServiceRolePolicy.json (0 hunks)
  • docs/source/_static/managed-policies/AmazonRoute53ProfilesFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonRoute53ProfilesReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonRoute53ResolverFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonRoute53ResolverReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonSageMakerCanvasDataPrepFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonSageMakerCanvasFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonSageMakerHyperPodServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonWorkSpacesThinClientFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonWorkSpacesThinClientReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedNotebookPolicy.json (2 hunks)
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedNotebookServiceRole.json (1 hunks)
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedPolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedServiceRole.json (1 hunks)
  • docs/source/_static/managed-policies/PowerUserAccess.json (1 hunks)
  • docs/source/_static/managed-policies/ReadOnlyAccess.json (17 hunks)
  • docs/source/_static/managed-policies/SSMQuickSetupRolePolicy.json (2 hunks)
  • docs/source/_static/managed-policies/index.json (1 hunks)
  • lib/generated/aws-managed-policies/cdk-iam-floyd.ts (4 hunks)
  • lib/generated/aws-managed-policies/iam-floyd.ts (4 hunks)
Files not reviewed due to no reviewable changes (3)
  • docs/source/_static/managed-policies/AWSReachabilityAnalyzerServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonRDSBetaServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonRDSPreviewServiceRolePolicy.json
Files skipped from review due to trivial changes (1)
  • docs/source/_static/managed-policies/AmazonRoute53ResolverReadOnlyAccess.json
Files skipped from review as they are similar to previous changes (33)
  • docs/source/_static/managed-policies/AWSCompromisedKeyQuarantineV3.json
  • docs/source/_static/managed-policies/AWSDataExchangeProviderFullAccess.json
  • docs/source/_static/managed-policies/AWSIAMIdentityCenterAllowListForIdentityContext.json
  • docs/source/_static/managed-policies/AWSPCSServiceRolePolicy.json
  • docs/source/_static/managed-policies/AWSResourceExplorerServiceRolePolicy.json
  • docs/source/_static/managed-policies/AWSSSMForSAPServiceLinkedRolePolicy.json
  • docs/source/_static/managed-policies/AWSServiceRoleForAmazonEKSNodegroup.json
  • docs/source/_static/managed-policies/AWSSupportPlansFullAccess.json
  • docs/source/_static/managed-policies/AWSSupportPlansReadOnlyAccess.json
  • docs/source/_static/managed-policies/AWSSupportServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonBedrockReadOnly.json
  • docs/source/_static/managed-policies/AmazonCognitoUnAuthedIdentitiesSessionPolicy.json
  • docs/source/_static/managed-policies/AmazonConnectServiceLinkedRolePolicy.json
  • docs/source/_static/managed-policies/AmazonElasticFileSystemReadOnlyAccess.json
  • docs/source/_static/managed-policies/AmazonGuardDutyServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonInspector2ServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonOpenSearchServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonRoute53ProfilesFullAccess.json
  • docs/source/_static/managed-policies/AmazonRoute53ProfilesReadOnlyAccess.json
  • docs/source/_static/managed-policies/AmazonRoute53ResolverFullAccess.json
  • docs/source/_static/managed-policies/AmazonSageMakerCanvasDataPrepFullAccess.json
  • docs/source/_static/managed-policies/AmazonSageMakerCanvasFullAccess.json
  • docs/source/_static/managed-policies/AmazonSageMakerHyperPodServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonWorkSpacesThinClientFullAccess.json
  • docs/source/_static/managed-policies/AmazonWorkSpacesThinClientReadOnlyAccess.json
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedNotebookServiceRole.json
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedPolicy.json
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedServiceRole.json
  • docs/source/_static/managed-policies/PowerUserAccess.json
  • docs/source/_static/managed-policies/ReadOnlyAccess.json
  • docs/source/_static/managed-policies/SSMQuickSetupRolePolicy.json
  • docs/source/_static/managed-policies/index.json
  • lib/generated/aws-managed-policies/cdk-iam-floyd.ts
Additional context used
Gitleaks
lib/generated/aws-managed-policies/iam-floyd.ts

1226-1226: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

Additional comments not posted (32)
docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedNotebookPolicy.json (3)

24-37: LGTM!

The new statement AllowGlueTaggingAction follows the principle of least privilege by allowing users to tag resources while still restricting other tagging actions. The conditions ensure that users can only tag resources that they own, which is a good security practice.


106-107: LGTM!

The removal of the glue:TagResource action is consistent with the addition of the new statement AllowGlueTaggingAction. The statement still denies other tagging actions such as glue:UntagResource, which is a good security practice.


106-107: Verify the role usage in the codebase.

The expanded resource ARN enhances the policy's applicability by including a new role pattern. The condition iam:PassedToService ensures that the role can only be passed to the Glue service, which is a good security practice.

Run the following script to verify the role usage:

Verification successful

Role usage verified successfully.

The role pattern AwsGlueSessionUserRestrictedNotebookServiceRole is correctly defined and used in the codebase, specifically in the files lib/generated/aws-managed-policies/iam-floyd.ts and lib/generated/aws-managed-policies/cdk-iam-floyd.ts. The usage aligns with the expected implementation for AWS managed policies. No issues were found.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the usage of the new role pattern in the codebase.

# Test: Search for the role usage. Expect: Only occurrences of the new role pattern.
rg --type-not json $'AwsGlueSessionUserRestrictedNotebookServiceRole'

Length of output: 574

docs/source/_static/managed-policies/AmazonECS_FullAccess.json (8)

Line range hint 5-127: LGTM!

The ECSIntegrationsManagementPolicy statement allows the necessary actions across multiple AWS services that are commonly used with ECS. The resource is set to *, which is appropriate for this policy.


Line range hint 128-137: LGTM!

The SSMPolicy statement allows retrieving SSM parameters that are specific to ECS. The resource restriction follows the least privilege principle by allowing access to only the necessary SSM parameters.


Line range hint 138-155: LGTM!

The ManagedCloudformationResourcesCleanupPolicy statement allows deleting specific EC2 resources that are created by ECS using CloudFormation. The condition ensures that only the resources created by ECS can be deleted, preventing accidental deletion of other resources.


169-180: LGTM!

The InfrastructurePassRolePolicy statement allows passing the ecsInfrastructureRole IAM role to the ECS service, which is a common requirement for ECS. The resource is restricted to a specific IAM role, which follows the least privilege principle. The condition ensures that the IAM role can be passed only to the ECS service, which is a good security practice.


Line range hint 182-197: LGTM!

The InstancePassRolePolicy statement allows passing specific IAM roles to the EC2 service, which is a common requirement for ECS. The resource is restricted to IAM roles that start with ecsInstanceRole, which follows the least privilege principle. The condition ensures that the IAM roles can be passed only to the EC2 service, which is a good security practice.


Line range hint 198-213: LGTM!

The AutoScalingPassRolePolicy statement allows passing specific IAM roles to the Application Auto Scaling service, which is a common requirement for ECS. The resource is restricted to IAM roles that start with ecsAutoscaleRole, which follows the least privilege principle. The condition ensures that the IAM roles can be passed only to the Application Auto Scaling service, which is a good security practice.


Line range hint 214-230: LGTM!

The ServiceLinkedRoleCreationPolicy statement allows creating service-linked roles for specific AWS services, which is a common requirement for ECS. The condition ensures that the service-linked roles can be created only for the specified AWS services, which is a good security practice. The addition of new AWS services is necessary to support the latest features of ECS.


Line range hint 231-246: LGTM!

The ELBTaggingPolicy statement allows adding tags to ELB resources, which is a common requirement for ECS. The condition ensures that the tags can be added only when creating specific ELB resources, which is a good security practice. The resource is set to *, which is appropriate for this policy.

docs/source/_static/managed-policies/AWS_ConfigRole.json (14)

32-43: LGTM!

The added permissions for Amazon OpenSearch Service (AOSS) look good. They are necessary for AWS Config to discover and manage AOSS resources.


89-89: LGTM!

The added permission DescribeAppBlockBuilders for AWS AppStream looks good. It is necessary for AWS Config to discover and manage AppStream resources.


136-145: LGTM!

The added permissions for AWS Backup look good. They are necessary for AWS Config to discover and manage Backup resources.


185-189: LGTM!

The added permissions for AWS CloudTrail look good. They are necessary for AWS Config to discover and manage CloudTrail resources.


354-354: LGTM!

The added permission DescribeVpcEndpoints for Amazon EC2 looks good. It is necessary for AWS Config to discover and manage VPC endpoint resources.


568-574: LGTM!

The added permissions for AWS Glue look good. They are necessary for AWS Config to discover and manage Glue resources.


Line range hint 676-693: LGTM!

The added permissions for AWS IoT look good. They are necessary for AWS Config to discover and manage IoT resources.


769-782: LGTM!

The added permissions for Amazon IVS look good. They are necessary for AWS Config to discover and manage IVS resources.


905-910: LGTM!

The added permissions for AWS Elemental MediaConnect look good. They are necessary for AWS Config to discover and manage MediaConnect resources.


917-926: LGTM!

The added permissions for AWS Elemental MediaTailor look good. They are necessary for AWS Config to discover and manage MediaTailor resources.


970-971: LGTM!

The added permissions for Amazon Omics look good. They are necessary for AWS Config to discover and manage Omics resources.


1256-1257: LGTM!

The added permissions for AWS Scheduler look good. They are necessary for AWS Config to discover and manage Scheduler resources.


1308-1308: LGTM!

The added permission ListTagsForResource for AWS Systems Manager for SAP looks good. It is necessary for AWS Config to discover and manage tags for SAP resources.


Line range hint 1-1390: Overall permission additions look good!

The permission additions for various AWS services are reasonable and align with the principle of least privilege. They grant the necessary read-only permissions for AWS Config to discover and manage resources across these services. The additions enhance the coverage and functionality of AWS Config without introducing any concerning security risks.

docs/source/_static/managed-policies/AWSConfigServiceRolePolicy.json (5)

32-43: LGTM!

The additions look good. The new permissions expand the policy to allow AWS Config to access and retrieve metadata about various Amazon OpenSearch Service resources, which is reasonable and consistent.


88-88: Looks good!

Adding the permission to describe AppStream app block builders is a reasonable addition to expand AWS Config's visibility into AppStream resources.


135-136: Changes look good!

The new permissions related to getting and listing AWS Backup restore testing plans and selections are reasonable additions. They expand the policy to allow AWS Config visibility into restore testing configuration, which is consistent with the policy's purpose.

Also applies to: 143-144


566-566: Additions look reasonable!

Adding permissions to get and list Glue triggers is a logical expansion of the policy. It allows AWS Config to discover and describe Glue trigger resources, which aligns with the overall purpose of the policy. The changes look good.

Also applies to: 572-572


657-657: LGTM!

The additions expand the AWS Config service role policy to allow read and list permissions for various resources across multiple AWS services, including imagebuilder, IoT, IVS, MediaConnect, MediaTailor, Omics, Scheduler, and SSM-SAP.

The new permissions are consistent with the policy's purpose of enabling AWS Config to discover and describe AWS resources. They are appropriately scoped to read and list actions. The changes look good overall.

Also applies to: 667-667, 674-674, 691-691, 767-783, 903-908, 915-924, 968-969, 1254-1255, 1306-1306

lib/generated/aws-managed-policies/iam-floyd.ts (2)

761-762: LGTM!

The new AmazonSageMakerHyperPodServiceRolePolicy property is added correctly with an appropriate comment explaining its purpose.


1225-1226: Code looks good, static analysis finding is a false positive

The new AWSCompromisedKeyQuarantineV3 property is added correctly with a clear comment explaining the purpose of this AWS managed policy.

Regarding the Gitleaks finding:
This is a false positive. The flagged string is the name of an AWS managed IAM policy, not an API key. IAM policy names are not sensitive and do not pose a security risk by being included in the code.

Tools
Gitleaks

1226-1226: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)
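The TasksPassRolePolicy nitpick in the review above is easy to turn into a repeatable check. The following script is an added example, not code from the iam-floyd project: it scans a policy document for Allow statements granting iam:PassRole on a wildcard role resource and reports whether an iam:PassedToService condition bounds them. The three sample statements are constructed for the demo (they are not the real AmazonECS_FullAccess text); the scoped one uses the role ARNs suggested in the review.

```python
"""Flag over-broad iam:PassRole statements in an IAM policy document.

Added example, not part of the iam-floyd project. NotAction/NotResource
statements are not modelled; only plain Allow statements are inspected.
"""
import fnmatch

# Constructed sample statements (not the real AmazonECS_FullAccess policy).
UNSCOPED_NO_CONDITION = {
    "Sid": "TasksPassRolePolicy",
    "Effect": "Allow",
    "Action": ["iam:PassRole"],
    "Resource": "*",
}
UNSCOPED_WITH_SERVICE = {
    "Sid": "TasksPassRolePolicy",
    "Effect": "Allow",
    "Action": ["iam:PassRole"],
    "Resource": "*",
    "Condition": {"StringLike": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}},
}
SCOPED = {  # the shape the review suggests: named role ARNs plus the service bound
    "Sid": "TasksPassRolePolicy",
    "Effect": "Allow",
    "Action": ["iam:PassRole"],
    "Resource": [
        "arn:aws:iam::*:role/ecsTaskExecutionRole",
        "arn:aws:iam::*:role/ecsTaskRole",
    ],
    "Condition": {"StringLike": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}},
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource fields."""
    return value if isinstance(value, list) else [value]


def _grants_passrole(stmt):
    """True for an Allow statement whose Action patterns cover iam:PassRole."""
    if stmt.get("Effect") != "Allow":
        return False
    return any(fnmatch.fnmatchcase("iam:passrole", pat.lower())
               for pat in _as_list(stmt.get("Action", [])))


def _wildcard_role(resources):
    """True when any resource entry lets every role in scope be passed."""
    return any(r == "*" or r.endswith(":role/*") or r.endswith(":*") for r in resources)


def _has_passed_to_service(condition):
    return any(key.lower() == "iam:passedtoservice"
               for keys in condition.values() for key in keys)


def check_passrole(policy):
    """Return a list of (Sid, severity, message) findings for a policy document."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if not _grants_passrole(stmt):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        resources = _as_list(stmt.get("Resource", []))
        if not _wildcard_role(resources):
            continue  # role ARNs are named; nothing to report
        if _has_passed_to_service(stmt.get("Condition", {})):
            findings.append((sid, "medium",
                             "iam:PassRole on any role; name the role ARNs instead of a wildcard"))
        else:
            findings.append((sid, "high",
                             "iam:PassRole on any role to any service; add iam:PassedToService and name the roles"))
    return findings


def policy_from(*statements):
    """Wrap statements in a policy document for the checker."""
    return {"Version": "2012-10-17", "Statement": list(statements)}


if __name__ == "__main__":
    for name, stmt in (("no condition", UNSCOPED_NO_CONDITION),
                       ("service bound", UNSCOPED_WITH_SERVICE),
                       ("scoped", SCOPED)):
        print(name, check_passrole(policy_from(stmt)) or "no findings")
```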

@udondan udondan force-pushed the update-aws-managed-policies branch 2 times, most recently from efc215d to 0f3344d on September 17, 2024 01:31
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

Outside diff range and nitpick comments (1)
docs/source/_static/managed-policies/AWS_ConfigRole.json (1)

32-43: Review and limit the added permissions to the minimum required subset.

The expanded permissions for various AWS services enable AWS Config to audit additional resources, which aligns with its purpose. However, to adhere to the principle of least privilege:

  • Review each of the added permissions to ensure they are necessary for the intended use cases.
  • Restrict the permissions to the minimum required subset to limit the blast radius in case of misuse or compromise.

Also applies to: 89-89, 136-137, 144-145, 185-185, 189-189, 354-354, 568-568, 574-574, 659-659, 669-669, 676-676, 693-693, 769-782, 905-910, 917-926, 970-971, 1256-1257, 1308-1308

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between efc215d and 0f3344d.

Files selected for processing (42)
  • docs/source/_static/managed-policies/AWSCompromisedKeyQuarantineV3.json (1 hunks)
  • docs/source/_static/managed-policies/AWSConfigServiceRolePolicy.json (13 hunks)
  • docs/source/_static/managed-policies/AWSDataExchangeProviderFullAccess.json (11 hunks)
  • docs/source/_static/managed-policies/AWSIAMIdentityCenterAllowListForIdentityContext.json (1 hunks)
  • docs/source/_static/managed-policies/AWSPCSServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AWSReachabilityAnalyzerServiceRolePolicy.json (0 hunks)
  • docs/source/_static/managed-policies/AWSResourceExplorerServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AWSSSMForSAPServiceLinkedRolePolicy.json (2 hunks)
  • docs/source/_static/managed-policies/AWSServiceRoleForAmazonEKSNodegroup.json (1 hunks)
  • docs/source/_static/managed-policies/AWSSupportPlansFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AWSSupportPlansReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AWSSupportServiceRolePolicy.json (14 hunks)
  • docs/source/_static/managed-policies/AWS_ConfigRole.json (14 hunks)
  • docs/source/_static/managed-policies/AmazonBedrockReadOnly.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonCognitoUnAuthedIdentitiesSessionPolicy.json (2 hunks)
  • docs/source/_static/managed-policies/AmazonConnectServiceLinkedRolePolicy.json (4 hunks)
  • docs/source/_static/managed-policies/AmazonECS_FullAccess.json (8 hunks)
  • docs/source/_static/managed-policies/AmazonElasticFileSystemReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonGuardDutyServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonInspector2ServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonOpenSearchServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonRDSBetaServiceRolePolicy.json (0 hunks)
  • docs/source/_static/managed-policies/AmazonRDSPreviewServiceRolePolicy.json (0 hunks)
  • docs/source/_static/managed-policies/AmazonRoute53ProfilesFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonRoute53ProfilesReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonRoute53ResolverFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonRoute53ResolverReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonSageMakerCanvasDataPrepFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonSageMakerCanvasFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonSageMakerHyperPodServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonWorkSpacesThinClientFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonWorkSpacesThinClientReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedNotebookPolicy.json (2 hunks)
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedNotebookServiceRole.json (1 hunks)
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedPolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedServiceRole.json (1 hunks)
  • docs/source/_static/managed-policies/PowerUserAccess.json (1 hunks)
  • docs/source/_static/managed-policies/ReadOnlyAccess.json (18 hunks)
  • docs/source/_static/managed-policies/SSMQuickSetupRolePolicy.json (2 hunks)
  • docs/source/_static/managed-policies/index.json (1 hunks)
  • lib/generated/aws-managed-policies/cdk-iam-floyd.ts (4 hunks)
  • lib/generated/aws-managed-policies/iam-floyd.ts (4 hunks)
Files not reviewed due to no reviewable changes (3)
  • docs/source/_static/managed-policies/AWSReachabilityAnalyzerServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonRDSBetaServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonRDSPreviewServiceRolePolicy.json
Files skipped from review as they are similar to previous changes (33)
  • docs/source/_static/managed-policies/AWSCompromisedKeyQuarantineV3.json
  • docs/source/_static/managed-policies/AWSConfigServiceRolePolicy.json
  • docs/source/_static/managed-policies/AWSIAMIdentityCenterAllowListForIdentityContext.json
  • docs/source/_static/managed-policies/AWSPCSServiceRolePolicy.json
  • docs/source/_static/managed-policies/AWSResourceExplorerServiceRolePolicy.json
  • docs/source/_static/managed-policies/AWSSSMForSAPServiceLinkedRolePolicy.json
  • docs/source/_static/managed-policies/AWSServiceRoleForAmazonEKSNodegroup.json
  • docs/source/_static/managed-policies/AWSSupportPlansFullAccess.json
  • docs/source/_static/managed-policies/AWSSupportPlansReadOnlyAccess.json
  • docs/source/_static/managed-policies/AWSSupportServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonBedrockReadOnly.json
  • docs/source/_static/managed-policies/AmazonCognitoUnAuthedIdentitiesSessionPolicy.json
  • docs/source/_static/managed-policies/AmazonElasticFileSystemReadOnlyAccess.json
  • docs/source/_static/managed-policies/AmazonGuardDutyServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonInspector2ServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonOpenSearchServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonRoute53ProfilesFullAccess.json
  • docs/source/_static/managed-policies/AmazonRoute53ProfilesReadOnlyAccess.json
  • docs/source/_static/managed-policies/AmazonRoute53ResolverFullAccess.json
  • docs/source/_static/managed-policies/AmazonRoute53ResolverReadOnlyAccess.json
  • docs/source/_static/managed-policies/AmazonSageMakerCanvasDataPrepFullAccess.json
  • docs/source/_static/managed-policies/AmazonSageMakerCanvasFullAccess.json
  • docs/source/_static/managed-policies/AmazonSageMakerHyperPodServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonWorkSpacesThinClientFullAccess.json
  • docs/source/_static/managed-policies/AmazonWorkSpacesThinClientReadOnlyAccess.json
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedNotebookServiceRole.json
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedPolicy.json
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedServiceRole.json
  • docs/source/_static/managed-policies/PowerUserAccess.json
  • docs/source/_static/managed-policies/ReadOnlyAccess.json
  • docs/source/_static/managed-policies/SSMQuickSetupRolePolicy.json
  • docs/source/_static/managed-policies/index.json
  • lib/generated/aws-managed-policies/cdk-iam-floyd.ts
Additional context used
Gitleaks
lib/generated/aws-managed-policies/iam-floyd.ts

1226-1226: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

Additional comments not posted (25)
docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedNotebookPolicy.json (3)

24-37: LGTM!

The new statement allows users to tag Glue session resources while ensuring that tagging is only allowed if the owner tag matches the user's owner tag. This aligns with the best practice of enforcing security and accountability in resource management.


106-107: LGTM!

The change expands the applicability of the iam:PassRole action to include a new role pattern. This enhances the policy's flexibility and allows it to be used with a wider range of roles.


Line range hint 1-120: LGTM!

The removal of "glue:TagResource" from the deny statement aligns with the addition of the new statement that allows tagging with specific conditions. It reflects a more permissive approach to resource tagging within the Glue service while still restricting other tagging actions.

docs/source/_static/managed-policies/AWSDataExchangeProviderFullAccess.json (8)

Line range hint 27-48: LGTM!

The statement allows creating, starting, and canceling AWS Data Exchange jobs with specific job types, which is appropriate for the AWSDataExchangeProviderFullAccess policy.

The use of the Condition element to restrict the allowed job types adds an extra layer of security and ensures that only intended job types can be managed.


Line range hint 49-61: LGTM!

The statement allows the s3:GetObject action on specific S3 resources related to AWS Data Exchange, which is appropriate for the AWSDataExchangeProviderFullAccess policy.

The use of the Condition element to restrict the access to requests originating from AWS Data Exchange adds an extra layer of security and ensures that only AWS Data Exchange can retrieve these objects.


Line range hint 62-77: LGTM!

The statement allows the s3:GetObject action on S3 resources tagged with AWSDataExchange=true, which is appropriate for the AWSDataExchangeProviderFullAccess policy.

The use of the Condition element to restrict the access to specifically tagged objects and requests originating from AWS Data Exchange adds an extra layer of security and ensures that only AWS Data Exchange can retrieve these tagged objects.


Line range hint 78-93: LGTM!

The statement allows the s3:PutObject and s3:PutObjectAcl actions on specific S3 resources related to AWS Data Exchange, which is appropriate for the AWSDataExchangeProviderFullAccess policy.

The use of the Condition element to restrict the access to requests originating from AWS Data Exchange adds an extra layer of security and ensures that only AWS Data Exchange can write to these buckets.


Line range hint 104-123: Verify the broad permissions for AWS Marketplace actions.

The statement allows managing AWS Marketplace entities and agreements, which is appropriate for the AWSDataExchangeProviderFullAccess policy.

However, the use of the wildcard * for the Resource element indicates that these permissions apply to all AWS Marketplace resources. Ensure that this broad scope is intended and aligns with the principle of least privilege.

Run the following script to verify the resource scope:

Verification successful

Broad permissions for AWS Marketplace actions confirmed

The verification process has confirmed that the AWSMarketplaceActions statement in the AWSDataExchangeProviderFullAccess policy grants permissions on all AWS Marketplace resources using the wildcard "*" for the Resource element. This aligns with the policy's intended purpose of providing full access.

However, it's important to note:

  • The broad scope of these permissions could potentially pose security risks if not carefully managed.
  • Consider reviewing whether all these permissions are necessary for the intended use case.
  • If possible, evaluate if a more granular resource scope can be applied without impacting functionality.
Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the resource scope for the `AWSMarketplaceActions` statement.

# Test: Search for the statement and print the `Resource` element. Expect: Wildcard `*`.
rg --type json --json $'"Sid": "AWSMarketplaceActions"' -A 20 | rg --type json $'"Resource":'

Length of output: 93


Script:

#!/bin/bash
# Description: Locate and verify the content of the AWSDataExchangeProviderFullAccess policy file

# Step 1: Find the policy file
echo "Step 1: Locating the policy file"
fd -t f AWSDataExchangeProviderFullAccess.json

# Step 2: View the content of the file
echo "Step 2: Viewing the content of the file"
fd -t f AWSDataExchangeProviderFullAccess.json -x cat {}

# Step 3: Search for the AWSMarketplaceActions statement with a more flexible query
echo "Step 3: Searching for the AWSMarketplaceActions statement"
fd -t f AWSDataExchangeProviderFullAccess.json -x rg -i 'AWSMarketplaceActions' -C 20 {}

Length of output: 5967


Line range hint 124-133: Verify the broad permissions for KMS actions.

The statement allows retrieving information about KMS keys and their aliases, which is appropriate for the AWSDataExchangeProviderFullAccess policy.

However, the use of the wildcard * for the Resource element indicates that these permissions apply to all KMS resources. Ensure that this broad scope is intended and aligns with the principle of least privilege.

Run the following script to verify the resource scope:

Verification successful

Broad KMS permissions confirmed, consider security implications

The verification process confirms that the KMSActions statement in the AWSDataExchangeProviderFullAccess policy allows the following KMS actions on all resources:

  • kms:DescribeKey
  • kms:ListAliases
  • kms:ListKeys

The use of the wildcard "*" for the Resource element grants these permissions across all KMS resources. While this aligns with the "FullAccess" nature of the policy, it's important to consider whether such broad access is necessary and aligns with the principle of least privilege.

Security consideration:

  • Evaluate if the policy can be scoped to specific KMS resources required for AWS Data Exchange operations, rather than allowing access to all KMS resources.
Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the resource scope for the `KMSActions` statement.

# Test: Search for the statement and print the `Resource` element. Expect: Wildcard `*`.
rg --type json --json $'"Sid": "KMSActions"' -A 10 | rg --type json $'"Resource":'

Length of output: 82


Script:

#!/bin/bash
# Description: Locate and verify the content of the AWSDataExchangeProviderFullAccess policy file

# Step 1: Find the file
echo "Step 1: Locating the file"
fd -t f AWSDataExchangeProviderFullAccess.json

# Step 2: View the content of the file
echo "Step 2: Viewing file content"
fd -t f AWSDataExchangeProviderFullAccess.json -x cat {}

# Step 3: Search for the KMSActions statement
echo "Step 3: Searching for KMSActions statement"
fd -t f AWSDataExchangeProviderFullAccess.json -x rg -i 'KMSActions' -C 10 {}

Length of output: 5277


Line range hint 94-103: Verify the broad permissions for S3 read actions.

The statement allows retrieving information about S3 buckets and listing their contents, which is appropriate for the AWSDataExchangeProviderFullAccess policy.

However, the use of the wildcard * for the Resource element indicates that these permissions apply to all S3 resources. Ensure that this broad scope is intended and aligns with the principle of least privilege.

Run the following script to verify the resource scope:

Verification successful

Broad S3 read permissions verified and deemed appropriate

The "S3ReadActions" statement in the AWSDataExchangeProviderFullAccess policy has been verified to allow the following actions on all S3 resources:

  • s3:GetBucketLocation
  • s3:ListBucket
  • s3:ListAllMyBuckets

While these permissions are indeed broad, they are appropriate for this policy because:

  1. These actions are typically applied at the account level rather than to specific buckets.
  2. They only provide read access to bucket metadata, not the actual contents of the buckets.
  3. Other S3-related statements in the policy have more specific resource constraints, indicating a deliberate choice to keep these particular actions broad.

Given the nature of the AWSDataExchangeProviderFullAccess policy, these permissions are necessary to allow data providers to manage their datasets effectively across all buckets in their account.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the resource scope for the `S3ReadActions` statement.

# Test: Search for the statement and print the `Resource` element. Expect: Wildcard `*`.
rg --type json --json $'"Sid": "S3ReadActions"' -A 10 | rg --type json $'"Resource":'

Length of output: 85


Script:

#!/bin/bash
# Description: Locate and verify the content of the AWSDataExchangeProviderFullAccess policy file

# Step 1: Find the policy file
echo "Searching for the policy file:"
fd AWSDataExchangeProviderFullAccess.json

# Step 2: If found, display its content
echo -e "\nFile content (if found):"
fd AWSDataExchangeProviderFullAccess.json -x cat {}

# Step 3: Search for the S3ReadActions statement
echo -e "\nSearching for S3ReadActions statement:"
fd AWSDataExchangeProviderFullAccess.json -x grep -A 10 '"Sid": "S3ReadActions"' {}

Length of output: 4926


Line range hint 5-25: Verify the broad permissions for AWS Data Exchange actions.

The statement allows comprehensive permissions for managing AWS Data Exchange resources, which is appropriate for the AWSDataExchangeProviderFullAccess policy.

However, the use of the wildcard * for the Resource element indicates that these permissions apply to all resources. Ensure that this broad scope is intended and aligns with the principle of least privilege.

Run the following script to verify the resource scope:

Verification successful

Broad permissions for AWS Data Exchange actions confirmed

The verification process confirms that the DataExchangeActions statement in the AWSDataExchangeProviderFullAccess policy uses a wildcard "*" for the Resource field, granting permissions across all resources. This broad scope is consistent with other statements in the policy and aligns with its "FullAccess" designation.

While this level of access is likely intentional for a comprehensive provider policy, it's worth noting from a security perspective:

  • The policy grants extensive permissions across multiple AWS services.
  • Most statements use the "*" wildcard for the Resource field.

Consider documenting the broad nature of this policy and ensuring it's only assigned to trusted entities that require full AWS Data Exchange provider access.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the resource scope for the `DataExchangeActions` statement.

# Test: Search for the statement and print the `Resource` element. Expect: Wildcard `*`.
rg --type json --json $'"Sid": "DataExchangeActions"' -A 20 | rg --type json $'"Resource":'

Length of output: 91


Script:

#!/bin/bash
# Description: Locate and verify the content of the AWSDataExchangeProviderFullAccess policy file

# Step 1: Find the file
echo "Step 1: Locating the file"
fd -t f AWSDataExchangeProviderFullAccess.json

# Step 2: Display file content
echo "Step 2: Displaying file content"
fd -t f AWSDataExchangeProviderFullAccess.json -x cat {}

# Step 3: Search for the "DataExchangeActions" statement
echo "Step 3: Searching for DataExchangeActions statement"
fd -t f AWSDataExchangeProviderFullAccess.json -x rg --json -i 'dataexchangeactions' -C 20 {}

# Step 4: Flexible search for Resource field
echo "Step 4: Searching for Resource field"
fd -t f AWSDataExchangeProviderFullAccess.json -x rg --json -i '"resource"' -C 5 {}

Length of output: 37958

docs/source/_static/managed-policies/AmazonConnectServiceLinkedRolePolicy.json (4)

80-87: LGTM!

The added permissions expand the capabilities of the Amazon Connect service to interact with customer profiles, enabling more granular control over profile management. This aligns with the overall theme of enhancing the functionality related to customer profiles.


96-97: LGTM!

The added permissions expand the read access to customer profile object types and their attributes, complementing the existing permission to list profile objects. This aligns with the overall theme of enhancing the functionality related to customer profiles.


149-163: LGTM!

The added permissions significantly expand the capabilities of the Amazon Connect service to interact with message templates in the Wisdom service, covering a wide range of actions such as creating, updating, deleting, activating, deactivating message templates, and more. This indicates a focus on improving user engagement and content management through the integration of the Wisdom service.


195-208: LGTM!

The new statement "AllowCustomerProfilesSegmentationForConnectDomain" introduces permissions for managing segment definitions within the customer profiles domain. These changes suggest an enhancement in the segmentation capabilities for customer profiles, allowing for more tailored and effective customer interactions. This could potentially lead to improved customer experiences by delivering personalized interactions based on segment definitions.

docs/source/_static/managed-policies/AmazonECS_FullAccess.json (9)

Line range hint 5-126: LGTM!

The new statement grants a wide range of permissions necessary for managing ECS and its integrations effectively. The use of "*" resource is acceptable considering this is a "FullAccess" policy.


Line range hint 128-136: LGTM!

The new statement appropriately allows access to retrieve ECS-related SSM parameters, which is necessary for ECS to function properly. The resource restriction ensures that only relevant SSM parameters can be accessed.


Line range hint 138-154: LGTM!

The new statement allows deleting specific EC2 resources, which is necessary for cleaning up resources created by ECS. The condition appropriately restricts the deletion to only resources tagged with an ECS-related CloudFormation stack name, preventing accidental deletion of non-ECS resources.


Line range hint 156-167: LGTM!

The new statement allows passing roles to ECS tasks, which is necessary for the tasks to assume the required permissions. The condition appropriately restricts the permission to only ECS tasks, preventing roles from being passed to other services.


169-180: LGTM!

The new statement allows passing the ecsInfrastructureRole to ECS, which is necessary for ECS to manage the required infrastructure resources. The resource restriction and condition appropriately limit the permission to only the ecsInfrastructureRole and ECS service, preventing the role from being passed to other roles or services.


Line range hint 182-196: LGTM!

The new statement allows passing roles starting with ecsInstanceRole to EC2, which is necessary for EC2 instances to assume the required permissions to function as ECS container instances. The resource restriction and condition appropriately limit the permission to only ecsInstanceRole and EC2 service, preventing the role from being passed to other roles or services.


Line range hint 198-212: LGTM!

The new statement allows passing roles starting with ecsAutoscaleRole to Application Auto Scaling, which is necessary for ECS to manage auto scaling of services. The resource restriction and condition appropriately limit the permission to only ecsAutoscaleRole and Application Auto Scaling service, preventing the role from being passed to other roles or services.


Line range hint 214-229: LGTM!

The new statement allows creating service-linked roles for ECS and its related services, which is necessary for these services to function properly. The condition appropriately restricts the permission to only the specified services, preventing service-linked roles from being created for other services.


Line range hint 231-246: LGTM!

The new statement allows adding tags to ELB resources during creation, which is a common practice for resource management and cost allocation. The condition appropriately restricts the permission to only be used during the creation of ELB resources, preventing tags from being added during other operations.

lib/generated/aws-managed-policies/iam-floyd.ts (1)

761-762: LGTM!

The addition of the AmazonSageMakerHyperPodServiceRolePolicy property looks good. The comment clearly describes the purpose of this policy.

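The review above repeatedly asks for the same two things to be verified by hand: whether an Allow statement with a wildcard Resource is at least narrowed by a Condition, and whether an iam:PassRole grant is pinned to a service with iam:PassedToService. The following Python is an added example, not code from this PR or from the iam-floyd project, that encodes those checks as a small linter over managed-policy JSON. SAMPLE_POLICY is constructed for illustration from the statement names and actions quoted in the review; it is not the contents of AWSDataExchangeProviderFullAccess.json or AmazonECS_FullAccess.json, and the Sids ScopedGetObject, PassRoleToEcsTasks and UnscopedPassRole are assumed.

```python
"""Added example: static checks for IAM managed-policy documents.

Encodes the review points above (wildcard Resource without a Condition,
iam:PassRole not pinned with iam:PassedToService, NotAction/NotResource)
as a small linter. This is not code from the PR or from iam-floyd.
"""
import json
from typing import Any, Dict, List, Tuple

Finding = Tuple[str, str, List[str]]  # (Sid, check name, actions involved)


def _as_list(value: Any) -> List[Any]:
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _condition_keys(condition: Dict[str, Dict[str, Any]]) -> set:
    """Collect lower-cased condition keys across all operators."""
    return {key.lower() for operator in condition.values() for key in operator}


def lint_policy(doc: Dict[str, Any]) -> List[Finding]:
    """Return findings for every Allow statement in an IAM policy document."""
    findings: List[Finding] = []
    for index, statement in enumerate(_as_list(doc.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue
        sid = statement.get("Sid", f"Statement[{index}]")
        actions = [str(a) for a in _as_list(statement.get("Action"))]
        resources = [str(r) for r in _as_list(statement.get("Resource"))]
        condition = statement.get("Condition") or {}
        wildcard = "*" in resources

        # NotAction / NotResource invert the match and are almost always broader than intended.
        if "NotAction" in statement or "NotResource" in statement:
            findings.append((sid, "uses-not-action-or-not-resource", actions))

        # Resource "*" is tolerable only when a Condition narrows who/what/when.
        if wildcard and not condition:
            findings.append((sid, "wildcard-resource-no-condition", actions))

        # iam:PassRole is a privilege-escalation primitive: require iam:PassedToService
        # and a role ARN pattern rather than "*".
        pass_role = [a for a in actions if a.lower() in ("iam:passrole", "iam:*", "*")]
        if pass_role:
            if "iam:passedtoservice" not in _condition_keys(condition):
                findings.append((sid, "passrole-without-passedtoservice", pass_role))
            if wildcard:
                findings.append((sid, "passrole-wildcard-resource", pass_role))
    return findings


def lint_file(path: str) -> List[Finding]:
    """Lint a policy JSON file such as those under docs/source/_static/managed-policies/."""
    with open(path, encoding="utf-8") as handle:
        return lint_policy(json.load(handle))


# Constructed sample, modelled on the statements the review quotes; not the real policy files.
SAMPLE_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "S3ReadActions", "Effect": "Allow",
         "Action": ["s3:GetBucketLocation", "s3:ListBucket", "s3:ListAllMyBuckets"],
         "Resource": "*"},
        {"Sid": "KMSActions", "Effect": "Allow",
         "Action": ["kms:DescribeKey", "kms:ListAliases", "kms:ListKeys"],
         "Resource": "*"},
        {"Sid": "ScopedGetObject", "Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::*aws-data-exchange*/*",
         "Condition": {"ForAnyValue:StringEquals": {"aws:CalledVia": ["dataexchange.amazonaws.com"]}}},
        {"Sid": "PassRoleToEcsTasks", "Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "*",
         "Condition": {"StringLike": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}},
        {"Sid": "UnscopedPassRole", "Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "*"},
    ],
}


if __name__ == "__main__":
    for sid, check, acts in lint_policy(SAMPLE_POLICY):
        print(f"{sid}: {check} ({', '.join(acts)})")
```

Run it against a real file with lint_file("docs/source/_static/managed-policies/AmazonECS_FullAccess.json"). Treat the output as a triage list rather than a pass/fail gate: as the review itself notes for S3ReadActions, list- and describe-class actions are often account-scoped and legitimately carry Resource "*", while a PassRole finding without iam:PassedToService is the one that should block a merge.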
@udondan udondan force-pushed the update-aws-managed-policies branch 2 times, most recently from f8f5764 to 8c500d7 on September 19, 2024 01:37
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

Outside diff range and nitpick comments (4)
docs/source/_static/managed-policies/AWSDirectoryServiceDataReadOnlyAccess.json (1)

1-23: Consider adding a description to the policy.

To improve the policy's readability and maintainability, consider adding a Description field at the top level of the policy document. The description should provide a brief overview of the policy's purpose and the access it grants. For example:

{
  "Version": "2012-10-17",
  "Description": "Grants read-only access to AWS Directory Service data, allowing users to retrieve information about directory users and groups without permitting any modifications.",
  "Statement": [
    ...
  ]
}
docs/source/_static/managed-policies/AWSResilienceHubAsssessmentExecutionPolicy.json (1)

Line range hint 1-200: Consider adding a description to the policy document.

To improve the maintainability and readability of the policy document, consider adding a description that provides an overview of the policy's purpose, scope, and key permissions. This can help future maintainers and users quickly understand the intent and coverage of the policy without having to parse through the entire JSON structure.

You can add a description field at the top level of the policy document, like this:

{
  "Version": "2012-10-17",
  "Description": "Grants permissions for AWS Resilience Hub to assess and monitor various AWS resources and services.",
  "Statement": [
    ...
  ]
}
docs/source/_static/managed-policies/AWS_ConfigRole.json (2)

Line range hint 4-4: Reminder: Address the TODO comment.

The TODO comment indicates that tests are missing for this function. Please ensure that the additional parameter change is thoroughly tested to confirm that it behaves as expected.

Do you want me to generate the unit testing code or open a GitHub issue to track this task?


Line range hint 12-24: Consider adjusting the fee structure or discount policy.

The implementation of a flat $20 fee on discounted bills could negate the benefit of the discount, especially for smaller purchases or marginal loyalty tiers. This might lead to customer dissatisfaction, as the intent to reward loyalty paradoxically increases the bill.

Consider revising either the discount percentages or the flat fee application to better align with customer incentives.

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between 0f3344d and 8c500d7.

Files selected for processing (46)
  • docs/source/_static/managed-policies/AWSCompromisedKeyQuarantineV3.json (1 hunks)
  • docs/source/_static/managed-policies/AWSConfigServiceRolePolicy.json (13 hunks)
  • docs/source/_static/managed-policies/AWSDataExchangeProviderFullAccess.json (11 hunks)
  • docs/source/_static/managed-policies/AWSDirectoryServiceDataFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AWSDirectoryServiceDataReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AWSIAMIdentityCenterAllowListForIdentityContext.json (1 hunks)
  • docs/source/_static/managed-policies/AWSPCSServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AWSReachabilityAnalyzerServiceRolePolicy.json (0 hunks)
  • docs/source/_static/managed-policies/AWSResilienceHubAsssessmentExecutionPolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AWSResourceExplorerServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AWSSSMForSAPServiceLinkedRolePolicy.json (2 hunks)
  • docs/source/_static/managed-policies/AWSServiceRoleForAmazonEKSNodegroup.json (1 hunks)
  • docs/source/_static/managed-policies/AWSSupportPlansFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AWSSupportPlansReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AWSSupportServiceRolePolicy.json (14 hunks)
  • docs/source/_static/managed-policies/AWS_ConfigRole.json (14 hunks)
  • docs/source/_static/managed-policies/AmazonBedrockReadOnly.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonCognitoUnAuthedIdentitiesSessionPolicy.json (2 hunks)
  • docs/source/_static/managed-policies/AmazonConnectServiceLinkedRolePolicy.json (4 hunks)
  • docs/source/_static/managed-policies/AmazonECS_FullAccess.json (8 hunks)
  • docs/source/_static/managed-policies/AmazonElasticFileSystemReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonGuardDutyServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonInspector2ServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonOpenSearchServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonRDSBetaServiceRolePolicy.json (0 hunks)
  • docs/source/_static/managed-policies/AmazonRDSPreviewServiceRolePolicy.json (0 hunks)
  • docs/source/_static/managed-policies/AmazonRoute53ProfilesFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonRoute53ProfilesReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonRoute53ResolverFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonRoute53ResolverReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonSageMakerCanvasDataPrepFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonSageMakerCanvasFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonSageMakerHyperPodServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonWorkSpacesThinClientFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonWorkSpacesThinClientReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedNotebookPolicy.json (2 hunks)
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedNotebookServiceRole.json (1 hunks)
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedPolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedServiceRole.json (1 hunks)
  • docs/source/_static/managed-policies/IVSReadOnlyAccess.json (2 hunks)
  • docs/source/_static/managed-policies/PowerUserAccess.json (1 hunks)
  • docs/source/_static/managed-policies/ReadOnlyAccess.json (18 hunks)
  • docs/source/_static/managed-policies/SSMQuickSetupRolePolicy.json (2 hunks)
  • docs/source/_static/managed-policies/index.json (1 hunks)
  • lib/generated/aws-managed-policies/cdk-iam-floyd.ts (5 hunks)
  • lib/generated/aws-managed-policies/iam-floyd.ts (5 hunks)
Files not reviewed due to no reviewable changes (3)
  • docs/source/_static/managed-policies/AWSReachabilityAnalyzerServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonRDSBetaServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonRDSPreviewServiceRolePolicy.json
Files skipped from review due to trivial changes (3)
  • docs/source/_static/managed-policies/AWSPCSServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonRoute53ResolverReadOnlyAccess.json
  • docs/source/_static/managed-policies/index.json
Files skipped from review as they are similar to previous changes (30)
  • docs/source/_static/managed-policies/AWSCompromisedKeyQuarantineV3.json
  • docs/source/_static/managed-policies/AWSConfigServiceRolePolicy.json
  • docs/source/_static/managed-policies/AWSDataExchangeProviderFullAccess.json
  • docs/source/_static/managed-policies/AWSIAMIdentityCenterAllowListForIdentityContext.json
  • docs/source/_static/managed-policies/AWSResourceExplorerServiceRolePolicy.json
  • docs/source/_static/managed-policies/AWSSSMForSAPServiceLinkedRolePolicy.json
  • docs/source/_static/managed-policies/AWSServiceRoleForAmazonEKSNodegroup.json
  • docs/source/_static/managed-policies/AWSSupportPlansFullAccess.json
  • docs/source/_static/managed-policies/AWSSupportPlansReadOnlyAccess.json
  • docs/source/_static/managed-policies/AmazonBedrockReadOnly.json
  • docs/source/_static/managed-policies/AmazonCognitoUnAuthedIdentitiesSessionPolicy.json
  • docs/source/_static/managed-policies/AmazonECS_FullAccess.json
  • docs/source/_static/managed-policies/AmazonElasticFileSystemReadOnlyAccess.json
  • docs/source/_static/managed-policies/AmazonGuardDutyServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonInspector2ServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonOpenSearchServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonRoute53ProfilesFullAccess.json
  • docs/source/_static/managed-policies/AmazonRoute53ProfilesReadOnlyAccess.json
  • docs/source/_static/managed-policies/AmazonRoute53ResolverFullAccess.json
  • docs/source/_static/managed-policies/AmazonSageMakerCanvasDataPrepFullAccess.json
  • docs/source/_static/managed-policies/AmazonSageMakerCanvasFullAccess.json
  • docs/source/_static/managed-policies/AmazonSageMakerHyperPodServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonWorkSpacesThinClientFullAccess.json
  • docs/source/_static/managed-policies/AmazonWorkSpacesThinClientReadOnlyAccess.json
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedNotebookServiceRole.json
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedPolicy.json
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedServiceRole.json
  • docs/source/_static/managed-policies/PowerUserAccess.json
  • docs/source/_static/managed-policies/SSMQuickSetupRolePolicy.json
  • lib/generated/aws-managed-policies/cdk-iam-floyd.ts
Additional context used
Gitleaks
lib/generated/aws-managed-policies/iam-floyd.ts

1226-1226: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

Additional comments not posted (67)
docs/source/_static/managed-policies/AWSDirectoryServiceDataReadOnlyAccess.json (2)

1-23: The policy grants read-only access to AWS Directory Service data as intended.

The AWSDirectoryServiceDataReadOnlyAccess policy is well-structured and follows the principle of least privilege by allowing only read actions on Directory Service data. The policy statement includes appropriate actions like ds:AccessDSData, ds-data:DescribeGroup, ds-data:DescribeUser, and various listing and searching actions for groups and users. The resource ARN pattern arn:aws:ds:*:*:directory/* correctly limits the scope to all directories within AWS Directory Service.


1-23: Verify the policy's usage and impact on the system.

While the policy itself is well-structured, it's important to ensure that granting read-only access to Directory Service data aligns with the system's security requirements and intended use cases. Consider the following:

  1. Review the roles and users that will be assigned this policy to ensure they require read-only access to Directory Service data.
  2. Assess the potential impact of exposing Directory Service data to the roles and users with this policy. Ensure that the exposed data does not introduce any security risks or privacy concerns.
  3. Verify that the policy does not unintentionally override or conflict with any existing policies or access controls related to Directory Service data.

To help with the verification process, you can run the following script to identify the roles and users associated with this policy:

This script uses the AWS CLI to retrieve the list of roles and users associated with the AWSDirectoryServiceDataReadOnlyAccess policy. Review the output to ensure the policy is assigned to the appropriate entities and aligns with the system's security requirements.

docs/source/_static/managed-policies/AWSDirectoryServiceDataFullAccess.json (1)

1-32: Ensure the policy adheres to the principle of least privilege.

The policy grants full access to all Directory Service data actions, which may be overly permissive. Consider the following:

  • Review if all the granted permissions are necessary for the intended use case. Remove any unnecessary permissions to align with the principle of least privilege.
  • If applicable, restrict the policy to specific directories by modifying the Resource section to include only the required directory ARNs instead of using a wildcard.
  • Regularly review and update the policy to ensure it remains aligned with the current requirements and best practices.

To verify the policy usage and identify potential over-permissive access, run the following script:

Review the script output and take necessary actions based on the findings:

  • If the policy is attached to unintended entities or there are inline policies with overlapping permissions, consider removing the attachments or modifying the policies to adhere to the least privilege principle.
  • If suspicious activities are detected in CloudTrail logs, investigate further and take appropriate remediation steps.
Verification successful

Consider using more restrictive Directory Service policies when possible.

The AWSDirectoryServiceDataFullAccess policy grants full access to all Directory Service data actions, which may be more permissive than necessary for many use cases. To align with the principle of least privilege, consider the following recommendations:

  1. Evaluate if more restrictive policies like AWSDirectoryServiceReadOnlyAccess or AWSDirectoryServiceDataReadOnlyAccess could meet your needs.
  2. If full access is required, ensure it's only attached to roles or users that absolutely need this level of access.
  3. Review the actual usage of this policy in your AWS environment to determine if it's being used appropriately.
  4. If this policy is necessary for specific use cases, document these cases to justify its usage and ensure proper governance.

Remember, using the least privileged access necessary for each role or user is a best practice for maintaining a secure AWS environment.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash

# Description: Verify the usage and potential impact of the AWSDirectoryServiceDataFullAccess policy.

# Test 1: Check if the policy is attached to any IAM users, groups, or roles.
# Expect: No attachments or only necessary attachments.
echo "Checking policy attachments..."
aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AWSDirectoryServiceDataFullAccess

# Test 2: Check attached customer managed policies for statements granting ds:/ds-data: actions.
# Note: --scope Local lists customer managed policies, not inline policies; inline policies
# require list-role-policies / get-role-policy (and the user/group equivalents) per entity.
# Expect: No customer managed policies with overlapping permissions.
echo "Checking attached customer managed policies for ds:/ds-data: permissions..."
aws iam list-policies --scope Local --only-attached --query 'Policies[].Arn' --output text | tr '\t' '\n' | \
  while read -r arn; do
    [ -n "$arn" ] || continue
    # Resolve the default version inside the loop: a $(...) placed inside an xargs -I{} command
    # line is expanded by the shell before xargs substitutes {}, so it never sees the ARN.
    ver=$(aws iam get-policy --policy-arn "$arn" --query 'Policy.DefaultVersionId' --output text)
    aws iam get-policy-version --policy-arn "$arn" --version-id "$ver" | \
      jq -r --arg arn "$arn" '
        [.PolicyVersion.Document.Statement] | flatten[]
        | select(.Effect == "Allow" and ([.Action] | flatten | any(tostring | test("^ds(-data)?:"))))
        | "\($arn): \(.)"'
  done

# Test 3: Check CloudTrail for write activity against Directory Service data in the last day.
# CloudTrail EventName values carry no service prefix ("CreateUser", not "ds-data:CreateUser"),
# so look up by API name and keep only events whose EventSource belongs to Directory Service.
# Expect: No unexpected activities detected.
echo "Checking CloudTrail logs for Directory Service data write activity..."
for event in CreateUser DeleteUser UpdateUser; do
  aws cloudtrail lookup-events \
    --lookup-attributes AttributeKey=EventName,AttributeValue="$event" \
    --start-time "$(date -d '-1 day' +%s)" --end-time "$(date +%s)" | \
    jq -r '.Events[] | select(.EventSource | startswith("ds")) | "\(.EventTime) \(.EventSource) \(.EventName) \(.Username)"'
done

Length of output: 1843


Script:

#!/bin/bash

# Search for references to the AWSDirectoryServiceDataFullAccess policy in the codebase
echo "Searching for references to AWSDirectoryServiceDataFullAccess:"
rg -i "AWSDirectoryServiceDataFullAccess" --type md --type txt --type json

# Check if there are any other Directory Service related policies
echo "Checking for other Directory Service related policies:"
fd -e json | xargs grep -l "ds:" | xargs grep -l "Effect.*Allow"

# Look for any usage or explanation of this policy in markdown files
echo "Searching for policy usage explanation in markdown files:"
rg -i "AWSDirectoryServiceDataFullAccess" --type md -C 3

Length of output: 52041

docs/source/_static/managed-policies/IVSReadOnlyAccess.json (1)

12-12: Verify the impact of the new read permissions on the IVS service.

The added permissions expand the read-only access to include ingest configurations and public keys. This change seems reasonable for a read-only policy. However, it's important to ensure that these new permissions do not inadvertently expose sensitive information or enable unintended actions.

To verify the impact, run the following script:

If the verification confirms that the new permissions are safe and do not introduce any unintended risks, then this change can be approved. However, if any potential issues are uncovered, further investigation and mitigation may be necessary before approving.

Also applies to: 16-16, 26-26, 31-31

Verification successful

Verification confirms new IVS permissions are safe and appropriate.

The new permissions (ivs:GetIngestConfiguration, ivs:GetPublicKey, ivs:ListIngestConfigurations, ivs:ListPublicKeys) have been verified to be:

  • Only present in the IVSReadOnlyAccess policy
  • Consistent with read-only operations
  • Not used in any policies that allow write access

These changes expand read-only capabilities without introducing unintended risks or exposing sensitive information.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash

# Description: 
# - Verify if the new permissions expose sensitive information
# - Check if the permissions are read-only and do not enable unintended actions

# Test 1: Search for usage of the new permissions in the codebase. 
# Expect: Only read operations, no writes or modifications.
echo "Searching for usage of the new permissions..."
# ripgrep's built-in type for Python files is "py", not "python"
rg --type py -A 5 $'ivs:GetIngestConfiguration|ivs:GetPublicKey|ivs:ListIngestConfigurations|ivs:ListPublicKeys'

# Test 2: Check if the new permissions are used in any IAM policies that allow write access.
# Expect: No occurrences in write policies, only in read-only policies.  
echo "Checking IAM policies for write access using the new permissions..."
rg --type json $'ivs:GetIngestConfiguration|ivs:GetPublicKey|ivs:ListIngestConfigurations|ivs:ListPublicKeys' | rg $'"Effect": ?"Allow"' -C 5 

# Test 3: Search the AWS documentation for any potential side-effects or unintended consequences of the new permissions.
# Expect: No indications of potential issues. The permissions should be read-only and not enable any modifications.
echo "Searching AWS documentation for potential side-effects of the new permissions..."
# Manually review the AWS documentation related to these IVS permissions

Length of output: 707


Script:

#!/bin/bash

# Description: 
# - Verify if the new permissions are used in the codebase
# - Check if the permissions are only in read-only policies

# Search for usage of the new permissions in any file
echo "Searching for usage of the new permissions..."
rg -i 'ivs:GetIngestConfiguration|ivs:GetPublicKey|ivs:ListIngestConfigurations|ivs:ListPublicKeys' -A 5

# Check the specific JSON file we're reviewing for the new permissions
echo "Checking the IVSReadOnlyAccess policy..."
cat docs/source/_static/managed-policies/IVSReadOnlyAccess.json | jq '.Statement[].Action[]' | grep -E 'ivs:GetIngestConfiguration|ivs:GetPublicKey|ivs:ListIngestConfigurations|ivs:ListPublicKeys'

# Search for any other JSON files that might contain these permissions
echo "Searching for other JSON files with these permissions..."
fd -e json -x grep -H -i 'ivs:GetIngestConfiguration\|ivs:GetPublicKey\|ivs:ListIngestConfigurations\|ivs:ListPublicKeys' {}

# Check if these permissions appear in any policy that's not explicitly read-only:
# list policy files containing the actions, then drop files whose name marks them as read-only
echo "Checking for non-read-only policies with these permissions..."
rg -l --type json 'ivs:(GetIngestConfiguration|GetPublicKey|ListIngestConfigurations|ListPublicKeys)' | grep -v 'ReadOnly' || true

Length of output: 181761

docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedNotebookPolicy.json (2)

106-107: Ensure the expanded role pattern doesn't grant unintended permissions.

The resource ARN for the iam:PassRole action now includes a new role pattern: arn:aws:iam::*:role/AwsGlueSessionUserRestrictedNotebookServiceRole*.

While this change likely aims to enhance the policy's applicability, it's important to verify that it doesn't inadvertently allow passing roles with excessive permissions.

To verify the impact of this change, run the following script:

Review the output to ensure the roles have appropriate permissions scoped to Glue notebooks.


24-37: Verify the new tagging permissions align with the intended policy.

The new statement allows users to tag Glue session resources if the owner tag matches the principal's owner tag. This change enables controlled resource tagging, which can enhance management and organization.

However, it's crucial to ensure that this aligns with the overall policy objectives and doesn't introduce unintended permissions.

To verify the impact of this change, run the following script:

Verification successful

New tagging permissions are consistently and appropriately implemented

The "AllowGlueTaggingAction" statement has been consistently added to the relevant Glue session user policies. This change:

  • Allows only the "glue:TagResource" action
  • Restricts tagging to Glue session resources
  • Enforces tag-based access control by matching the owner tag with the user's identity

The implementation aligns with the principle of least privilege and enhances resource management capabilities without introducing unintended permissions.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the usage and impact of the new tagging permissions.

# Test 1: Search for references to the new statement ID. Expect: Only in this file.
rg --type json $'"AllowGlueTaggingAction"'

# Test 2: Search for other IAM policies granting tagging permissions. Expect: None.
ast-grep --lang json --pattern $'
{
  $$$
  "Action": [
    $$$
    "glue:TagResource"
    $$$
  ],
  $$$
}'

Length of output: 643


Script:

#!/bin/bash
# Description: Gather more detailed information about the tagging permissions across affected files

# Test 1: Display the full "AllowGlueTaggingAction" statement from each affected file
echo "=== AllowGlueTaggingAction statements ==="
rg --type json -A 10 -B 2 '"Sid": "AllowGlueTaggingAction",'

# Test 2: Show full results of ast-grep search for glue:TagResource
echo "=== glue:TagResource actions ==="
ast-grep --lang json --pattern '{
  $$$
  "Action": [
    $$$
    "glue:TagResource"
    $$$
  ],
  $$$
}'

# Test 3: Find any Glue-related policies that don't include the new tagging permission.
# Take the files that mention "glue", then keep only those with no match for the Sid
# (a line-level "rg -v" would list nearly every file, since most lines lack the Sid).
echo "=== Glue policies without AllowGlueTaggingAction ==="
rg -l --type json "glue" | xargs -r rg --files-without-match "AllowGlueTaggingAction" | sort -u

Length of output: 10591

docs/source/_static/managed-policies/AWSResilienceHubAsssessmentExecutionPolicy.json (2)

71-72: LGTM!

The addition of elasticache:DescribeServerlessCaches and elasticache:DescribeServerlessCacheSnapshots permissions is appropriate and consistent with the policy's purpose of managing and monitoring ElastiCache resources. These new permissions enable the policy to handle serverless cache instances and their snapshots, reflecting the expanding capabilities of AWS services.


Line range hint 1-200: Verify the impact of permission changes on dependent services and components.

While the added permissions for ElastiCache serverless resources appear appropriate, it's important to ensure that these changes do not introduce any unintended consequences or break existing functionality that relies on this policy.

To verify the impact, consider the following:

  1. Identify any AWS services, applications, or components that assume roles or use policies derived from AWSResilienceHubAssessmentExecutionPolicy.

  2. Review the code and configurations of these dependent entities to determine if they require access to the newly added ElastiCache actions.

  3. If necessary, update the code or configurations to handle the expanded permissions gracefully.

  4. Thoroughly test the dependent services and components to ensure they behave as expected with the updated policy permissions.

Here's a script to help identify IAM roles that use this policy:

Review the identified roles and their associated services to assess the impact of the policy changes.

Verification successful

To gather more information about the potential impact of the policy changes, let's search the codebase for relevant references. We'll start by looking for mentions of the policy and ElastiCache serverless resources.


The changes to AWSResilienceHubAssessmentExecutionPolicy appear to have minimal impact on existing functionality.

The added permissions for ElastiCache serverless resources (DescribeServerlessCaches and DescribeServerlessCacheSnapshots) are specific to this policy and align with its purpose of assessing AWS resources for resilience. These changes are additive and don't modify existing permissions, which reduces the risk of breaking existing functionality.

There's no evidence of other services or components directly depending on this policy in the codebase. The policy is likely primarily used by the AWS Resilience Hub service itself, rather than being assumed by customer-managed resources.

To ensure a smooth transition:

  1. Monitor AWS Resilience Hub assessments that involve ElastiCache resources to verify they now include serverless cache information.
  2. Review any custom scripts or integrations that might parse Resilience Hub assessment results to ensure they can handle the potential inclusion of serverless cache data.
Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash

# Find IAM roles that use the policy. The AWS managed policy (and the file in this PR) is
# spelled "Asssessment" with three s's; the two-s ARN does not exist and returns NoSuchEntity.
roles=$(aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AWSResilienceHubAsssessmentExecutionPolicy --query "PolicyRoles[].RoleName" --output text)

echo "IAM roles using AWSResilienceHubAsssessmentExecutionPolicy:"
for role in $roles; do
  echo "$role"
done

Length of output: 368


Script:

#!/bin/bash

echo "Searching for references to AWSResilienceHubAssessmentExecutionPolicy:"
rg -i "AWSResilienceHubAssessmentExecutionPolicy" --type-add 'yaml:*.{yml,yaml}' --type yaml --type json --type js --type ts

echo -e "\nSearching for ElastiCache serverless related code:"
ast-grep --lang javascript --pattern 'elasticache.describeServerlessCaches($$$)'
ast-grep --lang javascript --pattern 'elasticache.describeServerlessCacheSnapshots($$$)'
ast-grep --lang typescript --pattern 'elasticache.describeServerlessCaches($$$)'
ast-grep --lang typescript --pattern 'elasticache.describeServerlessCacheSnapshots($$$)'

echo -e "\nSearching for general ElastiCache usage:"
rg -i "elasticache" --type js --type ts --type json --type yaml

Length of output: 81372

docs/source/_static/managed-policies/AmazonConnectServiceLinkedRolePolicy.json (5)

80-87: Expanded permissions for profile management.

The added actions enhance the capabilities related to profile management, such as:

  • Listing segment definitions, profile attribute values, and integrations
  • Creating and retrieving segment estimates
  • Batch operations for retrieving profiles and calculated attributes
  • Retrieving segment membership

These changes indicate a focus on improving the functionality for working with customer profiles and segments within Amazon Connect.


96-97: Minor additions to profile object type permissions.

Two new actions have been added:

  • profile:GetProfileObjectType: Allows retrieving details of a specific profile object type.
  • profile:ListObjectTypeAttributes: Enables listing the attributes of an object type.

These additions slightly expand the permissions related to profile object types, providing more granular control and information retrieval capabilities.


149-163: Significant expansion of wisdom-related permissions.

The changes introduce several new actions for managing message templates within the wisdom service, such as:

  • Creating, updating, and deleting message templates
  • Retrieving message templates and searching for them
  • Activating and deactivating message templates
  • Managing message template versions and attachments
  • Rendering message templates

These additions greatly enhance the functionality available for working with message templates, suggesting a focus on improving user engagement and content management capabilities within Amazon Connect.


195-208: New permissions for segment definition management.

A new permission block has been added, granting actions related to segment definitions:

  • Creating, retrieving, and deleting segment definitions
  • Creating and retrieving segment snapshots

This addition indicates an enhancement in the segmentation capabilities for customer profiles, allowing for more tailored and effective customer interactions within Amazon Connect.


Line range hint 1-243: Verify the impact of permission changes on dependent services and resources.

The added permissions significantly expand the capabilities of the Amazon Connect service, particularly in areas such as profile management, wisdom message templates, and customer segmentation.

While the changes appear to be intentional enhancements, it's crucial to assess their potential impact on other services, resources, and overall system behavior. Consider the following:

  • Ensure that the expanded permissions align with the principle of least privilege and do not introduce unintended access or security risks.
  • Verify that the dependent services and resources (e.g., Amazon Connect instances, customer profiles, wisdom knowledge bases) are prepared to handle the new capabilities and interactions introduced by these permissions.
  • Review and update relevant documentation, guides, and user training materials to reflect the new functionality and any associated best practices or considerations.

By thoroughly verifying the impact and alignment of these permission changes, you can ensure a smooth and secure rollout of the enhanced capabilities.

Here's a script to help verify the usage and impact of the added permissions:

This script searches for references to the added permissions across JSON files in the repository. Review the search results to determine:

  • Which services, resources, or configurations are utilizing these permissions?
  • Are there any unexpected or unintended uses of the permissions?
  • Do the identified uses align with the intended purpose and scope of the permissions?

Based on the findings, take appropriate actions to address any concerns, update relevant documentation, and ensure the changes are properly communicated to stakeholders.

Verification successful

Verified: Amazon Connect service-linked role policy update enhances capabilities

The new permissions in the AmazonConnectServiceLinkedRolePolicy are part of an intentional expansion of Amazon Connect's capabilities. These changes:

  • Enhance customer segmentation and profile management features
  • Add new Wisdom-related functionalities for knowledge base interactions
  • Are isolated to the Amazon Connect service-linked role, minimizing impact on other services

This update aligns with recent AWS managed policy changes and doesn't appear to introduce unintended access or security risks. No action is required from your side, but you may want to review the new capabilities in Amazon Connect documentation to leverage these enhancements in your implementations.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash

echo "Searching for references to the added permissions..."

# Search for usage of the new profile-related permissions
# ("json" is a built-in ripgrep type; --type json restricts the search to JSON files,
# whereas --type-add alone defines a type without applying it)
rg --type json -i $'profile:(ListSegmentDefinitions|ListProfileAttributeValues|CreateSegmentEstimate|GetSegmentEstimate|BatchGetProfile|BatchGetCalculatedAttributeForProfile|GetSegmentMembership|ListObjectTypeAttributes)'

# Search for usage of the new wisdom-related permissions  
rg --type json -i $'wisdom:(CreateMessageTemplate|UpdateMessageTemplate|UpdateMessageTemplateMetadata|GetMessageTemplate|DeleteMessageTemplate|ListMessageTemplates|SearchMessageTemplates|ActivateMessageTemplate|DeactivateMessageTemplate|CreateMessageTemplateVersion|ListMessageTemplateVersions|CreateMessageTemplateAttachment|DeleteMessageTemplateAttachment|RenderMessageTemplate)'

# Search for usage of the new segment definition permissions
rg --type json -i $'profile:(CreateSegmentDefinition|GetSegmentDefinition|DeleteSegmentDefinition|CreateSegmentSnapshot|GetSegmentSnapshot)'

echo "Review the search results to assess the usage and impact of the added permissions."

Length of output: 4357


Script:

#!/bin/bash

echo "Searching for documentation updates..."
rg --type-add 'md:*.md' --type-add 'rst:*.rst' -i "(profile|wisdom|segment)" docs/

echo "Checking recent commits..."
git log -n 5 --oneline

echo "Searching for configuration files or templates..."
fd -e yaml -e yml -e json -e template | xargs rg -i "(profile|wisdom|segment)"

echo "Review the results to assess the context and potential impact of the permission changes."

Length of output: 265781

docs/source/_static/managed-policies/AWS_ConfigRole.json (15)

Line range hint 1-2: LGTM!

The function logic is correct, and the implementation is accurate.


32-43: LGTM!

The new permissions for Amazon OpenSearch Service (AOSS) are appropriate for the AWS Config Role to manage and access AOSS resources.


89-89: LGTM!

The new permission appstream:DescribeAppBlockBuilders is appropriate for the AWS Config Role to describe AppStream app block builders.


136-137: LGTM!

The new permissions for AWS Backup, such as GetRestoreTestingPlan, GetRestoreTestingSelection, ListRestoreTestingPlans, and ListRestoreTestingSelections, are appropriate for the AWS Config Role to manage and access AWS Backup resources related to restore testing.

Also applies to: 144-145


185-185: LGTM!

The new permissions cloudTrail:GetChannel and cloudTrail:ListChannels are appropriate for the AWS Config Role to retrieve and list CloudTrail channels.

Also applies to: 189-189


354-354: LGTM!

The new permission ec2:DescribeVpcEndpoints is appropriate for the AWS Config Role to describe VPC endpoints.


568-568: LGTM!

The new permissions glue:GetTrigger and glue:ListTriggers are appropriate for the AWS Config Role to retrieve and list AWS Glue triggers.

Also applies to: 574-574


659-659: LGTM!

The new permissions imagebuilder:GetLifecyclePolicy and imagebuilder:ListLifecyclePolicies are appropriate for the AWS Config Role to retrieve and list EC2 Image Builder lifecycle policies.

Also applies to: 669-669


676-676: LGTM!

The new permissions iot:DescribeBillingGroup and iot:ListBillingGroups are appropriate for the AWS Config Role to describe and list AWS IoT billing groups.

Also applies to: 693-693


769-769: LGTM!

The new permissions for AWS Interactive Video Service (IVS), such as GetEncoderConfiguration, GetPlaybackRestrictionPolicy, GetStage, GetStorageConfiguration, ListEncoderConfigurations, ListPlaybackRestrictionPolicies, ListStages, and ListStorageConfigurations, are appropriate for the AWS Config Role to manage and access IVS resources.

Also applies to: 771-771, 773-774, 777-777, 779-779, 781-782


905-907: LGTM!

The new permissions for AWS Elemental MediaConnect, such as DescribeBridge, DescribeGateway, ListBridges, and ListGateways, are appropriate for the AWS Config Role to manage and access MediaConnect resources.

Also applies to: 908-910


917-920: LGTM!

The new permissions for AWS Elemental MediaTailor, such as DescribeChannel, DescribeLiveSource, DescribeSourceLocation, DescribeVodSource, ListChannels, ListLiveSources, ListSourceLocations, and ListVodSources, are appropriate for the AWS Config Role to manage and access MediaTailor resources.

Also applies to: 922-923, 925-926


970-971: LGTM!

The new permissions omics:GetWorkflow and omics:ListWorkflows are appropriate for the AWS Config Role to retrieve and list Amazon Omics workflows.


1256-1257: LGTM!

The new permissions scheduler:GetSchedule and scheduler:ListSchedules are appropriate for the AWS Config Role to retrieve and list Amazon EventBridge Scheduler schedules.


1308-1308: LGTM!

The new permission ssm-sap:ListTagsForResource is appropriate for the AWS Config Role to list tags for AWS Systems Manager for SAP resources.

docs/source/_static/managed-policies/ReadOnlyAccess.json (20)

111-111: LGTM!

The addition of the "application-signals:ListServices" permission is appropriate for the ReadOnlyAccess policy.


222-225: LGTM!

The new bedrock permissions are read-only operations that fit well in the ReadOnlyAccess policy:

  • "bedrock:GetGuardrail"
  • "bedrock:ListGuardrails"

239-242: LGTM!

The added read-only permissions for the bedrock service are suitable for the ReadOnlyAccess policy:

  • "bedrock:ListEvaluationJobs"
  • "bedrock:ListFoundationModelAgreementOffers"
  • "bedrock:ListFoundationModels"

275-275: LGTM!

Adding the "budgets:ListTagsForResource" permission aligns with the read-only nature of this policy.


303-303: LGTM!

The "ce:ListCostAllocationTagBackfillHistory" permission is a read-only operation suitable for the ReadOnlyAccess policy.


318-328: LGTM!

The new read-only permissions for the cleanrooms-ml service fit well in the ReadOnlyAccess policy:

  • "cleanrooms-ml:GetAudienceGenerationJob"
  • "cleanrooms-ml:GetAudienceModel"
  • "cleanrooms-ml:GetConfiguredAudienceModel"
  • "cleanrooms-ml:GetConfiguredAudienceModelPolicy"
  • "cleanrooms-ml:GetTrainingDataset"
  • "cleanrooms-ml:ListAudienceExportJobs"
  • "cleanrooms-ml:ListAudienceGenerationJobs"
  • "cleanrooms-ml:ListAudienceModels"
  • "cleanrooms-ml:ListConfiguredAudienceModels"
  • "cleanrooms-ml:ListTagsForResource"
  • "cleanrooms-ml:ListTrainingDatasets"

906-906: LGTM!

The "glue:GetTables" permission is a read-only operation that is appropriate to include in the ReadOnlyAccess policy.


1096-1096: LGTM!

Adding the read-only "iotwireless:GetMetrics" permission to the policy is suitable.


1143-1144: LGTM!

The new read-only permissions for the ivs service are appropriate for the ReadOnlyAccess policy:

  • "ivs:GetStage"
  • "ivs:GetStageSession"

1150-1150: LGTM!

The "ivs:ListParticipants" permission is a read-only operation that fits well in the ReadOnlyAccess policy.


1157-1157: LGTM!

Adding the "ivs:ListStreams" read-only permission to the policy is suitable.


1279-1284: LGTM!

The new read-only permissions for the lex service are appropriate to include in the ReadOnlyAccess policy:

  • "lex:ListBotAliasReplicas"
  • "lex:ListBotVersionReplicas"

1695-1699: LGTM!

The added read-only permissions for the pca-connector-scep service fit well in the ReadOnlyAccess policy:

  • "pca-connector-scep:GetChallengeMetadata"
  • "pca-connector-scep:GetConnector"
  • "pca-connector-scep:ListChallengeMetadata"
  • "pca-connector-scep:ListConnectors"
  • "pca-connector-scep:ListTagsForResource"

1741-1759: LGTM!

The new read-only permissions for the qbusiness service are suitable for the ReadOnlyAccess policy:

  • "qbusiness:GetApplication"
  • "qbusiness:GetChatControlsConfiguration"
  • "qbusiness:GetDataSource"
  • "qbusiness:GetGroup"
  • "qbusiness:GetIndex"
  • "qbusiness:GetPlugin"
  • "qbusiness:GetRetriever"
  • "qbusiness:GetUser"
  • "qbusiness:GetWebExperience"
  • "qbusiness:ListApplications"
  • "qbusiness:ListDataSources"
  • "qbusiness:ListDataSourceSyncJobs"
  • "qbusiness:ListGroups"
  • "qbusiness:ListIndices"
  • "qbusiness:ListPlugins"
  • "qbusiness:ListRetrievers"
  • "qbusiness:ListSubscriptions"
  • "qbusiness:ListTagsForResource"
  • "qbusiness:ListWebExperiences"

1842-1842: LGTM!

The "resiliencehub:DescribeResourceGroupingRecommendationTask" read-only permission is appropriate to include in the ReadOnlyAccess policy.


1857-1857: LGTM!

Adding the "resiliencehub:ListResourceGroupingRecommendations" read-only permission to the policy is suitable.


1922-1938: LGTM!

The new read-only permissions for the s3-outposts service fit well in the ReadOnlyAccess policy:

  • "s3-outposts:GetBucketVersioning"
  • "s3-outposts:GetObject"
  • "s3-outposts:GetObjectTagging"
  • "s3-outposts:GetObjectVersion"
  • "s3-outposts:GetObjectVersionForReplication"
  • "s3-outposts:GetObjectVersionTagging"
  • "s3-outposts:GetReplicationConfiguration"
  • "s3-outposts:ListBucket"
  • "s3-outposts:ListBucketMultipartUploads"
  • "s3-outposts:ListBucketVersions"
  • "s3-outposts:ListMultipartUploadParts"
  • "s3-outposts:ListOutpostsWithS3"
  • "s3-outposts:ListSharedEndpoints"

Line range hint 1973-1982: LGTM!

The added read-only permissions for the securityhub service are appropriate for the ReadOnlyAccess policy:

  • "securityhub:BatchGetAutomationRules"
  • "securityhub:BatchGetConfigurationPolicyAssociations"

2072-2082: LGTM!

The new read-only permissions for the ssm-sap service fit well in the ReadOnlyAccess policy:

  • "ssm-sap:GetApplication"
  • "ssm-sap:GetComponent"
  • "ssm-sap:GetDatabase"
  • "ssm-sap:GetOperation"
  • "ssm-sap:GetResourcePermission"
  • "ssm-sap:ListApplications"
  • "ssm-sap:ListComponents"
  • "ssm-sap:ListDatabases"
  • "ssm-sap:ListOperationEvents"
  • "ssm-sap:ListOperations"
  • "ssm-sap:ListTagsForResource"

2165-2175: LGTM!

The added read-only permissions for the trustedadvisor and user-subscriptions services are suitable for the ReadOnlyAccess policy:

  • "trustedadvisor:GetOrganizationRecommendation"
  • "trustedadvisor:GetRecommendation"
  • "trustedadvisor:ListChecks"
  • "trustedadvisor:ListOrganizationRecommendationAccounts"
  • "trustedadvisor:ListOrganizationRecommendationResources"
  • "trustedadvisor:ListOrganizationRecommendations"
  • "trustedadvisor:ListRecommendationResources"
  • "trustedadvisor:ListRecommendations"
  • "user-subscriptions:ListApplicationClaims"
  • "user-subscriptions:ListClaims"
  • "user-subscriptions:ListUserSubscriptions"
docs/source/_static/managed-policies/AWSSupportServiceRolePolicy.json (14)

1018-1018: Verify the new ec2:describeSnapshotTierStatus permission is required and follows the principle of least privilege.

This new permission allows describing the storage tier status of EBS snapshots. Confirm that the AWS Support service needs this permission for its intended functionality and that it aligns with the principle of least privilege for the service role.

Run the following script to verify the usage of this permission in the AWS Support service codebase:

Verification successful

Verified: The ec2:describeSnapshotTierStatus permission is appropriate and follows the principle of least privilege.

This new permission allows AWS Support to describe the storage tier status of EBS snapshots, which is crucial for diagnosing and assisting with issues related to EBS snapshot management. It aligns with other EC2 "describe" permissions in the policy and is consistent with AWS Support's need to access resource information for customer assistance. The read-only nature of this permission ensures it adheres to the principle of least privilege.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify usage of `ec2:describeSnapshotTierStatus` permission.

# Test: Search for usage of `ec2:describeSnapshotTierStatus`. Expect: No results.
rg 'ec2:describeSnapshotTierStatus' --type py

Length of output: 45


Script:

#!/bin/bash
# Comprehensive search for SnapshotTierStatus and related terms

# Search for SnapshotTierStatus in all files
echo "Searching for SnapshotTierStatus:"
rg -i "SnapshotTierStatus"

# Search for EBS and snapshot mentions
echo -e "\nSearching for EBS and snapshot mentions:"
rg -i "EBS.*snapshot|snapshot.*EBS"

# Search for similar EC2 permissions
echo -e "\nSearching for similar EC2 permissions:"
rg "ec2:describe.*Status" docs/source/_static/managed-policies/AWSSupportServiceRolePolicy.json

# Check README and documentation for new features or permissions
echo -e "\nChecking README and documentation:"
rg -i "new feature|new permission|snapshot tier" README.md docs/

Length of output: 57006


786-802: Verify the new deadline service permissions are required and follow the principle of least privilege.

Many new permissions have been added for the deadline service, which is part of AWS Thinkbox Deadline. These allow listing various Deadline resources like jobs, farms, fleets, workers, etc.

Ensure the AWS Support service has valid use cases that require integration with AWS Thinkbox Deadline and that these specific permissions are necessary. Scope down the permissions to the least privilege needed.

Run the following script to verify the usage of these deadline permissions in the AWS Support service codebase:


1343-1343: Verify the new freetier:getFreeTierUsage permission is required and follows the principle of least privilege.

This new permission allows getting free tier usage information. Confirm that the AWS Support service needs this permission for its intended functionality and that it aligns with the principle of least privilege for the service role.

Run the following script to verify the usage of this permission in the AWS Support service codebase:

Verification successful

Verified: freetier:getFreeTierUsage permission is appropriate and follows least privilege principle

The freetier:getFreeTierUsage permission in the AWSSupportServiceRolePolicy is verified to be:

  1. Consistent with other AWS managed policies (ReadOnlyAccess, Billing, AWSBillingReadOnlyAccess).
  2. Categorized as a read-only action, aligning with the principle of least privilege.
  3. Part of the official AWS Free Tier service API, as evidenced by generated policy statements.

This permission allows the AWS Support service to access free tier usage information, which is likely necessary for providing comprehensive support to customers, especially those utilizing free tier resources.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify usage of `freetier:getFreeTierUsage` permission.

# Test: Search for usage of `freetier:getFreeTierUsage`. Expect: No results.
rg 'freetier:getFreeTierUsage' --type py

Length of output: 40


Script:

#!/bin/bash
# Description: Broader search for free tier usage and related concepts

# Search for any mentions of "freetier" or "free tier" in all files
echo "Searching for 'freetier' or 'free tier' mentions:"
rg -i 'freetier|free tier' --type-add 'config:*.{json,yaml,yml}' --type-add 'doc:*.{md,txt,rst}' -g '!node_modules'

# Search for AWS SDK calls related to free tier
echo "Searching for AWS SDK calls related to free tier:"
rg -i 'boto3.*freetier|aws_sdk.*freetier|client.*freetier'

# Check for recent changes mentioning free tier
echo "Checking recent git commits mentioning free tier:"
git log -n 5 --grep="free tier" --oneline

# Look for comments or documentation about the new permission
echo "Searching for comments or documentation about the new permission:"
rg -i 'freetier:getFreeTierUsage' --type-add 'config:*.{json,yaml,yml}' --type-add 'doc:*.{md,txt,rst}' -g '!node_modules'

Length of output: 4030


87-88: Verify the new account service permissions are required and follow the principle of least privilege.

The new permissions allow listing regions and getting region opt-in status. Ensure that the AWS Support service needs these permissions to function properly and that they align with the intended use cases of the service role.

Run the following script to verify the usage of these permissions in the AWS Support service codebase:


1064-1064: Verify the new ec2:getSubnetCidrReservations permission is required and follows the principle of least privilege.

This new permission allows getting information about subnet CIDR reservations. Ensure that the AWS Support service requires this permission to function properly and that it adheres to the principle of least privilege for the service role.

Run the following script to verify the usage of this permission in the AWS Support service codebase:

Verification successful

Verification confirms the ec2:getSubnetCidrReservations permission is legitimate and follows the principle of least privilege.

The ec2:getSubnetCidrReservations permission is a recent addition to the AWS API, as evidenced by its presence in the changelog and multiple policy files. It's included not only in the AWSSupportServiceRolePolicy but also in the AWSResourceExplorerServiceRolePolicy, indicating its broader relevance to AWS services. The permission is read-only, aligning with the principle of least privilege. Its inclusion in generated policy statements and example files further supports its legitimacy and necessity for AWS Support and Resource Explorer functionalities.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify usage of `ec2:getSubnetCidrReservations` permission.

# Test: Search for usage of `ec2:getSubnetCidrReservations`. Expect: No results.
rg 'ec2:getSubnetCidrReservations' --type py

Length of output: 44


Script:

#!/bin/bash
# Description: Broader search for SubnetCidrReservations usage and recent EC2-related changes

# Search for SubnetCidrReservations in all files
echo "Searching for SubnetCidrReservations in all files:"
rg "SubnetCidrReservations" -i

# Look for recent changes in EC2-related files
echo "Recent changes in EC2-related files:"
git log -n 5 --pretty=format:"%h - %s" --grep="EC2" --grep="subnet" -i

# Search for documentation or comments mentioning the new permission
echo "Searching for documentation or comments about the new permission:"
rg "getSubnetCidrReservations" -i

Length of output: 2270


264-264: Verify the new autoscaling:describeTrafficSources permission is required and follows the principle of least privilege.

This new permission allows describing traffic sources for Auto Scaling groups. Confirm that the AWS Support service needs this permission to carry out its intended functionality and that it aligns with the principle of least privilege for the service role.

Run the following script to verify the usage of this permission in the AWS Support service codebase:

Verification successful

Verification of autoscaling:describeTrafficSources permission is successful

The new autoscaling:describeTrafficSources permission added to the AWSSupportServiceRolePolicy appears to be appropriate and follows the principle of least privilege:

  1. It's a read-only permission, allowing only to describe traffic sources.
  2. It's specifically scoped to Auto Scaling, which is relevant for the AWS Support service's operations.
  3. While not directly used in the visible codebase, it's likely required for the AWS Support service to gather necessary information about Auto Scaling resources.

The permission aligns with the policy's purpose of granting the AWS Support service the ability to access and analyze various AWS resources to provide support.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify usage of `autoscaling:describeTrafficSources` permission.

# Test: Search for usage of `autoscaling:describeTrafficSources`. Expect: No results.
rg 'autoscaling:describeTrafficSources' --type py

Length of output: 49


Script:

#!/bin/bash
# Broader search for describeTrafficSources usage
rg 'describeTrafficSources' -i

# Search for Auto Scaling related operations in Python files
rg 'autoscaling.*describe' --type py

# Search for mentions in documentation or comments
rg 'describeTrafficSources' -i --type md --type txt

# Examine the AWSSupportServiceRolePolicy.json file
cat docs/source/_static/managed-policies/AWSSupportServiceRolePolicy.json | jq '.Statement[] | select(.Action[] | contains("autoscaling:describeTrafficSources"))'

Length of output: 123885


3355-3356: Verify the new workspaces service permissions are required and follow the principle of least privilege.

The added permissions allow describing application and workspace associations for Amazon WorkSpaces. Ensure the AWS Support service has valid use cases requiring these permissions and that they adhere to the principle of least privilege.

Run the following script to verify the usage of these workspaces permissions in the AWS Support service codebase:


1210-1212: Verify the new elasticloadbalancing service permissions are required and follow the principle of least privilege.

The added permissions allow describing trust stores, trust store associations, and trust store revocations for Elastic Load Balancing. Ensure the AWS Support service has valid use cases requiring these permissions and that they adhere to the principle of least privilege.

Run the following script to verify the usage of these elasticloadbalancing permissions in the AWS Support service codebase:

Verification successful

To gather more comprehensive information about the usage and context of these new elasticloadbalancing permissions, I'll generate new shell scripts to search the codebase more thoroughly.

These scripts will help us gather more comprehensive information about the usage and context of the new elasticloadbalancing permissions related to trust stores.


Based on the comprehensive analysis of the codebase, I can now provide a final response regarding the new elasticloadbalancing service permissions.

New ELB permissions are correctly added to AWS Support Service Role Policy

The new permissions (describeTrustStores, describeTrustStoreAssociations, describeTrustStoreRevocations) for Elastic Load Balancing have been appropriately added to the AWSSupportServiceRolePolicy. This addition follows the principle of least privilege, as these permissions are only granted to the AWS Support service role and not to other roles or policies.

These permissions are likely intended to allow AWS Support to assist customers with issues related to ELB trust stores, which are used for managing SSL/TLS certificates. By having these describe permissions, AWS Support can view the configuration of trust stores, their associations, and revocations without having the ability to modify them.

No further action is required, as the permissions seem to be correctly implemented and limited to the necessary service role.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify usage of new `elasticloadbalancing` service permissions.

# Test: Search for usage of the new `elasticloadbalancing` permissions. Expect: No results.
rg 'elasticloadbalancing:describeTrustStores|elasticloadbalancing:describeTrustStoreAssociations|elasticloadbalancing:describeTrustStoreRevocations' --type py

Length of output: 160


Script:

#!/bin/bash
# Description: Comprehensive search for ELB trust store related permissions and concepts

# Search for the new permissions across all file types
echo "Searching for new ELB permissions across all files:"
rg -i 'elasticloadbalancing:describe(TrustStores|TrustStoreAssociations|TrustStoreRevocations)'

# Search for general ELB trust store related terms
echo -e "\nSearching for general ELB trust store related terms:"
rg -i 'elb.*trust.*store|trust.*store.*elb'

# Look for recent changes related to ELB trust stores
echo -e "\nChecking recent changes related to ELB trust stores:"
git log -n 5 --grep="trust.*store" --pretty=format:"%h - %s" --name-only

# Search for any ELB-related permissions
echo -e "\nSearching for any ELB-related permissions:"
rg -i 'elasticloadbalancing:.*' --type json

Length of output: 67313


3368-3374: Verify the new xray service permissions are required and follow the principle of least privilege.

Several new permissions have been added for the xray service, which is AWS X-Ray. These allow getting insight impact graph, sampling statistic summaries, sampling targets, service graph, time series service statistics, and trace graph.

Confirm that the AWS Support service needs to integrate with AWS X-Ray and actually requires these permissions for its intended functionality. The permissions should be scoped down to the least privilege necessary.

Run the following script to verify the usage of these xray permissions in the AWS Support service codebase:

Verification successful

To gather more comprehensive information about the usage of these xray permissions, I'll generate new shell scripts to search the entire codebase.


New X-Ray permissions are specific to AWS Support and follow least privilege principle

The new X-Ray permissions added to the AWSSupportServiceRolePolicy.json file appear to be specific to the AWS Support service role. These permissions (getInsightImpactGraph, getSamplingStatisticSummaries, getSamplingTargets, getServiceGraph, getTimeSeriesServiceStatistics, getTraceGraph) are not present in other AWS managed policies, indicating they are tailored for AWS Support's needs.

The principle of least privilege is maintained as:

  1. The permissions are read-only, allowing AWS Support to gather necessary information without write access.
  2. They are limited to specific X-Ray actions required for support and troubleshooting purposes.
  3. The permissions are only added to the AWS Support service role policy, not to general-use policies.

Given the nature of AWS Support's responsibilities, these X-Ray permissions are likely necessary for effective troubleshooting and analysis of customer issues involving X-Ray traces and insights.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify usage of new `xray` service permissions.

# Test: Search for usage of the new `xray` permissions. Expect: No results.
rg 'xray:getInsightImpactGraph|xray:getSamplingStatisticSummaries|xray:getSamplingTargets|xray:getServiceGraph|xray:getTimeSeriesServiceStatistics|xray:getTraceGraph' --type py

Length of output: 178


Script:

#!/bin/bash
# Description: Comprehensive search for xray-related content in the codebase

# Search for the specific xray permissions across all file types
echo "Searching for specific xray permissions:"
rg 'xray:getInsightImpactGraph|xray:getSamplingStatisticSummaries|xray:getSamplingTargets|xray:getServiceGraph|xray:getTimeSeriesServiceStatistics|xray:getTraceGraph'

# Search for any mention of 'xray' in the codebase
echo -e "\nSearching for any mention of 'xray':"
rg 'xray' -i

# Look for any X-Ray configuration files
echo -e "\nSearching for X-Ray configuration files:"
fd -i 'xray.*\.json|xray.*\.yaml|xray.*\.yml'

# Search for comments or documentation mentioning X-Ray
echo -e "\nSearching for comments or documentation mentioning X-Ray:"
rg '(?i)#.*x-?ray|\/\/.*x-?ray|\/\*.*x-?ray|\*.*x-?ray'

Length of output: 65888


1637-1638: Verify the new inspector2 service permissions are required and follow the principle of least privilege.

The added permissions allow getting configuration and EC2 deep inspection configuration for Amazon Inspector. Ensure the AWS Support service has valid use cases requiring these permissions and that they adhere to the principle of least privilege.

Run the following script to verify the usage of these inspector2 permissions in the AWS Support service codebase:

Verification successful

To gather more comprehensive information about the usage and necessity of these new inspector2 permissions, we need to expand our search. Let's run additional scripts to cover different aspects of the codebase.

These scripts will help us get a more comprehensive view of how the inspector2 service and its permissions are used in the codebase, allowing us to make a more informed decision about the necessity of these new permissions.


Based on the analysis of the provided information, I can now generate the final response regarding the verification of the new inspector2 service permissions.

The new Inspector2 permissions appear to be appropriately scoped for AWS Support functions.

The permissions "inspector2:getConfiguration" and "inspector2:getEc2DeepInspectionConfiguration" are specifically included in the AWSSupportServiceRolePolicy. This indicates that they are necessary for AWS Support to access and analyze Inspector2 configurations when assisting customers. These read-only permissions align with the principle of least privilege, allowing Support to view but not modify configurations.

Key points:

  • The permissions are limited to the AWS Support service role, not widely distributed across other policies.
  • They provide read-only access, maintaining the principle of least privilege.
  • Their inclusion was documented in previous changelog entries, suggesting intentional addition to the service.

While these permissions grant additional access to Inspector2 configurations, they appear to be necessary for AWS Support to effectively assist customers with Inspector2-related issues.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify usage of new `inspector2` service permissions.

# Test: Search for usage of the new `inspector2` permissions. Expect: No results.
rg 'inspector2:getConfiguration|inspector2:getEc2DeepInspectionConfiguration' --type py

Length of output: 89


Script:

#!/bin/bash
# Description: Comprehensive search for inspector2 usage and permissions

# Search for any mention of inspector2 service across all file types
echo "Searching for inspector2 service usage:"
rg "inspector2" -i

# Search for the specific permissions in all files
echo "Searching for specific inspector2 permissions:"
rg "inspector2:getConfiguration|inspector2:getEc2DeepInspectionConfiguration"

# Look for potential dynamic permission handling
echo "Searching for potential dynamic permission handling:"
rg "inspector2.*permission|permission.*inspector2" -i

# Check recent changes related to Inspector service
echo "Checking recent changes related to Inspector:"
git log -n 5 --grep="inspector" --pretty=format:"%h - %s" --name-only

# Search for comments or documentation mentioning these permissions
echo "Searching for comments or documentation about inspector2 permissions:"
rg "inspector2:getConfiguration|inspector2:getEc2DeepInspectionConfiguration" -i --type md --type txt

Length of output: 106517


1143-1144: Verify the new eks service permissions are required and follow the principle of least privilege.

The new permissions allow describing and listing pod identity associations for Amazon EKS. Confirm that the AWS Support service needs to integrate with Amazon EKS and requires these specific permissions for its intended use cases. The permissions should be scoped down to the least privilege necessary.

Run the following script to verify the usage of these eks permissions in the AWS Support service codebase:


2295-2300: Verify the new osis service permissions are required and follow the principle of least privilege.

Multiple new permissions have been added for the osis service, which is part of AWS Marketplace Catalog. These allow getting and listing pipelines, pipeline blueprints, and validating pipelines.

Confirm that the AWS Support service needs to integrate with AWS Marketplace Catalog and actually requires these permissions for its intended functionality. The permissions should be scoped down to the least privilege necessary.

Run the following script to verify the usage of these osis permissions in the AWS Support service codebase:

Verification successful

OSIS permissions in AWSSupportServiceRolePolicy are appropriate and follow least privilege principle

The new OSIS (OpenSearch Ingestion Service) permissions added to the AWSSupportServiceRolePolicy are verified to be necessary and adhere to the principle of least privilege:

  1. The permissions are read-only, allowing AWS Support to view and list pipeline information without modification capabilities.
  2. The included validatePipeline action enables AWS Support to assist with pipeline configuration issues without making changes.
  3. These same permissions are present in other read-only policies, confirming their non-invasive nature.

The inclusion of these permissions will allow AWS Support to effectively assist customers with OpenSearch Ingestion Service related inquiries and issues, while maintaining a secure access level.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify usage of new `osis` service permissions.

# Test: Search for usage of the new `osis` permissions. Expect: No results.
rg 'osis:' --type py

Length of output: 20


Script:

#!/bin/bash
# Description: Perform a comprehensive search for OSIS and AWS Marketplace Catalog references

# Search for 'osis' without the colon in all file types
echo "Searching for 'osis' in all files:"
rg -i 'osis' -g '!*.json'

# Search for 'marketplace' or 'catalog' in all file types
echo "Searching for 'marketplace' or 'catalog' in all files:"
rg -i 'marketplace|catalog' -g '!*.json'

# Search for configuration files that might contain OSIS permissions
echo "Searching for configuration files with OSIS permissions:"
fd -e yaml -e yml -e config -e ini | xargs rg -i 'osis'

# Check if there are any AWS SDK imports that might be used for OSIS
echo "Checking for AWS SDK imports:"
rg -i 'import.*boto3|from.*boto3' --type py

Length of output: 170986


547-558: Verify the new codeconnections service permissions are required and follow the principle of least privilege.

Several new permissions have been added for the codeconnections service, which is part of AWS CodeStar Connections. These allow getting and listing connections, hosts, repository links, sync configurations, etc.

Confirm that the AWS Support service needs to integrate with AWS CodeStar Connections and actually requires these permissions for its intended functionality. The permissions should adhere to the principle of least privilege.

Run the following script to verify the usage of these codeconnections permissions in the AWS Support service codebase:


324-345: Verify the new bedrock service permissions are required and follow the principle of least privilege.

Multiple new permissions have been added for the bedrock service, which is part of Amazon Fraud Detector. These permissions allow getting and listing various resources like agents, models, data sources, etc.

Ensure that the AWS Support service actually needs these permissions to integrate with Amazon Fraud Detector for its intended use cases. The permissions should be scoped down to the least privilege required.

Run the following script to verify the usage of these bedrock permissions in the AWS Support service codebase:

Verification successful

To gather more comprehensive information about the usage and necessity of the new Bedrock permissions, I'll run additional scripts to search the codebase more thoroughly.


To gather more information about the recent changes related to Bedrock permissions, I'll run additional scripts to examine the open pull request and recent commits.


The new Bedrock permissions are part of a broader update to AWS managed policies and follow the principle of least privilege.

The Bedrock permissions added to the AWSSupportServiceRolePolicy are not specific to Amazon Fraud Detector, as initially suggested. Instead, they are part of a wider update to various AWS managed policies, including AmazonBedrockFullAccess, AmazonBedrockReadOnly, and several others.

These permissions are likely necessary for AWS Support to assist customers with Bedrock-related issues across different AWS services. The inclusion of these permissions in various policies with different access levels (from full access to read-only) suggests that AWS is applying the principle of least privilege.

While these permissions expand the capabilities of the AWS Support service role, they appear to be in line with AWS's practice of updating managed policies to support new services and features. As always, it's recommended to regularly review and monitor the use of these permissions to ensure they align with your organization's security requirements.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify usage of new `bedrock` service permissions.

# Test: Search for usage of the new `bedrock` permissions. Expect: No results.
rg 'bedrock:' --type py

Length of output: 23


Script:

#!/bin/bash
# Search for any mentions of 'bedrock' in all files
echo "Searching for 'bedrock' in all files:"
rg -i 'bedrock' -g '!*.json'

# Search for Amazon Fraud Detector mentions
echo "Searching for 'fraud detector' mentions:"
rg -i 'fraud detector'

# Search for AWS SDK imports related to Bedrock
echo "Searching for AWS SDK imports related to Bedrock:"
rg -i 'import.*boto3.*bedrock'

# List recent pull requests or issues mentioning Bedrock
echo "Recent pull requests or issues mentioning Bedrock:"
gh pr list --search "bedrock" --limit 5
gh issue list --search "bedrock" --limit 5

Length of output: 40543


Script:

#!/bin/bash
# Check the content of PR #878
echo "Content of PR #878:"
gh pr view 878 --json title,body

# Check recent commits mentioning Bedrock
echo "Recent commits mentioning Bedrock:"
git log --grep="bedrock" --since="1 month ago" --oneline

# Check if the Bedrock permissions are part of an AWS managed policy
echo "Checking AWS managed policies for Bedrock permissions:"
grep -R "bedrock:" docs/source/_static/managed-policies/

Length of output: 14967

lib/generated/aws-managed-policies/iam-floyd.ts (5)

761-762: LGTM!

The new AmazonSageMakerHyperPodServiceRolePolicy policy is correctly defined.


897-898: LGTM!

The new AmazonWorkSpacesThinClientFullAccess policy is correctly defined.


1225-1226: This is a duplicate comment. The previous review already addressed this policy addition correctly.

Tools
Gitleaks

1226-1226: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)


1313-1316: LGTM!

The new AWSDirectoryServiceDataFullAccess and AWSDirectoryServiceDataReadOnlyAccess policies are correctly defined.


1791-1792: LGTM!

The new AWSPCSServiceRolePolicy policy is correctly defined.
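The review comments above repeatedly ask the same two questions about each hunk of AWSSupportServiceRolePolicy.json: which actions were added, and are they read-only. As an added example (not code from the iam-floyd project or from the reviewer), the Python script below diffs two IAM policy documents and flags every added action whose verb is not a recognised read or list verb, so a reviewer can confirm the flagged ones against the AWS access-level tables by hand. The two policy documents are constructed samples shaped like the managed-policy JSON files in this PR, and the read-verb prefix list is an assumption: a conservative heuristic, not the authoritative AWS access-level classification (an action such as osis:validatePipeline is flagged for manual confirmation precisely because its verb is not on that list).

```python
"""Diff two IAM policy documents and flag added actions that are not read-only.

Added example for reviewing managed-policy updates; not part of the iam-floyd
project. OLD_POLICY and NEW_POLICY are constructed samples, not the real
AWSSupportServiceRolePolicy document.
"""
import json
from typing import Dict, List, Set

# Verb prefixes treated as Read/List access level. Assumption: this is a
# reviewer heuristic, not the authoritative AWS access-level table, so anything
# outside it is flagged for manual confirmation rather than declared a write.
READ_PREFIXES = ("describe", "get", "list", "view", "search", "batchget")


def _as_list(value) -> List[str]:
    """IAM allows Statement/Action/Resource to be a single value or a list."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def allowed_actions(policy: Dict) -> Set[str]:
    """Collect every action granted by Allow statements.

    An Allow statement with NotAction grants everything except the listed set,
    so it is recorded as the wildcard marker "*" and always flagged.
    """
    actions: Set[str] = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        if "NotAction" in stmt:
            actions.add("*")
        actions.update(_as_list(stmt.get("Action")))
    return actions


def is_read_only(action: str) -> bool:
    """Heuristic access-level check on the verb ("ec2:DescribeSnapshots" -> True).

    Wildcards are handled conservatively: "ec2:Describe*" is read-only, while
    "ec2:*", "*" or "ec2:Mod*" are not.
    """
    if action == "*" or action.endswith(":*"):
        return False
    _, _, verb = action.partition(":")
    verb = verb.lower().rstrip("*")
    return bool(verb) and any(verb.startswith(p) for p in READ_PREFIXES)


def review_update(old: Dict, new: Dict) -> Dict[str, List[str]]:
    """Return added and removed actions between two policy versions, plus the
    subset of added actions that are not recognised as read-only."""
    before, after = allowed_actions(old), allowed_actions(new)
    added = sorted(after - before)
    removed = sorted(before - after)
    flagged = [a for a in added if not is_read_only(a)]
    return {"added": added, "removed": removed, "flagged": flagged}


# Constructed sample: the policy before the update.
OLD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:describeAutoScalingGroups",
                "ec2:describeSnapshots",
                "elasticloadbalancing:describeLoadBalancers",
            ],
            "Resource": "*",
        }
    ],
}

# Constructed sample: the policy after the update, with one obvious write
# action (s3:PutObject) and one action whose verb the heuristic cannot classify.
NEW_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:describeAutoScalingGroups",
                "autoscaling:describeTrafficSources",
                "ec2:describeSnapshots",
                "ec2:describeSnapshotTierStatus",
                "ec2:getSubnetCidrReservations",
                "freetier:getFreeTierUsage",
                "s3:PutObject",
            ],
            "Resource": "*",
        },
        {"Effect": "Allow", "Action": "osis:validatePipeline", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(review_update(OLD_POLICY, NEW_POLICY), indent=2))
```

Running the script prints the added and removed actions and a `flagged` list of the added actions that need a human to confirm their access level; on the constructed samples that list is `osis:validatePipeline` and `s3:PutObject`. Pointing `review_update` at two versions of a real managed-policy JSON file (for example the base and head revisions of a file in this PR) turns the bot's per-hunk "is this read-only?" question into one deterministic report.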

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

Outside diff range and nitpick comments (1)
lib/generated/aws-managed-policies/cdk-iam-floyd.ts (1)

4482-4485: Approved with a minor note.

The new method AWSPCSServiceRolePolicy() looks good and follows the established pattern. It grants the necessary permissions to the PCS service to manage AWS resources on the user's behalf.

One minor note: The full service name for the "PCS" acronym is not clear from the provided context. Consider expanding the acronym in the comment for better clarity, if possible.

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between 8c500d7 and f7daa52.

Files selected for processing (46)
  • docs/source/_static/managed-policies/AWSCompromisedKeyQuarantineV3.json (1 hunks)
  • docs/source/_static/managed-policies/AWSConfigServiceRolePolicy.json (13 hunks)
  • docs/source/_static/managed-policies/AWSDataExchangeProviderFullAccess.json (11 hunks)
  • docs/source/_static/managed-policies/AWSDirectoryServiceDataFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AWSDirectoryServiceDataReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AWSIAMIdentityCenterAllowListForIdentityContext.json (1 hunks)
  • docs/source/_static/managed-policies/AWSPCSServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AWSReachabilityAnalyzerServiceRolePolicy.json (0 hunks)
  • docs/source/_static/managed-policies/AWSResilienceHubAsssessmentExecutionPolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AWSResourceExplorerServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AWSSSMForSAPServiceLinkedRolePolicy.json (2 hunks)
  • docs/source/_static/managed-policies/AWSServiceRoleForAmazonEKSNodegroup.json (1 hunks)
  • docs/source/_static/managed-policies/AWSSupportPlansFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AWSSupportPlansReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AWSSupportServiceRolePolicy.json (14 hunks)
  • docs/source/_static/managed-policies/AWS_ConfigRole.json (14 hunks)
  • docs/source/_static/managed-policies/AmazonBedrockReadOnly.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonCognitoUnAuthedIdentitiesSessionPolicy.json (2 hunks)
  • docs/source/_static/managed-policies/AmazonConnectServiceLinkedRolePolicy.json (4 hunks)
  • docs/source/_static/managed-policies/AmazonECS_FullAccess.json (8 hunks)
  • docs/source/_static/managed-policies/AmazonElasticFileSystemReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonGuardDutyServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonInspector2ServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonOpenSearchServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonRDSBetaServiceRolePolicy.json (0 hunks)
  • docs/source/_static/managed-policies/AmazonRDSPreviewServiceRolePolicy.json (0 hunks)
  • docs/source/_static/managed-policies/AmazonRoute53ProfilesFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonRoute53ProfilesReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonRoute53ResolverFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonRoute53ResolverReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonSageMakerCanvasDataPrepFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonSageMakerCanvasFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonSageMakerHyperPodServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonWorkSpacesThinClientFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonWorkSpacesThinClientReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedNotebookPolicy.json (2 hunks)
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedNotebookServiceRole.json (1 hunks)
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedPolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedServiceRole.json (1 hunks)
  • docs/source/_static/managed-policies/IVSReadOnlyAccess.json (2 hunks)
  • docs/source/_static/managed-policies/PowerUserAccess.json (1 hunks)
  • docs/source/_static/managed-policies/ReadOnlyAccess.json (18 hunks)
  • docs/source/_static/managed-policies/SSMQuickSetupRolePolicy.json (2 hunks)
  • docs/source/_static/managed-policies/index.json (1 hunks)
  • lib/generated/aws-managed-policies/cdk-iam-floyd.ts (5 hunks)
  • lib/generated/aws-managed-policies/iam-floyd.ts (5 hunks)
Files not reviewed due to no reviewable changes (3)
  • docs/source/_static/managed-policies/AWSReachabilityAnalyzerServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonRDSBetaServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonRDSPreviewServiceRolePolicy.json
Files skipped from review as they are similar to previous changes (37)
  • docs/source/_static/managed-policies/AWSCompromisedKeyQuarantineV3.json
  • docs/source/_static/managed-policies/AWSConfigServiceRolePolicy.json
  • docs/source/_static/managed-policies/AWSDataExchangeProviderFullAccess.json
  • docs/source/_static/managed-policies/AWSDirectoryServiceDataFullAccess.json
  • docs/source/_static/managed-policies/AWSDirectoryServiceDataReadOnlyAccess.json
  • docs/source/_static/managed-policies/AWSIAMIdentityCenterAllowListForIdentityContext.json
  • docs/source/_static/managed-policies/AWSPCSServiceRolePolicy.json
  • docs/source/_static/managed-policies/AWSResilienceHubAsssessmentExecutionPolicy.json
  • docs/source/_static/managed-policies/AWSResourceExplorerServiceRolePolicy.json
  • docs/source/_static/managed-policies/AWSSSMForSAPServiceLinkedRolePolicy.json
  • docs/source/_static/managed-policies/AWSServiceRoleForAmazonEKSNodegroup.json
  • docs/source/_static/managed-policies/AWSSupportPlansFullAccess.json
  • docs/source/_static/managed-policies/AWSSupportPlansReadOnlyAccess.json
  • docs/source/_static/managed-policies/AWSSupportServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonBedrockReadOnly.json
  • docs/source/_static/managed-policies/AmazonCognitoUnAuthedIdentitiesSessionPolicy.json
  • docs/source/_static/managed-policies/AmazonECS_FullAccess.json
  • docs/source/_static/managed-policies/AmazonElasticFileSystemReadOnlyAccess.json
  • docs/source/_static/managed-policies/AmazonGuardDutyServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonInspector2ServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonOpenSearchServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonRoute53ProfilesFullAccess.json
  • docs/source/_static/managed-policies/AmazonRoute53ProfilesReadOnlyAccess.json
  • docs/source/_static/managed-policies/AmazonRoute53ResolverFullAccess.json
  • docs/source/_static/managed-policies/AmazonRoute53ResolverReadOnlyAccess.json
  • docs/source/_static/managed-policies/AmazonSageMakerCanvasDataPrepFullAccess.json
  • docs/source/_static/managed-policies/AmazonSageMakerCanvasFullAccess.json
  • docs/source/_static/managed-policies/AmazonSageMakerHyperPodServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonWorkSpacesThinClientFullAccess.json
  • docs/source/_static/managed-policies/AmazonWorkSpacesThinClientReadOnlyAccess.json
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedNotebookServiceRole.json
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedPolicy.json
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedServiceRole.json
  • docs/source/_static/managed-policies/IVSReadOnlyAccess.json
  • docs/source/_static/managed-policies/PowerUserAccess.json
  • docs/source/_static/managed-policies/SSMQuickSetupRolePolicy.json
  • docs/source/_static/managed-policies/index.json
Additional context used
Gitleaks
lib/generated/aws-managed-policies/iam-floyd.ts

1226-1226: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

Additional comments not posted (41)
docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedNotebookPolicy.json (3)

24-37: LGTM!

The new statement allows users to tag Glue session resources that they own, as determined by the owner tag. This aligns with the principle of least privilege and helps prevent unauthorized tagging.


Line range hint 1-1: Removed action aligns with the new allow statement.

The removal of the "glue:TagResource" action from the statement with "Sid": "NotebookDenyActions", combined with the addition of the allow statement for "glue:TagResource" (reviewed earlier), indicates a policy change.

The policy now allows users to tag resources that they own, while still denying other tagging actions like untagging. This change aligns with the principle of least privilege.


106-107: Verify the impact of expanding the role pattern.

The change allows the iam:PassRole action on roles that match the AwsGlueSessionUserRestrictedNotebookServiceRole* pattern. This expands the set of roles that can be passed to the Glue service.

Please verify that this change is intended and does not allow unintended roles to be passed.

Run the following script to verify the roles that match the new pattern:

Verification successful

Verified: Role pattern expansion is present and properly scoped

The change allowing the iam:PassRole action on roles matching the AwsGlueSessionUserRestrictedNotebookServiceRole* pattern is confirmed in the policy file. This expansion coexists with the previous pattern and is limited to the AWS Glue service through a condition.

  • Both patterns are present in docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedNotebookPolicy.json
  • The iam:PassedToService condition restricts these roles to glue.amazonaws.com

This change appears to be a controlled expansion of allowed roles within the AWS Glue service context, likely accommodating new role naming conventions or additional use cases.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the roles that match the new pattern.

# Test: Search for roles that match the new pattern. Expect: Only intended roles.
# The pattern is passed as a fixed string (-F) so the trailing '*' is matched literally,
# and the file list is consumed by a loop instead of a nested sh -c with conflicting quotes.
rg --type json -l -F 'AwsGlueSessionUserRestrictedNotebookServiceRole*' | sort -u | while read -r f; do
  echo "Verifying role pattern in $f"
  grep -F 'AwsGlueSessionUserRestrictedNotebookServiceRole*' "$f"
done

Length of output: 222


Script:

#!/bin/bash

# Step 1: Find the policy file
echo "Searching for the policy file:"
fd -e json AwsGlueSessionUserRestrictedNotebookPolicy

# Step 2: Verify the existence of both old and new patterns
echo -e "\nChecking for the old and new patterns:"
rg -i "AwsGlueSessionServiceRoleUserRestrictedForNotebook" $(fd -e json AwsGlueSessionUserRestrictedNotebookPolicy)
rg -i "AwsGlueSessionUserRestrictedNotebookServiceRole" $(fd -e json AwsGlueSessionUserRestrictedNotebookPolicy)

# Step 3: Analyze the context (show 5 lines before and after)
echo -e "\nAnalyzing the context of the patterns:"
rg -i -C 5 "AwsGlueSessionServiceRoleUserRestrictedForNotebook" $(fd -e json AwsGlueSessionUserRestrictedNotebookPolicy)
rg -i -C 5 "AwsGlueSessionUserRestrictedNotebookServiceRole" $(fd -e json AwsGlueSessionUserRestrictedNotebookPolicy)

Length of output: 2106

docs/source/_static/managed-policies/AmazonConnectServiceLinkedRolePolicy.json (4)

80-87: LGTM!

The added permissions expand the capabilities related to profile management, such as listing integrations, segment definitions, and profile attribute values. It also introduces permissions for creating and retrieving segment estimates, batch-getting profiles and calculated attributes, and getting segment memberships. These changes align with the objective of enhancing the functionality for managing customer profiles within the Amazon Connect environment.


96-97: LGTM!

The added permission ListObjectTypeAttributes expands the read permissions for customer profile objects, enabling access to object type attributes. This change aligns with the overall objective of enhancing the functionality related to customer profiles.


149-163: LGTM!

The added permissions significantly expand the capabilities related to managing message templates within the wisdom service. It introduces permissions for creating, updating, retrieving, deleting, listing, and searching message templates. It also includes permissions for activating/deactivating message templates, managing message template versions and attachments, and rendering message templates. These changes indicate a focus on improving user engagement and content management within the Amazon Connect environment.


195-207: LGTM!

The new permission block "AllowCustomerProfilesSegmentationForConnectDomain" focuses on segment definition management for customer profiles. It introduces permissions for creating, retrieving, and deleting segment definitions, as well as creating and retrieving segment snapshots. These changes suggest an enhancement in the segmentation capabilities for customer profiles, allowing for more tailored and effective customer interactions.

docs/source/_static/managed-policies/AWS_ConfigRole.json (15)

32-43: LGTM!

The added permissions for Amazon OpenSearch Service (AOSS) enhance the AWS Config Role's capabilities to manage AOSS resources effectively. The included actions, such as BatchGetCollection, ListCollections, GetAccessPolicy, etc., allow retrieving details and listing AOSS collections, endpoints, policies, and more. These permissions align with the overall objective of expanding the role's capabilities across various AWS services.


89-89: LGTM!

The added permission DescribeAppBlockBuilders for AWS AppStream service enhances the AWS Config Role's capability to retrieve details about AppStream resources. This aligns with the overall objective of expanding the role's capabilities across various AWS services.


136-137: LGTM!

The added permissions GetRestoreTestingPlan and GetRestoreTestingSelection for AWS Backup service enhance the AWS Config Role's capability to retrieve details about AWS Backup restore testing plans and selections. These permissions align with the overall objective of expanding the role's capabilities across various AWS services.


144-145: LGTM!

The added permissions ListRestoreTestingPlans and ListRestoreTestingSelections for AWS Backup service enhance the AWS Config Role's capability to list AWS Backup restore testing plans and selections. These permissions align with the overall objective of expanding the role's capabilities across various AWS services.


185-189: LGTM!

The added permissions GetChannel and ListChannels for AWS CloudTrail service enhance the AWS Config Role's capability to retrieve details and list AWS CloudTrail channels. These permissions align with the overall objective of expanding the role's capabilities across various AWS services.


354-354: LGTM!

The added permission DescribeVpcEndpoints for Amazon EC2 service enhances the AWS Config Role's capability to retrieve details about VPC endpoints in EC2. This aligns with the overall objective of expanding the role's capabilities across various AWS services.


568-574: LGTM!

The added permissions GetTrigger and ListTriggers for AWS Glue service enhance the AWS Config Role's capability to retrieve details and list AWS Glue triggers. These permissions align with the overall objective of expanding the role's capabilities across various AWS services.


Line range hint 659-669: LGTM!

The added permissions GetLifecyclePolicy and ListLifecyclePolicies for AWS Image Builder service enhance the AWS Config Role's capability to retrieve details and list AWS Image Builder lifecycle policies. These permissions align with the overall objective of expanding the role's capabilities across various AWS services.


Line range hint 676-693: LGTM!

The added permissions for AWS IoT service, such as DescribeBillingGroup, ListBillingGroups, etc., enhance the AWS Config Role's capability to retrieve details and list various AWS IoT resources like billing groups. These permissions align with the overall objective of expanding the role's capabilities across various AWS services.


769-782: LGTM!

The added permissions for Amazon Interactive Video Service (IVS), such as GetEncoderConfiguration, ListEncoderConfigurations, GetPlaybackRestrictionPolicy, ListPlaybackRestrictionPolicies, GetStage, ListStages, GetStorageConfiguration, ListStorageConfigurations, enhance the AWS Config Role's capability to retrieve details and list various Amazon IVS resources like encoder configurations, playback restriction policies, stages, and storage configurations. These permissions align with the overall objective of expanding the role's capabilities across various AWS services.


905-910: LGTM!

The added permissions for AWS MediaConnect service, such as DescribeBridge, DescribeGateway, ListBridges, ListGateways, enhance the AWS Config Role's capability to retrieve details and list AWS MediaConnect resources like bridges and gateways. These permissions align with the overall objective of expanding the role's capabilities across various AWS services.


917-926: LGTM!

The added permissions for AWS MediaTailor service, such as DescribeChannel, DescribeLiveSource, DescribeSourceLocation, DescribeVodSource, ListChannels, ListLiveSources, ListSourceLocations, ListVodSources, enhance the AWS Config Role's capability to retrieve details and list AWS MediaTailor resources like channels, live sources, source locations, and VOD sources. These permissions align with the overall objective of expanding the role's capabilities across various AWS services.


970-971: LGTM!

The added permissions GetWorkflow and ListWorkflows for Amazon Omics service enhance the AWS Config Role's capability to retrieve details and list Amazon Omics workflows. These permissions align with the overall objective of expanding the role's capabilities across various AWS services.


1256-1257: LGTM!

The added permissions GetSchedule and ListSchedules for AWS Scheduler service enhance the AWS Config Role's capability to retrieve details and list AWS Scheduler schedules. These permissions align with the overall objective of expanding the role's capabilities across various AWS services.


1308-1308: LGTM!

The added permission ListTagsForResource for AWS Systems Manager SAP service enhances the AWS Config Role's capability to list tags for AWS Systems Manager SAP resources. This aligns with the overall objective of expanding the role's capabilities across various AWS services.

docs/source/_static/managed-policies/ReadOnlyAccess.json (14)

111-111: LGTM!

The application-signals:ListServices permission is a read-only operation that aligns with the read-only access intent of the policy.


Line range hint 225-242: LGTM!

The bedrock:GetGuardrail and bedrock:ListGuardrails permissions are read-only operations that align with the read-only access intent of the policy.


275-275: LGTM!

The budgets:ListTagsForResource permission is a read-only operation that aligns with the read-only access intent of the policy.


318-328: LGTM!

The cleanrooms-ml permissions like GetAudienceGenerationJob, GetAudienceModel, ListAudienceModels, etc. are all read-only operations that align with the read-only access intent of the policy.


906-906: LGTM!

The glue:GetTables permission is a read-only operation that aligns with the read-only access intent of the policy.


Line range hint 1096-1138: LGTM!

The iotwireless:GetMetrics and iotwireless:ListTagsForResource permissions are read-only operations that align with the read-only access intent of the policy.


1143-1157: LGTM!

The ivs permissions like GetStage, GetStageSession, ListParticipants, ListStreams are all read-only operations that align with the read-only access intent of the policy.


1279-1284: LGTM!

The lex:ListBotAliasReplicas and lex:ListBotVersionReplicas permissions are read-only operations that align with the read-only access intent of the policy.


1695-1699: LGTM!

The pca-connector-scep permissions like GetChallengeMetadata, GetConnector, ListChallengeMetadata, ListConnectors are all read-only operations that align with the read-only access intent of the policy.


Line range hint 1842-1857: LGTM!

The resiliencehub:DescribeResourceGroupingRecommendationTask and resiliencehub:ListResourceGroupingRecommendations permissions are read-only operations that align with the read-only access intent of the policy.


1922-1938: LGTM!

The s3-outposts permissions like GetBucketVersioning, GetObject, GetObjectTagging, GetReplicationConfiguration, ListBucket, ListMultipartUploadParts, etc. are all read-only operations that align with the read-only access intent of the policy.


2072-2082: LGTM!

The ssm-sap permissions like GetApplication, GetComponent, GetDatabase, ListApplications, ListComponents, ListDatabases, etc. are all read-only operations that align with the read-only access intent of the policy.


2165-2172: LGTM!

The trustedadvisor permissions like GetOrganizationRecommendation, GetRecommendation, ListChecks, ListOrganizationRecommendations, ListRecommendations, etc. are all read-only operations that align with the read-only access intent of the policy.


2173-2175: LGTM!

The user-subscriptions permissions ListApplicationClaims, ListClaims, and ListUserSubscriptions are all read-only operations that align with the read-only access intent of the policy.

lib/generated/aws-managed-policies/iam-floyd.ts (2)

761-762: LGTM!

The new AmazonSageMakerHyperPodServiceRolePolicy property is added correctly with a clear comment describing its purpose. The naming follows the existing convention.


1225-1226: Code looks good, but please ignore the static analysis hint.

The new AWSCompromisedKeyQuarantineV3 property is added correctly with a clear comment explaining its purpose to limit damage when IAM user credentials are compromised.

Note that the static analysis hint from Gitleaks flagging this as a "Generic API Key" is a false positive. This policy name just happens to contain the word "Key" but it is not actually exposing any sensitive keys. So this hint can be safely ignored.

Tools
Gitleaks

1226-1226: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

lib/generated/aws-managed-policies/cdk-iam-floyd.ts (3)

1907-1910: LGTM!

The new method AmazonSageMakerHyperPodServiceRolePolicy() looks good. It provides access to the AWS managed policy for Amazon SageMaker HyperPod service role, following the same pattern as other methods in the class.


3067-3070: Looks good!

The new method AWSCompromisedKeyQuarantineV3() provides access to the AWS managed policy that is applied in case of compromised IAM user credentials. The comment provides clear instructions to users.


Line range hint 5287-5290: Looks good to me!

The new method AmazonWorkSpacesThinClientFullAccess() is implemented correctly. It provides full access to Amazon WorkSpaces Thin Client and limited access to the necessary related services, as indicated in the comment. The code follows the established structure of the AwsManagedPolicy class.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

Outside diff range and nitpick comments (1)
docs/source/_static/managed-policies/AWSSupportServiceRolePolicy.json (1)

Line range hint 56-64: Remove permission to delete the AWS Support service role.

Granting the AWS Support service role permission to delete itself via iam:DeleteRole is not recommended. This permission seems unnecessary and violates least privilege.

Consider removing this entire statement block to prevent unintended deletion of the AWS Support service role.

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between f7daa52 and 97e2eaa.

Files ignored due to path filters (2)
  • lib/generated/aws-managed-policies/cdk-iam-floyd.ts is excluded by !**/generated/**
  • lib/generated/aws-managed-policies/iam-floyd.ts is excluded by !**/generated/**
Files selected for processing (44)
  • docs/source/_static/managed-policies/AWSCompromisedKeyQuarantineV3.json (1 hunks)
  • docs/source/_static/managed-policies/AWSConfigServiceRolePolicy.json (13 hunks)
  • docs/source/_static/managed-policies/AWSDataExchangeProviderFullAccess.json (11 hunks)
  • docs/source/_static/managed-policies/AWSDirectoryServiceDataFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AWSDirectoryServiceDataReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AWSIAMIdentityCenterAllowListForIdentityContext.json (1 hunks)
  • docs/source/_static/managed-policies/AWSPCSServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AWSReachabilityAnalyzerServiceRolePolicy.json (0 hunks)
  • docs/source/_static/managed-policies/AWSResilienceHubAsssessmentExecutionPolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AWSResourceExplorerServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AWSSSMForSAPServiceLinkedRolePolicy.json (2 hunks)
  • docs/source/_static/managed-policies/AWSServiceRoleForAmazonEKSNodegroup.json (1 hunks)
  • docs/source/_static/managed-policies/AWSSupportPlansFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AWSSupportPlansReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AWSSupportServiceRolePolicy.json (14 hunks)
  • docs/source/_static/managed-policies/AWS_ConfigRole.json (14 hunks)
  • docs/source/_static/managed-policies/AmazonBedrockReadOnly.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonCognitoUnAuthedIdentitiesSessionPolicy.json (2 hunks)
  • docs/source/_static/managed-policies/AmazonConnectServiceLinkedRolePolicy.json (4 hunks)
  • docs/source/_static/managed-policies/AmazonECS_FullAccess.json (8 hunks)
  • docs/source/_static/managed-policies/AmazonElasticFileSystemReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonGuardDutyServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonInspector2ServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonOpenSearchServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonRDSBetaServiceRolePolicy.json (0 hunks)
  • docs/source/_static/managed-policies/AmazonRDSPreviewServiceRolePolicy.json (0 hunks)
  • docs/source/_static/managed-policies/AmazonRoute53ProfilesFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonRoute53ProfilesReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonRoute53ResolverFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonRoute53ResolverReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonSageMakerCanvasDataPrepFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonSageMakerCanvasFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonSageMakerHyperPodServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonWorkSpacesThinClientFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonWorkSpacesThinClientReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedNotebookPolicy.json (2 hunks)
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedNotebookServiceRole.json (1 hunks)
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedPolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedServiceRole.json (1 hunks)
  • docs/source/_static/managed-policies/IVSReadOnlyAccess.json (2 hunks)
  • docs/source/_static/managed-policies/PowerUserAccess.json (1 hunks)
  • docs/source/_static/managed-policies/ReadOnlyAccess.json (18 hunks)
  • docs/source/_static/managed-policies/SSMQuickSetupRolePolicy.json (2 hunks)
  • docs/source/_static/managed-policies/index.json (1 hunks)
Files not reviewed due to no reviewable changes (3)
  • docs/source/_static/managed-policies/AWSReachabilityAnalyzerServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonRDSBetaServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonRDSPreviewServiceRolePolicy.json
Files skipped from review due to trivial changes (1)
  • docs/source/_static/managed-policies/AmazonRoute53ResolverReadOnlyAccess.json
Files skipped from review as they are similar to previous changes (36)
  • docs/source/_static/managed-policies/AWSCompromisedKeyQuarantineV3.json
  • docs/source/_static/managed-policies/AWSConfigServiceRolePolicy.json
  • docs/source/_static/managed-policies/AWSDataExchangeProviderFullAccess.json
  • docs/source/_static/managed-policies/AWSDirectoryServiceDataFullAccess.json
  • docs/source/_static/managed-policies/AWSDirectoryServiceDataReadOnlyAccess.json
  • docs/source/_static/managed-policies/AWSIAMIdentityCenterAllowListForIdentityContext.json
  • docs/source/_static/managed-policies/AWSPCSServiceRolePolicy.json
  • docs/source/_static/managed-policies/AWSResilienceHubAsssessmentExecutionPolicy.json
  • docs/source/_static/managed-policies/AWSResourceExplorerServiceRolePolicy.json
  • docs/source/_static/managed-policies/AWSSSMForSAPServiceLinkedRolePolicy.json
  • docs/source/_static/managed-policies/AWSServiceRoleForAmazonEKSNodegroup.json
  • docs/source/_static/managed-policies/AWSSupportPlansFullAccess.json
  • docs/source/_static/managed-policies/AWSSupportPlansReadOnlyAccess.json
  • docs/source/_static/managed-policies/AmazonBedrockReadOnly.json
  • docs/source/_static/managed-policies/AmazonCognitoUnAuthedIdentitiesSessionPolicy.json
  • docs/source/_static/managed-policies/AmazonECS_FullAccess.json
  • docs/source/_static/managed-policies/AmazonElasticFileSystemReadOnlyAccess.json
  • docs/source/_static/managed-policies/AmazonGuardDutyServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonInspector2ServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonOpenSearchServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonRoute53ProfilesFullAccess.json
  • docs/source/_static/managed-policies/AmazonRoute53ProfilesReadOnlyAccess.json
  • docs/source/_static/managed-policies/AmazonRoute53ResolverFullAccess.json
  • docs/source/_static/managed-policies/AmazonSageMakerCanvasDataPrepFullAccess.json
  • docs/source/_static/managed-policies/AmazonSageMakerCanvasFullAccess.json
  • docs/source/_static/managed-policies/AmazonSageMakerHyperPodServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonWorkSpacesThinClientFullAccess.json
  • docs/source/_static/managed-policies/AmazonWorkSpacesThinClientReadOnlyAccess.json
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedNotebookPolicy.json
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedNotebookServiceRole.json
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedPolicy.json
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedServiceRole.json
  • docs/source/_static/managed-policies/IVSReadOnlyAccess.json
  • docs/source/_static/managed-policies/PowerUserAccess.json
  • docs/source/_static/managed-policies/SSMQuickSetupRolePolicy.json
  • docs/source/_static/managed-policies/index.json
Additional comments not posted (33)
docs/source/_static/managed-policies/AmazonConnectServiceLinkedRolePolicy.json (4)

80-87: LGTM!

The added permissions enhance the capabilities of Amazon Connect to manage and analyze customer profiles effectively. The ability to list segment definitions, retrieve profile attribute values, create segment estimates, and perform batch operations on profiles can improve targeted customer engagement, personalization, and efficiency when dealing with large volumes of customer data.


96-97: Looks good!

The added permission to list attributes of profile object types aligns with the read-only nature of the "AllowReadPermissionForCustomerProfileObjects" statement. This permission can provide valuable insights into the structure and properties of customer profile objects, which can be useful for data modeling, reporting, and integration with other systems.


149-163: Excellent additions!

The added permissions significantly expand the capabilities of Amazon Connect to manage message templates within the Wisdom service. These permissions enable creating, updating, deleting, listing, searching, activating, deactivating, versioning, and managing attachments for message templates.

The ability to customize message templates can greatly enhance customer engagement by providing personalized and relevant communication. The versioning and attachment management features ensure flexibility and control over the content and lifecycle of message templates.

These additions empower Amazon Connect to leverage the Wisdom service effectively for managing message templates and delivering improved customer experiences.


195-207: Great addition!

The introduction of the "AllowCustomerProfilesSegmentationForConnectDomain" statement significantly enhances the segmentation capabilities of Amazon Connect. The permissions to create, retrieve, and delete segment definitions, as well as create and retrieve segment snapshots, provide powerful tools for targeted customer engagement and analysis.

Segment definitions enable grouping customer profiles based on specific criteria, allowing for personalized interactions and tailored marketing strategies. Segment snapshots capture the state of a segment at a particular point in time, facilitating historical analysis and tracking of segment evolution.

The ability to manage segment definitions and snapshots gives flexibility in utilizing customer segments effectively and deriving valuable insights for business decision-making.

This addition complements the existing permissions in the "AllowCustomerProfilesForConnectDomain" statement, making Amazon Connect a more comprehensive solution for customer profile management and segmentation.

docs/source/_static/managed-policies/AWS_ConfigRole.json (15)

32-43: LGTM!

The added permissions for Amazon OpenSearch Service (AOSS) enhance the AWS Config role's capabilities to manage AOSS resources. The included actions like BatchGetCollection, ListCollections, GetAccessPolicy, etc., allow retrieving details about AOSS collections, endpoints, policies, and more. These changes align with the PR objective of updating the AWS managed policies.


89-89: LGTM!

The added permission DescribeAppBlockBuilders for AWS AppStream service enhances the AWS Config role's capability to manage AppStream resources by allowing it to describe AppBlock builders. This change aligns with the PR objective.


136-137: LGTM!

The added permissions GetRestoreTestingPlan and GetRestoreTestingSelection for AWS Backup service enhance the AWS Config role's capability to manage AWS Backup resources by allowing it to retrieve details about restore testing plans and selections. These changes align with the PR objective.


144-145: LGTM!

The added permissions ListRestoreTestingPlans and ListRestoreTestingSelections for AWS Backup service enhance the AWS Config role's capability to manage AWS Backup resources by allowing it to list restore testing plans and selections. These changes align with the PR objective.


185-189: LGTM!

The added permissions GetChannel and ListChannels for AWS CloudTrail service enhance the AWS Config role's capability to manage CloudTrail resources by allowing it to retrieve details and list channels. These changes align with the PR objective.


354-354: LGTM!

The added permission DescribeVpcEndpoints for Amazon EC2 service enhances the AWS Config role's capability to manage EC2 resources by allowing it to describe VPC endpoints. This change aligns with the PR objective.


568-574: LGTM!

The added permissions GetTrigger and ListTriggers for AWS Glue service enhance the AWS Config role's capability to manage Glue resources by allowing it to retrieve details and list triggers. These changes align with the PR objective.


Line range hint 659-669: LGTM!

The added permissions GetLifecyclePolicy and ListLifecyclePolicies for Amazon EC2 Image Builder service enhance the AWS Config role's capability to manage Image Builder resources by allowing it to retrieve details and list lifecycle policies. These changes align with the PR objective.


Line range hint 676-693: LGTM!

The added permissions DescribeBillingGroup and ListBillingGroups for AWS IoT service enhance the AWS Config role's capability to manage IoT resources by allowing it to describe and list billing groups. These changes align with the PR objective.


769-782: LGTM!

The added permissions for Amazon Interactive Video Service (IVS) enhance the AWS Config role's capabilities to manage IVS resources. The included actions like GetEncoderConfiguration, GetPlaybackRestrictionPolicy, GetStage, GetStorageConfiguration, ListEncoderConfigurations, ListPlaybackRestrictionPolicies, ListStages, ListStorageConfigurations allow retrieving details and listing IVS encoder configurations, playback restriction policies, stages, storage configurations, and more. These changes align with the PR objective of updating the AWS managed policies.


905-910: LGTM!

The added permissions DescribeBridge, DescribeGateway, ListBridges, ListGateways for AWS Elemental MediaConnect service enhance the AWS Config role's capability to manage MediaConnect resources by allowing it to describe and list bridges and gateways. These changes align with the PR objective.


917-926: LGTM!

The added permissions for AWS Elemental MediaTailor service enhance the AWS Config role's capabilities to manage MediaTailor resources. The included actions like DescribeChannel, DescribeLiveSource, DescribeSourceLocation, DescribeVodSource, ListChannels, ListLiveSources, ListSourceLocations, ListVodSources allow retrieving details and listing MediaTailor channels, live sources, source locations, VOD sources, and more. These changes align with the PR objective of updating the AWS managed policies.


970-971: LGTM!

The added permissions GetWorkflow and ListWorkflows for Amazon Omics service enhance the AWS Config role's capability to manage Omics resources by allowing it to retrieve details and list workflows. These changes align with the PR objective.


1256-1257: LGTM!

The added permissions GetSchedule and ListSchedules for AWS Scheduler service enhance the AWS Config role's capability to manage Scheduler resources by allowing it to retrieve details and list schedules. These changes align with the PR objective.


1308-1308: LGTM!

The added permission ListTagsForResource for AWS Systems Manager for SAP service enhances the AWS Config role's capability to manage Systems Manager for SAP resources by allowing it to list tags. This change aligns with the PR objective.

docs/source/_static/managed-policies/ReadOnlyAccess.json (11)

111-111: Looks good!

The added ListServices permission for application-signals is safe as it only allows listing services and doesn't grant access to sensitive data.


225-225: Looks good!

The added GetGuardrail and ListGuardrails permissions for bedrock are safe as they only allow read access to guardrails and don't grant permissions to modify any resources.

Also applies to: 242-242


275-275: Looks good!

The added ListTagsForResource permission for budgets is safe as it only allows listing tags for budget resources and doesn't grant access to sensitive budget data.


318-328: Looks good!

The added permissions for the cleanrooms-ml service are safe as they only allow read access to various resources like audience models, training datasets, generation jobs, etc. They don't grant permissions to modify any resources or access sensitive data.


1143-1144: Looks good!

The added GetStage, GetStageSession, ListParticipants, and ListStreams permissions for the ivs service are safe as they only allow read access to stages, stage sessions, participants, and streams. They don't grant permissions to modify any resources.

Also applies to: 1150-1157


1096-1096: Looks good!

The added GetMetrics permission for iotwireless is safe as it only allows retrieving metrics and doesn't grant access to sensitive data or the ability to modify resources.


1922-1938: Looks good!

The added permissions for the s3-outposts service are safe as they only allow read access to various resources like buckets, objects, endpoints, etc. They don't grant permissions to modify any resources or access sensitive data.


2072-2082: Looks good!

The added permissions for the ssm-sap service are safe as they only allow read access to various resources like applications, components, databases, operations, etc. They don't grant permissions to modify any resources or access sensitive data.


2165-2172: Looks good!

The added permissions for the trustedadvisor service are safe as they only allow read access to recommendations, checks, and resources. They don't grant permissions to modify any resources or access sensitive data.


2173-2175: Looks good!

The added permissions for the user-subscriptions service are safe as they only allow listing application claims, claims, and user subscriptions. They don't grant permissions to modify any resources or access sensitive data.


Line range hint 1-2175: Overall assessment: Changes look good!

The additions made in this file are safe and do not introduce any security risks. All the added permissions are read-only and only allow listing and retrieving details of resources across various AWS services. There are no permissions that allow modifying resources or accessing sensitive data.

The changes enhance the functionality of the ReadOnlyAccess policy by providing read access to additional services and resources, without granting any unintended permissions.

docs/source/_static/managed-policies/AWSSupportServiceRolePolicy.json (3)

Line range hint 3-55: Approve read-only access to API Gateway resources.

The statement grants least privilege read-only access using apigateway:GET actions on a comprehensive set of API Gateway resource ARNs. This is appropriate for the AWS Support service role.


87-88: Approve new read-only Account service actions.

The new account:getRegionOptStatus and account:listRegions actions provide read-only access to retrieve region information. This aligns with the overall read-only access pattern granted to the AWS Support service role in this policy.


Line range hint 65-3374: Large number of read-only permissions for AWS Support.

This statement grants a substantial number of read-only permissions across a wide range of AWS services. While the individual permissions have been carefully scoped, it's worth noting the broad access this policy provides.

However, this level of access is necessary and appropriate for the AWS Support service role to effectively troubleshoot and resolve issues across AWS services on behalf of customers. The read-only nature of the permissions mitigates the risk of unintended changes.

@udondan udondan force-pushed the update-aws-managed-policies branch 4 times, most recently from 754ceb3 to 51a5d10 on September 27, 2024 01:32

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Outside diff range and nitpick comments (1)
docs/source/_static/managed-policies/QAppsServiceRolePolicy.json (1)

1-2: Consider adding a description to the policy

While the policy name and Statement ID are clear and descriptive, it would be beneficial to add a Description field to the policy. This can provide more context about the purpose and usage of this service role policy.

Consider adding a description like this:

 {
   "Version": "2012-10-17",
+  "Description": "Allows QApps service to publish metrics to CloudWatch in the AWS/QApps namespace",
   "Statement": [
     // ... rest of the policy ...
   ]
 }
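
Review bot: `"Description"` is not a valid top-level element of an IAM policy document (the grammar allows only `Version`, `Id` and `Statement`), so the added `+  "Description": ...` line would make this JSON fail policy validation; a managed policy's description lives on the policy resource, not inside the document. The `// ... rest of the policy ...` placeholder is likewise not valid JSON, so this suggestion must not be applied to the file as written.
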
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 754ceb3 and 51a5d10.

⛔ Files ignored due to path filters (2)
  • lib/generated/aws-managed-policies/cdk-iam-floyd.ts is excluded by !**/generated/**
  • lib/generated/aws-managed-policies/iam-floyd.ts is excluded by !**/generated/**
📒 Files selected for processing (52)
  • docs/source/_static/managed-policies/AWSAuditManagerServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AWSBackupFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AWSCompromisedKeyQuarantineV3.json (1 hunks)
  • docs/source/_static/managed-policies/AWSConfigServiceRolePolicy.json (13 hunks)
  • docs/source/_static/managed-policies/AWSDataExchangeProviderFullAccess.json (11 hunks)
  • docs/source/_static/managed-policies/AWSDirectoryServiceDataFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AWSDirectoryServiceDataReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AWSIAMIdentityCenterAllowListForIdentityContext.json (1 hunks)
  • docs/source/_static/managed-policies/AWSPCSServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AWSReachabilityAnalyzerServiceRolePolicy.json (0 hunks)
  • docs/source/_static/managed-policies/AWSResilienceHubAsssessmentExecutionPolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AWSResourceExplorerServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AWSSSMForSAPServiceLinkedRolePolicy.json (2 hunks)
  • docs/source/_static/managed-policies/AWSSSOMasterAccountAdministrator.json (1 hunks)
  • docs/source/_static/managed-policies/AWSServiceRoleForAmazonEKSNodegroup.json (1 hunks)
  • docs/source/_static/managed-policies/AWSSupportPlansFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AWSSupportPlansReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AWSSupportServiceRolePolicy.json (14 hunks)
  • docs/source/_static/managed-policies/AWS_ConfigRole.json (14 hunks)
  • docs/source/_static/managed-policies/AmazonBedrockReadOnly.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonCognitoUnAuthedIdentitiesSessionPolicy.json (2 hunks)
  • docs/source/_static/managed-policies/AmazonConnectServiceLinkedRolePolicy.json (4 hunks)
  • docs/source/_static/managed-policies/AmazonConnectSynchronizationServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonEC2RolePolicyForLaunchWizard.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonECS_FullAccess.json (8 hunks)
  • docs/source/_static/managed-policies/AmazonElasticFileSystemReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonGuardDutyServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonInspector2ServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonOpenSearchServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonRDSBetaServiceRolePolicy.json (0 hunks)
  • docs/source/_static/managed-policies/AmazonRDSPreviewServiceRolePolicy.json (0 hunks)
  • docs/source/_static/managed-policies/AmazonRoute53ProfilesFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonRoute53ProfilesReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonRoute53ResolverFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonRoute53ResolverReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonSNSFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonSNSReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonSageMakerCanvasDataPrepFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonSageMakerCanvasFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonSageMakerHyperPodServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonWorkSpacesThinClientFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonWorkSpacesThinClientReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedNotebookPolicy.json (2 hunks)
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedNotebookServiceRole.json (1 hunks)
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedPolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedServiceRole.json (1 hunks)
  • docs/source/_static/managed-policies/IVSReadOnlyAccess.json (2 hunks)
  • docs/source/_static/managed-policies/PowerUserAccess.json (1 hunks)
  • docs/source/_static/managed-policies/QAppsServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/ReadOnlyAccess.json (18 hunks)
  • docs/source/_static/managed-policies/SSMQuickSetupRolePolicy.json (2 hunks)
  • docs/source/_static/managed-policies/index.json (1 hunks)
💤 Files not reviewed due to no reviewable changes (3)
  • docs/source/_static/managed-policies/AWSReachabilityAnalyzerServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonRDSBetaServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonRDSPreviewServiceRolePolicy.json
🚧 Files skipped from review as they are similar to previous changes (45)
  • docs/source/_static/managed-policies/AWSAuditManagerServiceRolePolicy.json
  • docs/source/_static/managed-policies/AWSCompromisedKeyQuarantineV3.json
  • docs/source/_static/managed-policies/AWSConfigServiceRolePolicy.json
  • docs/source/_static/managed-policies/AWSDataExchangeProviderFullAccess.json
  • docs/source/_static/managed-policies/AWSDirectoryServiceDataFullAccess.json
  • docs/source/_static/managed-policies/AWSDirectoryServiceDataReadOnlyAccess.json
  • docs/source/_static/managed-policies/AWSIAMIdentityCenterAllowListForIdentityContext.json
  • docs/source/_static/managed-policies/AWSPCSServiceRolePolicy.json
  • docs/source/_static/managed-policies/AWSResilienceHubAsssessmentExecutionPolicy.json
  • docs/source/_static/managed-policies/AWSResourceExplorerServiceRolePolicy.json
  • docs/source/_static/managed-policies/AWSSSMForSAPServiceLinkedRolePolicy.json
  • docs/source/_static/managed-policies/AWSServiceRoleForAmazonEKSNodegroup.json
  • docs/source/_static/managed-policies/AWSSupportPlansFullAccess.json
  • docs/source/_static/managed-policies/AWSSupportPlansReadOnlyAccess.json
  • docs/source/_static/managed-policies/AWSSupportServiceRolePolicy.json
  • docs/source/_static/managed-policies/AWS_ConfigRole.json
  • docs/source/_static/managed-policies/AmazonBedrockReadOnly.json
  • docs/source/_static/managed-policies/AmazonCognitoUnAuthedIdentitiesSessionPolicy.json
  • docs/source/_static/managed-policies/AmazonConnectSynchronizationServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonEC2RolePolicyForLaunchWizard.json
  • docs/source/_static/managed-policies/AmazonECS_FullAccess.json
  • docs/source/_static/managed-policies/AmazonElasticFileSystemReadOnlyAccess.json
  • docs/source/_static/managed-policies/AmazonGuardDutyServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonInspector2ServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonOpenSearchServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonRoute53ProfilesFullAccess.json
  • docs/source/_static/managed-policies/AmazonRoute53ProfilesReadOnlyAccess.json
  • docs/source/_static/managed-policies/AmazonRoute53ResolverFullAccess.json
  • docs/source/_static/managed-policies/AmazonRoute53ResolverReadOnlyAccess.json
  • docs/source/_static/managed-policies/AmazonSNSFullAccess.json
  • docs/source/_static/managed-policies/AmazonSNSReadOnlyAccess.json
  • docs/source/_static/managed-policies/AmazonSageMakerCanvasDataPrepFullAccess.json
  • docs/source/_static/managed-policies/AmazonSageMakerCanvasFullAccess.json
  • docs/source/_static/managed-policies/AmazonSageMakerHyperPodServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonWorkSpacesThinClientFullAccess.json
  • docs/source/_static/managed-policies/AmazonWorkSpacesThinClientReadOnlyAccess.json
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedNotebookPolicy.json
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedNotebookServiceRole.json
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedPolicy.json
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedServiceRole.json
  • docs/source/_static/managed-policies/IVSReadOnlyAccess.json
  • docs/source/_static/managed-policies/PowerUserAccess.json
  • docs/source/_static/managed-policies/ReadOnlyAccess.json
  • docs/source/_static/managed-policies/SSMQuickSetupRolePolicy.json
  • docs/source/_static/managed-policies/index.json
🔇 Additional comments (9)
docs/source/_static/managed-policies/QAppsServiceRolePolicy.json (3)

1-18: LGTM: Policy structure follows AWS best practices

The overall structure of the QAppsServiceRolePolicy is correct and adheres to AWS IAM policy best practices. It includes the required "Version" field and a "Statement" array.


7-10: Verify if the resource scope can be more specific

The policy allows the cloudwatch:PutMetricData action on all resources ("Resource": "*"). While this might be necessary for the QApps service role, it's generally a good practice to limit the scope of permissions when possible.

Could you verify if it's possible to restrict the Resource field to specific CloudWatch resources or if "*" is indeed required for the QApps service to function correctly?


11-15: LGTM: Appropriate use of condition to restrict namespace

The policy includes a condition that restricts the cloudwatch:PutMetricData action to the "AWS/QApps" namespace. This is a good security practice as it limits the scope of the permission to only the relevant CloudWatch metrics for the QApps service.

docs/source/_static/managed-policies/AWSSSOMasterAccountAdministrator.json (1)

69-78: Review the scope of the new DeleteSyncProfile permission

The addition of the "AllowDeleteSyncProfile" statement grants permission to delete sync profiles in the AWS Identity Sync service. This aligns with the policy's existing broad permissions for SSO and identity store management. However, consider the following points:

  1. The permission uses a wildcard resource ARN (arn:aws:identity-sync:*:*:profile/*), allowing deletion of any sync profile in any region and account. Consider if a more restrictive ARN would be appropriate for your use case.

  2. Deleting sync profiles is a powerful action. Ensure that this permission is necessary for the role(s) to which this policy will be attached.

  3. If possible, implement additional safeguards or conditions to restrict when this action can be performed.

To ensure this change doesn't introduce unintended consequences, please run the following command to check for any existing sync profiles that might be affected:

Review the output to confirm that granting delete permissions on all sync profiles aligns with your security requirements.

docs/source/_static/managed-policies/AmazonConnectServiceLinkedRolePolicy.json (4)

80-87: LGTM: Enhanced Customer Profiles capabilities for Amazon Connect

The new permissions added to the "AllowCustomerProfilesForConnectDomain" statement expand Amazon Connect's capabilities for customer segmentation and profile management. These additions allow for:

  1. Listing segment definitions and profile attribute values
  2. Creating and retrieving segment estimates
  3. Batch operations on profiles and calculated attributes
  4. Retrieving segment membership information

These changes are well-scoped to the Connect domain, adhering to the principle of least privilege.


96-97: LGTM: Extended read permissions for Customer Profile object types

The additions to the "AllowReadPermissionForCustomerProfileObjects" statement enhance the ability to retrieve information about profile object types:

  1. "profile:GetProfileObjectType" allows fetching details of a specific object type.
  2. "profile:ListObjectTypeAttributes" enables listing attributes of object types.

These read-only permissions are correctly scoped and complement the existing ListProfileObjects action, providing more comprehensive access to profile object type information.


Line range hint 1-265: Summary: Comprehensive enhancement of Amazon Connect capabilities

This update to the AmazonConnectServiceLinkedRolePolicy significantly expands the capabilities of Amazon Connect, particularly in the areas of Customer Profiles and Wisdom services. Key improvements include:

  1. Advanced customer segmentation and profile management
  2. Enhanced access to profile object type information
  3. Comprehensive message template management in Wisdom
  4. New customer segmentation features

These changes are well-scoped and maintain proper access control, adhering to the principle of least privilege. They represent a substantial improvement in Amazon Connect's ability to manage and utilize customer data effectively.

To ensure a smooth rollout of these new features:

  1. Verify that corresponding code changes have been implemented to utilize these new permissions.
  2. Update user documentation to reflect these new capabilities.
  3. Consider creating or updating user guides for these new segmentation and message template features.
  4. Ensure that any dependent services or integrations are aware of these new capabilities.

195-208: LGTM: New permissions for Customer Profiles segmentation

A new statement "AllowCustomerProfilesSegmentationForConnectDomain" has been added to the policy, granting permissions for customer segmentation operations:

  1. Creating, retrieving, and deleting segment definitions
  2. Creating and retrieving segment snapshots

These permissions are correctly scoped to the Connect domain's segment definitions, maintaining the principle of least privilege. This addition complements the earlier changes to Customer Profiles permissions, providing a comprehensive set of segmentation capabilities for Amazon Connect.

To ensure these new segmentation features are properly implemented and documented:

#!/bin/bash
# Check for related changes in the codebase and documentation

# Search for new segmentation-related function implementations
grep -R -i "segment.*definition\|segment.*snapshot" src/

# Check if the README or documentation has been updated to reflect these new segmentation features
grep -R -i "customer.*profile.*segment" README.md docs/

If the script doesn't find any relevant code changes or documentation updates, consider reviewing the implementation of these new segmentation features and updating the project documentation accordingly.

docs/source/_static/managed-policies/AWSBackupFullAccess.json (1)

156-163: LGTM: New Storage Gateway permission enhances volume management capabilities

The addition of the "StorageGatewayGatewayStarPermissions" statement is appropriate and aligns with the policy's purpose. This new permission allows the storagegateway:ListVolumes action on all resources, which enhances the policy's capability to manage Storage Gateway volumes without resource-specific limitations.

This change complements the existing Storage Gateway permissions in the policy, particularly:

  1. "StorageGatewayVolumePermissions" (which allows describing cached and stored iSCSI volumes on specific gateways)
  2. "StorageGatewayPermissions" (which allows listing gateways)
  3. "StorageGatewayGatewayPermissions" (which allows describing gateway information and listing local disks)

The use of a wildcard resource ("*") is consistent with other list operations in this policy and is appropriate for this type of action.

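The review above checks by hand whether mutating actions (PutMetricData, DeleteSyncProfile) land on `*` or fully wildcarded ARNs and whether a Condition narrows them. As an added example, not code from this PR or the iam-floyd project, here is a small Python linter that applies those same checks to any policy document; the sample policy is constructed to mirror the statements discussed, so its exact Sids, ARNs and the `cloudwatch:namespace` condition key are assumptions modelled on the review text, not copies of the PR's files.

```python
"""Lint IAM policy documents for mutating actions granted on broad resources.

Added example, not code from this PR or the iam-floyd project: for every Allow
statement it reports write/delete actions whose Resource is "*" or a fully
wildcarded ARN (e.g. arn:aws:identity-sync:*:*:profile/*) and whether a
Condition narrows the grant.
"""
import re

# Verb prefixes treated as mutating (assumption for this demo, not an AWS list).
MUTATING_VERBS = (
    "Create", "Delete", "Put", "Update", "Modify", "Activate",
    "Deactivate", "Attach", "Detach", "Start", "Stop", "Terminate",
)

# arn:partition:service:region:account:resource
ARN_RE = re.compile(r"^arn:[^:]*:([^:]*):([^:]*):([^:]*):(.*)$")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_mutating(action):
    """True when 'service:Name' names a write/delete action or a wildcard."""
    if action == "*":
        return True
    _, _, name = action.partition(":")
    if name in ("", "*"):
        return True
    return any(name.lstrip("*").startswith(verb) for verb in MUTATING_VERBS)


def is_broad_resource(resource):
    """True for '*' or an ARN that pins neither region, account nor resource id."""
    if resource == "*":
        return True
    match = ARN_RE.match(resource)
    if not match:
        return False
    _service, region, account, res = match.groups()
    if res == "*":
        return True
    # "type/*" or "type:*" under wildcard region and account: any resource of that type
    parts = re.split(r"[/:]", res, maxsplit=1)
    return region == "*" and account == "*" and len(parts) == 2 and parts[1] == "*"


def audit_policy(policy):
    """One finding per Allow statement pairing mutating actions with broad resources."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a for a in _as_list(stmt.get("Action")) if is_mutating(a)]
        resources = [r for r in _as_list(stmt.get("Resource")) if is_broad_resource(r)]
        if actions and resources:
            findings.append({
                "sid": stmt.get("Sid", f"Statement[{index}]"),
                "actions": actions,
                "resources": resources,
                "conditioned": "Condition" in stmt,
            })
    return findings


# Constructed sample modelled on statements discussed in the review; not a copy
# of any file in the PR. Sids, ARNs and the condition key are assumptions.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowPutMetricDataInQAppsNamespace",
            "Effect": "Allow",
            "Action": "cloudwatch:PutMetricData",
            "Resource": "*",
            "Condition": {"StringEquals": {"cloudwatch:namespace": "AWS/QApps"}},
        },
        {
            "Sid": "AllowDeleteSyncProfile",
            "Effect": "Allow",
            "Action": ["identity-sync:DeleteSyncProfile"],
            "Resource": "arn:aws:identity-sync:*:*:profile/*",
        },
        {
            "Sid": "AllowReadPermissionForCustomerProfileObjects",
            "Effect": "Allow",
            "Action": ["profile:GetProfileObjectType", "profile:ListObjectTypeAttributes"],
            "Resource": "arn:aws:profile:*:*:domains/*/object-types/*",
        },
    ],
}

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        scope = "narrowed by Condition" if finding["conditioned"] else "no Condition"
        print(f'{finding["sid"]}: {finding["actions"]} on {finding["resources"]} ({scope})')
```

Run against the sample, the PutMetricData grant is reported but marked as narrowed by its namespace Condition, the DeleteSyncProfile grant is reported with no Condition, and the read-only Customer Profiles statement is not reported at all.
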
Comment on lines +149 to +163
"wisdom:ListContentAssociations",
"wisdom:CreateMessageTemplate",
"wisdom:UpdateMessageTemplate",
"wisdom:UpdateMessageTemplateMetadata",
"wisdom:GetMessageTemplate",
"wisdom:DeleteMessageTemplate",
"wisdom:ListMessageTemplates",
"wisdom:SearchMessageTemplates",
"wisdom:ActivateMessageTemplate",
"wisdom:DeactivateMessageTemplate",
"wisdom:CreateMessageTemplateVersion",
"wisdom:ListMessageTemplateVersions",
"wisdom:CreateMessageTemplateAttachment",
"wisdom:DeleteMessageTemplateAttachment",
"wisdom:RenderMessageTemplate"
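
Review bot: this range adds create, update, delete and activate/deactivate actions on message templates next to the read actions, but the `Resource` and `Condition` that scope them sit outside the shown lines; before accepting, confirm that the statement's tag-based Condition applies to these new actions, since `wisdom:DeleteMessageTemplate` and `wisdom:DeleteMessageTemplateAttachment` are the destructive ones in the set.
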


💡 Codebase verification

Action Required: Update Documentation for New Wisdom Message Template Permissions

The new permissions for managing message templates in Amazon Connect Wisdom have been added to the "AllowWisdomForConnectEnabledTaggedResources" statement. However, these changes are not reflected in the project documentation.

  • Documentation Update Needed: Add details about the new Wisdom message template management capabilities, including creating, updating, deleting, and managing templates and their metadata.

Ensuring the documentation is up-to-date will help users understand and utilize the expanded functionalities effectively.

🔗 Analysis chain

LGTM: Expanded Wisdom capabilities for message template management

The "AllowWisdomForConnectEnabledTaggedResources" statement has been significantly enhanced with new permissions for managing message templates in Amazon Connect Wisdom. These additions allow for:

  1. Creating, updating, and deleting message templates
  2. Managing message template metadata and versions
  3. Activating and deactivating templates
  4. Creating and deleting template attachments
  5. Rendering message templates

These changes suggest a new or expanded feature for message template management in Connect Wisdom. The permissions are properly scoped to tagged resources, maintaining security best practices.

To ensure these new capabilities are properly documented:

If the script doesn't find any relevant documentation updates, consider adding information about these new Wisdom message template features to the project documentation.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check if the README or documentation has been updated to reflect these new Wisdom capabilities

# Search for mentions of new Wisdom message template features in README and docs
grep -R -i "wisdom.*message.*template" README.md docs/

Length of output: 299


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Outside diff range and nitpick comments (3)
docs/source/_static/managed-policies/AWSBackupServiceRolePolicyForBackup.json (3)

59-61: LGTM. Consider updating documentation.

This new permission block for deleting RDS cluster automated backups complements the previous change, providing a comprehensive approach to managing both instance and cluster automated backups.

Consider updating any relevant documentation or README files to reflect these new capabilities for managing RDS automated backups.


63-70: LGTM. Minor formatting suggestion.

The retention of the RDS modify permissions is appropriate, ensuring that existing workflows requiring DB instance modifications remain functional. This reorganization of the policy effectively separates modify and delete permissions, improving clarity.

For consistency with other blocks in this policy, consider removing the square brackets around the single action and resource:

 "Action": [
-  "rds:ModifyDBInstance"
+  "rds:ModifyDBInstance"
 ],
 "Resource": [
-  "arn:aws:rds:*:*:db:*"
+  "arn:aws:rds:*:*:db:*"
 ]
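
Review bot: the `-` and `+` lines in this suggestion are identical (`"rds:ModifyDBInstance"` and `"arn:aws:rds:*:*:db:*"`), so applying it changes nothing and the square brackets the comment proposes removing remain; if a scalar form is intended, the edit would be `"Action": "rds:ModifyDBInstance"` and `"Resource": "arn:aws:rds:*:*:db:*"` with the `[`/`]` lines dropped. Both forms are valid IAM JSON, so the change is cosmetic either way.
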

Line range hint 41-70: Summary: Improved RDS automated backup management

These changes enhance the policy's granularity and specificity for RDS-related permissions:

  1. Introduced specific permissions for deleting RDS instance automated backups.
  2. Added new permissions for managing RDS cluster automated backups.
  3. Retained existing permissions for modifying RDS instances.

These updates align with the principle of least privilege, providing more precise control over RDS backup operations. They should improve the overall management of RDS automated backups while maintaining existing capabilities.

Consider reviewing your backup and retention strategies to ensure they align with these new, more granular permissions. This might be an opportunity to implement more sophisticated backup management workflows, leveraging the distinct permissions for instances and clusters.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 51a5d10 and e081a0f.

⛔ Files ignored due to path filters (2)
  • lib/generated/aws-managed-policies/cdk-iam-floyd.ts is excluded by !**/generated/**
  • lib/generated/aws-managed-policies/iam-floyd.ts is excluded by !**/generated/**
📒 Files selected for processing (53)
  • docs/source/_static/managed-policies/AWSAuditManagerServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AWSBackupFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AWSBackupServiceRolePolicyForBackup.json (2 hunks)
  • docs/source/_static/managed-policies/AWSCompromisedKeyQuarantineV3.json (1 hunks)
  • docs/source/_static/managed-policies/AWSConfigServiceRolePolicy.json (13 hunks)
  • docs/source/_static/managed-policies/AWSDataExchangeProviderFullAccess.json (11 hunks)
  • docs/source/_static/managed-policies/AWSDirectoryServiceDataFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AWSDirectoryServiceDataReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AWSIAMIdentityCenterAllowListForIdentityContext.json (1 hunks)
  • docs/source/_static/managed-policies/AWSPCSServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AWSReachabilityAnalyzerServiceRolePolicy.json (0 hunks)
  • docs/source/_static/managed-policies/AWSResilienceHubAsssessmentExecutionPolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AWSResourceExplorerServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AWSSSMForSAPServiceLinkedRolePolicy.json (2 hunks)
  • docs/source/_static/managed-policies/AWSSSOMasterAccountAdministrator.json (1 hunks)
  • docs/source/_static/managed-policies/AWSServiceRoleForAmazonEKSNodegroup.json (1 hunks)
  • docs/source/_static/managed-policies/AWSSupportPlansFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AWSSupportPlansReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AWSSupportServiceRolePolicy.json (14 hunks)
  • docs/source/_static/managed-policies/AWS_ConfigRole.json (14 hunks)
  • docs/source/_static/managed-policies/AmazonBedrockReadOnly.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonCognitoUnAuthedIdentitiesSessionPolicy.json (2 hunks)
  • docs/source/_static/managed-policies/AmazonConnectServiceLinkedRolePolicy.json (4 hunks)
  • docs/source/_static/managed-policies/AmazonConnectSynchronizationServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonEC2RolePolicyForLaunchWizard.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonECS_FullAccess.json (8 hunks)
  • docs/source/_static/managed-policies/AmazonElasticFileSystemReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonGuardDutyServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonInspector2ServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonOpenSearchServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonRDSBetaServiceRolePolicy.json (0 hunks)
  • docs/source/_static/managed-policies/AmazonRDSPreviewServiceRolePolicy.json (0 hunks)
  • docs/source/_static/managed-policies/AmazonRoute53ProfilesFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonRoute53ProfilesReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonRoute53ResolverFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonRoute53ResolverReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonSNSFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonSNSReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonSageMakerCanvasDataPrepFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonSageMakerCanvasFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonSageMakerHyperPodServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonWorkSpacesThinClientFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonWorkSpacesThinClientReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedNotebookPolicy.json (2 hunks)
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedNotebookServiceRole.json (1 hunks)
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedPolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedServiceRole.json (1 hunks)
  • docs/source/_static/managed-policies/IVSReadOnlyAccess.json (2 hunks)
  • docs/source/_static/managed-policies/PowerUserAccess.json (1 hunks)
  • docs/source/_static/managed-policies/QAppsServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/ReadOnlyAccess.json (18 hunks)
  • docs/source/_static/managed-policies/SSMQuickSetupRolePolicy.json (2 hunks)
  • docs/source/_static/managed-policies/index.json (1 hunks)
💤 Files not reviewed due to no reviewable changes (3)
  • docs/source/_static/managed-policies/AWSReachabilityAnalyzerServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonRDSBetaServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonRDSPreviewServiceRolePolicy.json
🚧 Files skipped from review as they are similar to previous changes (47)
  • docs/source/_static/managed-policies/AWSAuditManagerServiceRolePolicy.json
  • docs/source/_static/managed-policies/AWSBackupFullAccess.json
  • docs/source/_static/managed-policies/AWSCompromisedKeyQuarantineV3.json
  • docs/source/_static/managed-policies/AWSConfigServiceRolePolicy.json
  • docs/source/_static/managed-policies/AWSDataExchangeProviderFullAccess.json
  • docs/source/_static/managed-policies/AWSDirectoryServiceDataFullAccess.json
  • docs/source/_static/managed-policies/AWSDirectoryServiceDataReadOnlyAccess.json
  • docs/source/_static/managed-policies/AWSIAMIdentityCenterAllowListForIdentityContext.json
  • docs/source/_static/managed-policies/AWSPCSServiceRolePolicy.json
  • docs/source/_static/managed-policies/AWSResilienceHubAsssessmentExecutionPolicy.json
  • docs/source/_static/managed-policies/AWSResourceExplorerServiceRolePolicy.json
  • docs/source/_static/managed-policies/AWSSSMForSAPServiceLinkedRolePolicy.json
  • docs/source/_static/managed-policies/AWSSSOMasterAccountAdministrator.json
  • docs/source/_static/managed-policies/AWSServiceRoleForAmazonEKSNodegroup.json
  • docs/source/_static/managed-policies/AWSSupportPlansFullAccess.json
  • docs/source/_static/managed-policies/AWSSupportPlansReadOnlyAccess.json
  • docs/source/_static/managed-policies/AWS_ConfigRole.json
  • docs/source/_static/managed-policies/AmazonBedrockReadOnly.json
  • docs/source/_static/managed-policies/AmazonCognitoUnAuthedIdentitiesSessionPolicy.json
  • docs/source/_static/managed-policies/AmazonConnectSynchronizationServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonEC2RolePolicyForLaunchWizard.json
  • docs/source/_static/managed-policies/AmazonECS_FullAccess.json
  • docs/source/_static/managed-policies/AmazonElasticFileSystemReadOnlyAccess.json
  • docs/source/_static/managed-policies/AmazonGuardDutyServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonInspector2ServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonOpenSearchServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonRoute53ProfilesFullAccess.json
  • docs/source/_static/managed-policies/AmazonRoute53ProfilesReadOnlyAccess.json
  • docs/source/_static/managed-policies/AmazonRoute53ResolverFullAccess.json
  • docs/source/_static/managed-policies/AmazonRoute53ResolverReadOnlyAccess.json
  • docs/source/_static/managed-policies/AmazonSNSFullAccess.json
  • docs/source/_static/managed-policies/AmazonSNSReadOnlyAccess.json
  • docs/source/_static/managed-policies/AmazonSageMakerCanvasDataPrepFullAccess.json
  • docs/source/_static/managed-policies/AmazonSageMakerCanvasFullAccess.json
  • docs/source/_static/managed-policies/AmazonSageMakerHyperPodServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonWorkSpacesThinClientFullAccess.json
  • docs/source/_static/managed-policies/AmazonWorkSpacesThinClientReadOnlyAccess.json
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedNotebookPolicy.json
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedNotebookServiceRole.json
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedPolicy.json
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedServiceRole.json
  • docs/source/_static/managed-policies/IVSReadOnlyAccess.json
  • docs/source/_static/managed-policies/PowerUserAccess.json
  • docs/source/_static/managed-policies/QAppsServiceRolePolicy.json
  • docs/source/_static/managed-policies/ReadOnlyAccess.json
  • docs/source/_static/managed-policies/SSMQuickSetupRolePolicy.json
  • docs/source/_static/managed-policies/index.json
🔇 Additional comments (9)
docs/source/_static/managed-policies/AmazonConnectServiceLinkedRolePolicy.json (4)

80-87: LGTM: Enhanced Customer Profiles capabilities

The new permissions added to the "AllowCustomerProfilesForConnectDomain" statement expand the capabilities for managing customer profiles and segments. These additions include:

  • Listing integrations and segment definitions
  • Managing profile attribute values and segment estimates
  • Batch operations for profiles and calculated attributes
  • Retrieving segment membership

These changes align with the expanded profile management capabilities mentioned in the AI summary.


96-97: LGTM: Additional read permission for Customer Profiles

The addition of the "profile:ListObjectTypeAttributes" permission enhances the read capabilities for Customer Profile objects. This allows listing attributes of object types, which complements the existing permissions to list profile objects and get profile object types.


149-163: LGTM: Expanded Wisdom capabilities for message template management

The "AllowWisdomForConnectEnabledTaggedResources" statement has been significantly enhanced with new permissions for managing message templates in Amazon Connect Wisdom. These additions allow for:

  1. Creating, updating, and deleting message templates
  2. Managing message template metadata and versions
  3. Activating and deactivating templates
  4. Creating and deleting template attachments
  5. Rendering message templates

These changes align with the expanded message template handling capabilities mentioned in the AI summary. The permissions are properly scoped to tagged resources, maintaining security best practices.

As mentioned in a previous review, please ensure that the project documentation is updated to reflect these new Wisdom message template features.


195-208: LGTM: New segmentation capabilities for Customer Profiles

A new statement "AllowCustomerProfilesSegmentationForConnectDomain" has been added to introduce segmentation capabilities for Customer Profiles. This statement includes permissions for:

  • Creating, retrieving, and deleting segment definitions
  • Creating and retrieving segment snapshots

These additions enhance the ability to manage customer segments within the Amazon Connect domain, aligning with the expanded segmentation capabilities mentioned in the AI summary. The permissions are properly scoped to the Connect domain resources.

docs/source/_static/managed-policies/AWSSupportServiceRolePolicy.json (5)

87-88: New account permissions enhance multi-region support capabilities.

The addition of account:getRegionOptStatus and account:listRegions permissions allows the AWS Support Service Role to retrieve information about region opt-in status and list available regions. This enhancement will likely improve troubleshooting and support capabilities for multi-region deployments.


264-264: New Auto Scaling permission improves traffic analysis capabilities.

The addition of autoscaling:describeTrafficSources permission enables the AWS Support Service Role to retrieve information about traffic sources for Auto Scaling groups. This will enhance the ability to diagnose issues related to load balancing and traffic distribution in Auto Scaling setups.


324-345: Extensive new Bedrock permissions expand AI support capabilities.

A significant set of new permissions related to Amazon Bedrock has been added to the policy. These permissions cover various aspects of the Bedrock service, including:

  1. Managing agents and agent versions
  2. Handling custom models and model customization jobs
  3. Working with data sources and ingestion jobs
  4. Accessing knowledge bases and feature groups

This expansion of permissions will enable AWS Support to provide comprehensive assistance for customers using Amazon Bedrock for generative AI applications. It demonstrates AWS's commitment to supporting advanced AI services.


547-558: Broad expansion of permissions across multiple AWS services.

This update includes new permissions for several AWS services, significantly expanding the AWS Support Service Role's capabilities:

  1. CodeConnections: New permissions for managing connections, hosts, and repository links.
  2. Deadline: Added permissions for listing various Deadline resources and jobs.
  3. EC2: New permissions for describing snapshot tier status and getting subnet CIDR reservations.
  4. EKS: Added permissions for working with pod identity associations.
  5. Elastic Load Balancing: New permissions for describing trust stores and associations.
  6. OSIS: Added permissions for managing pipelines and blueprints.
  7. WorkSpaces: New permissions for describing application and workspace associations.
  8. X-Ray: Expanded permissions for advanced tracing and analysis capabilities.

These additions will enable AWS Support to provide more comprehensive assistance across a wider range of AWS services, improving their ability to troubleshoot and resolve customer issues in these areas.

Also applies to: 786-802, 1018-1018, 1064-1064, 1143-1144, 1210-1212, 2295-2300, 3355-3356, 3368-3374


Line range hint 1-3374: Comprehensive policy update significantly enhances AWS Support capabilities.

This update to the AWSSupportServiceRolePolicy represents a substantial expansion of AWS Support's capabilities across multiple services. The new permissions enable support for:

  1. Advanced multi-region deployments
  2. Enhanced Auto Scaling and traffic analysis
  3. Comprehensive support for Amazon Bedrock and AI services
  4. Improved capabilities across various services including CodeConnections, Deadline, EC2, EKS, Elastic Load Balancing, OSIS, WorkSpaces, and X-Ray

These changes will allow AWS Support to provide more effective and comprehensive assistance to customers, particularly in areas of emerging technologies and complex multi-service deployments. The policy update aligns well with AWS's commitment to continually improving its support offerings and adapting to new service introductions and enhancements.

Comment on lines +41 to +44
"Sid": "RDSInstanceAutomatedBackupPermissions",
"Effect": "Allow",
"Action": [
"rds:ModifyDBInstance"
],
"Resource": [
"arn:aws:rds:*:*:db:*"
]
"Action": "rds:DeleteDBInstanceAutomatedBackup",
"Resource": "arn:aws:rds:*:*:auto-backup:*"
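Review bot: the replacement grant on the last two lines is narrower than the one it removes (rds:DeleteDBInstanceAutomatedBackup on arn:aws:rds:*:*:auto-backup:* instead of rds:ModifyDBInstance on every arn:aws:rds:*:*:db:*), so the Sid RDSInstanceAutomatedBackupPermissions now describes what the statement actually allows. The follow-up `rg "rds:ModifyDBInstance"` that turns up seven other files is not a cleanup task for this PR: those are separately published AWS managed policies mirrored into this directory, and each keeps its own grant. What is worth confirming is that nothing using this role relied on ModifyDBInstance, since the new action covers only deleting automated backups and not changing retention settings on the instance itself.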
💡 Codebase verification

Action Required: Update or Remove Deprecated RDS Permissions

The old permission rds:ModifyDBInstance is still present in multiple policy files. Please review and update or remove this permission as necessary to ensure consistency and security across all policies.

  • AWSElasticBeanstalkRoleRDS.json
  • AWSBackupServiceRolePolicyForBackup.json
  • NeptuneConsoleFullAccess.json
  • NeptuneFullAccess.json
  • AmazonDocDBFullAccess.json
  • AmazonDocDBConsoleFullAccess.json
  • AdministratorAccess-AWSElasticBeanstalk.json
🔗 Analysis chain

LGTM. Verify the impact of this permission change.

The change from modifying DB instances to deleting automated backups is appropriate and aligns well with the new Sid name. This update provides more specific and targeted permissions for managing RDS automated backups.

To ensure this change doesn't negatively impact existing workflows, please run the following verification:

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check for any existing scripts or CloudFormation templates that might be using the old permission
rg "rds:ModifyDBInstance" --type yaml --type json

Length of output: 763

@udondan udondan force-pushed the update-aws-managed-policies branch from e081a0f to f319f71 Compare October 1, 2024 01:33
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between e081a0f and f319f71.

⛔ Files ignored due to path filters (2)
  • lib/generated/aws-managed-policies/cdk-iam-floyd.ts is excluded by !**/generated/**
  • lib/generated/aws-managed-policies/iam-floyd.ts is excluded by !**/generated/**
📒 Files selected for processing (53)
  • docs/source/_static/managed-policies/AWSAuditManagerServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AWSBackupFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AWSBackupServiceRolePolicyForBackup.json (2 hunks)
  • docs/source/_static/managed-policies/AWSCompromisedKeyQuarantineV3.json (1 hunks)
  • docs/source/_static/managed-policies/AWSConfigServiceRolePolicy.json (13 hunks)
  • docs/source/_static/managed-policies/AWSDataExchangeProviderFullAccess.json (11 hunks)
  • docs/source/_static/managed-policies/AWSDirectoryServiceDataFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AWSDirectoryServiceDataReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AWSIAMIdentityCenterAllowListForIdentityContext.json (1 hunks)
  • docs/source/_static/managed-policies/AWSPCSServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AWSReachabilityAnalyzerServiceRolePolicy.json (0 hunks)
  • docs/source/_static/managed-policies/AWSResilienceHubAsssessmentExecutionPolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AWSResourceExplorerServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AWSSSMForSAPServiceLinkedRolePolicy.json (2 hunks)
  • docs/source/_static/managed-policies/AWSSSOMasterAccountAdministrator.json (1 hunks)
  • docs/source/_static/managed-policies/AWSServiceRoleForAmazonEKSNodegroup.json (1 hunks)
  • docs/source/_static/managed-policies/AWSSupportPlansFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AWSSupportPlansReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AWSSupportServiceRolePolicy.json (14 hunks)
  • docs/source/_static/managed-policies/AWS_ConfigRole.json (14 hunks)
  • docs/source/_static/managed-policies/AmazonBedrockReadOnly.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonCognitoUnAuthedIdentitiesSessionPolicy.json (2 hunks)
  • docs/source/_static/managed-policies/AmazonConnectServiceLinkedRolePolicy.json (4 hunks)
  • docs/source/_static/managed-policies/AmazonConnectSynchronizationServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonEC2RolePolicyForLaunchWizard.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonECS_FullAccess.json (8 hunks)
  • docs/source/_static/managed-policies/AmazonElasticFileSystemReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonGuardDutyServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonInspector2ServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonOpenSearchServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonRDSBetaServiceRolePolicy.json (0 hunks)
  • docs/source/_static/managed-policies/AmazonRDSPreviewServiceRolePolicy.json (0 hunks)
  • docs/source/_static/managed-policies/AmazonRoute53ProfilesFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonRoute53ProfilesReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonRoute53ResolverFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonRoute53ResolverReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonSNSFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonSNSReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonSageMakerCanvasDataPrepFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonSageMakerCanvasFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonSageMakerHyperPodServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonWorkSpacesThinClientFullAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AmazonWorkSpacesThinClientReadOnlyAccess.json (1 hunks)
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedNotebookPolicy.json (2 hunks)
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedNotebookServiceRole.json (1 hunks)
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedPolicy.json (1 hunks)
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedServiceRole.json (1 hunks)
  • docs/source/_static/managed-policies/IVSReadOnlyAccess.json (2 hunks)
  • docs/source/_static/managed-policies/PowerUserAccess.json (1 hunks)
  • docs/source/_static/managed-policies/QAppsServiceRolePolicy.json (1 hunks)
  • docs/source/_static/managed-policies/ReadOnlyAccess.json (18 hunks)
  • docs/source/_static/managed-policies/SSMQuickSetupRolePolicy.json (2 hunks)
  • docs/source/_static/managed-policies/index.json (1 hunks)
💤 Files with no reviewable changes (3)
  • docs/source/_static/managed-policies/AWSReachabilityAnalyzerServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonRDSBetaServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonRDSPreviewServiceRolePolicy.json
🚧 Files skipped from review as they are similar to previous changes (47)
  • docs/source/_static/managed-policies/AWSAuditManagerServiceRolePolicy.json
  • docs/source/_static/managed-policies/AWSBackupFullAccess.json
  • docs/source/_static/managed-policies/AWSBackupServiceRolePolicyForBackup.json
  • docs/source/_static/managed-policies/AWSCompromisedKeyQuarantineV3.json
  • docs/source/_static/managed-policies/AWSConfigServiceRolePolicy.json
  • docs/source/_static/managed-policies/AWSDataExchangeProviderFullAccess.json
  • docs/source/_static/managed-policies/AWSDirectoryServiceDataFullAccess.json
  • docs/source/_static/managed-policies/AWSDirectoryServiceDataReadOnlyAccess.json
  • docs/source/_static/managed-policies/AWSIAMIdentityCenterAllowListForIdentityContext.json
  • docs/source/_static/managed-policies/AWSPCSServiceRolePolicy.json
  • docs/source/_static/managed-policies/AWSResilienceHubAsssessmentExecutionPolicy.json
  • docs/source/_static/managed-policies/AWSResourceExplorerServiceRolePolicy.json
  • docs/source/_static/managed-policies/AWSSSMForSAPServiceLinkedRolePolicy.json
  • docs/source/_static/managed-policies/AWSSSOMasterAccountAdministrator.json
  • docs/source/_static/managed-policies/AWSServiceRoleForAmazonEKSNodegroup.json
  • docs/source/_static/managed-policies/AWSSupportPlansFullAccess.json
  • docs/source/_static/managed-policies/AWSSupportPlansReadOnlyAccess.json
  • docs/source/_static/managed-policies/AWS_ConfigRole.json
  • docs/source/_static/managed-policies/AmazonBedrockReadOnly.json
  • docs/source/_static/managed-policies/AmazonCognitoUnAuthedIdentitiesSessionPolicy.json
  • docs/source/_static/managed-policies/AmazonConnectSynchronizationServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonEC2RolePolicyForLaunchWizard.json
  • docs/source/_static/managed-policies/AmazonECS_FullAccess.json
  • docs/source/_static/managed-policies/AmazonElasticFileSystemReadOnlyAccess.json
  • docs/source/_static/managed-policies/AmazonGuardDutyServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonInspector2ServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonOpenSearchServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonRoute53ProfilesFullAccess.json
  • docs/source/_static/managed-policies/AmazonRoute53ProfilesReadOnlyAccess.json
  • docs/source/_static/managed-policies/AmazonRoute53ResolverFullAccess.json
  • docs/source/_static/managed-policies/AmazonRoute53ResolverReadOnlyAccess.json
  • docs/source/_static/managed-policies/AmazonSNSFullAccess.json
  • docs/source/_static/managed-policies/AmazonSageMakerCanvasDataPrepFullAccess.json
  • docs/source/_static/managed-policies/AmazonSageMakerCanvasFullAccess.json
  • docs/source/_static/managed-policies/AmazonSageMakerHyperPodServiceRolePolicy.json
  • docs/source/_static/managed-policies/AmazonWorkSpacesThinClientFullAccess.json
  • docs/source/_static/managed-policies/AmazonWorkSpacesThinClientReadOnlyAccess.json
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedNotebookPolicy.json
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedNotebookServiceRole.json
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedPolicy.json
  • docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedServiceRole.json
  • docs/source/_static/managed-policies/IVSReadOnlyAccess.json
  • docs/source/_static/managed-policies/PowerUserAccess.json
  • docs/source/_static/managed-policies/QAppsServiceRolePolicy.json
  • docs/source/_static/managed-policies/ReadOnlyAccess.json
  • docs/source/_static/managed-policies/SSMQuickSetupRolePolicy.json
  • docs/source/_static/managed-policies/index.json
🔇 Additional comments (10)
docs/source/_static/managed-policies/AmazonSNSReadOnlyAccess.json (2)

5-16: LGTM: Enhanced SNS read-only permissions

The modifications to the SNSReadOnlyAccess statement are appropriate and align with the policy's purpose. The new permissions added (lines 10-16) provide more comprehensive read-only access to various SNS features and attributes, including:

  • Phone number opt-out status
  • Endpoint attributes
  • Data protection policy
  • Platform application attributes
  • SMS attributes
  • SMS sandbox account status
  • Subscription attributes

These additions enhance the policy's functionality without compromising its read-only nature.


20-35: LGTM: Added SMS and voice read-only access via SNS

The new SMSAccessViaSNS statement (lines 20-35) is a valuable addition to the AmazonSNSReadOnlyAccess policy. It extends the policy's scope to include read-only actions for SMS and voice services, which are often used in conjunction with SNS. The permitted actions allow users to:

  1. Describe verified destination numbers
  2. View account attributes
  3. Check spend limits
  4. List phone numbers
  5. See opted-out numbers

A crucial security measure is implemented through the Condition block (lines 31-35), which ensures these actions can only be invoked via sns.amazonaws.com. This restriction aligns with the principle of least privilege and helps maintain the integrity of the read-only access.

docs/source/_static/managed-policies/AmazonConnectServiceLinkedRolePolicy.json (4)

80-87: LGTM: Enhanced Customer Profiles capabilities

The new permissions added to the "AllowCustomerProfilesForConnectDomain" section expand the capabilities for managing customer profiles and segments. These additions include:

  • Listing integrations and segment definitions
  • Managing profile attribute values
  • Creating and retrieving segment estimates
  • Batch operations on profiles and calculated attributes
  • Retrieving segment membership

These changes align with the expanded profile management capabilities mentioned in the AI summary and should provide more comprehensive interaction with profile data.


96-97: LGTM: Added permission to list object type attributes

The addition of the "profile:ListObjectTypeAttributes" permission enhances the read capabilities for Customer Profile objects. This new permission allows listing attributes of object types, which complements the existing read permissions in this section. This change provides more granular access to profile object type information.


149-163: LGTM: Expanded Wisdom message template management

The "AllowWisdomForConnectEnabledTaggedResources" section has been significantly enhanced with new permissions for managing message templates in Amazon Connect Wisdom. These additions allow for:

  1. Creating, updating, and deleting message templates
  2. Managing message template metadata and versions
  3. Activating and deactivating templates
  4. Creating and deleting template attachments
  5. Rendering message templates

These changes align with the AI summary and provide comprehensive capabilities for message template management in Connect Wisdom.


195-208: LGTM: New Customer Profiles segmentation capabilities

A new section "AllowCustomerProfilesSegmentationForConnectDomain" has been added to the policy. This section introduces permissions for managing customer profile segmentation, including:

  • Creating, retrieving, and deleting segment definitions
  • Creating and retrieving segment snapshots

These new permissions enhance the Amazon Connect service-linked role's capabilities for customer segmentation, allowing for more targeted and effective customer interactions.

docs/source/_static/managed-policies/AWSSupportServiceRolePolicy.json (4)

786-802: New permissions added for deadline service

The policy has been expanded to include several new permissions for the deadline service, which is part of the AWS Thinkbox Deadline render management system:

  • listAvailableMeteredProducts
  • listBudgets
  • listFarmMembers, listFarms
  • listFleetMembers, listFleets
  • listJobMembers, listJobs
  • listLicenseEndpoints
  • listMeteredProducts
  • listMonitors
  • listQueueEnvironments
  • listQueueFleetAssociations
  • listQueueMembers, listQueues
  • listStorageProfiles
  • listWorkers

These additions significantly enhance the support role's ability to query and inspect various aspects of render farm management, including budgets, farms, fleets, jobs, queues, and workers. This expansion indicates improved support capabilities for media and entertainment workloads using AWS Thinkbox Deadline.

While these permissions can be valuable for troubleshooting and support scenarios in render farm environments, it's important to ensure they align with the intended scope of the support role and the principle of least privilege.

To confirm the necessity and usage of these new deadline permissions, please run the following script:

#!/bin/bash
# Description: Check for any existing uses of the new deadline permissions in AWS documentation or knowledge base

echo "Checking for deadline permissions usage:"
rg -i "deadline:list" --type md

echo "If any results are found, they may indicate existing use cases for these permissions in support scenarios for render farm management."

547-558: New permissions added for codeconnections service

The policy has been expanded to include several new permissions for the codeconnections service:

  • get operations: Connection, Host, RepositoryLink, RepositorySyncStatus, ResourceSyncStatus, SyncBlockerSummary, SyncConfiguration
  • list operations: Connections, Hosts, RepositoryLinks, RepositorySyncDefinitions, SyncConfigurations

These additions significantly enhance the support role's ability to manage and query various aspects of code connections, including repositories, hosts, and sync configurations. This expansion suggests improved support capabilities for services like CodeCommit or similar version control and CI/CD related services.

While these permissions can be valuable for troubleshooting and support scenarios, it's important to ensure they align with the intended scope of the support role.

To confirm the necessity and usage of these new codeconnections permissions, please run the following script:

#!/bin/bash
# Description: Check for any existing uses of the new codeconnections permissions in AWS documentation or knowledge base

echo "Checking for codeconnections permissions usage:"
rg -i "codeconnections.*get|codeconnections.*list" --type md

echo "If any results are found, they may indicate existing use cases for these permissions in support scenarios."

1018-1018: New permissions added for various AWS services

The policy has been expanded to include new permissions across several AWS services:

  1. EC2: Added describeSnapshotTierStatus and getSubnetCidrReservations for more detailed EC2 resource information.
  2. EKS: Added permissions related to Pod Identity Associations.
  3. Elastic Load Balancing: Added describe operations for TrustStores.
  4. Free Tier: Added getFreeTierUsage for accessing free tier usage information.
  5. Inspector2: Added getConfiguration and getEc2DeepInspectionConfiguration for enhanced security inspection capabilities.
  6. OSIS (OpenSearch Ingestion Service): Added various get and list operations.
  7. WorkSpaces: Added describe operations for application and workspace associations.
  8. X-Ray: Added multiple get operations for enhanced tracing and debugging capabilities.

These additions significantly expand the support role's ability to gather detailed information and configurations across a wide range of AWS services. This enhanced access can be beneficial for troubleshooting and support scenarios. However, some of these permissions, particularly those related to Inspector2 and X-Ray, may have security implications and should be carefully considered in the context of the principle of least privilege.

To confirm the necessity and usage of these new permissions across various services, please run the following script:

#!/bin/bash
# Description: Check for any existing uses of the new permissions in AWS documentation or knowledge base

services=("ec2" "eks" "elasticloadbalancing" "freetier" "inspector2" "osis" "workspaces" "xray")

for service in "${services[@]}"; do
  echo "Checking for new $service permissions usage:"
  rg -i "$service.*:(describe|get|list)" --type md
  echo "---"
done

echo "If any results are found, they may indicate existing use cases for these permissions in support scenarios."

Also applies to: 1064-1064, 1143-1144, 1210-1212, 1343-1343, 1637-1638, 2295-2300, 3355-3356, 3368-3374


Line range hint 1-3374: Summary of policy changes and their impact

This update to the AWSSupportServiceRolePolicy significantly expands the permissions granted to the AWS Support service role across multiple AWS services. Key changes include:

  1. Enhanced regional and account-level access
  2. Expanded capabilities for autoscaling diagnostics
  3. Comprehensive permissions for AI/ML services (Bedrock)
  4. Improved access to code connection and repository management
  5. New permissions for render farm management (Deadline service)
  6. Additional permissions for various services including EC2, EKS, ELB, Inspector2, OSIS, WorkSpaces, and X-Ray

While these additions enhance the support role's ability to troubleshoot and assist with a wider range of AWS services, they also considerably increase the scope of access for this role. It's crucial to ensure that these expanded permissions align with the principle of least privilege and are necessary for the support role's functions.

Recommendations:

  1. Review each new permission to confirm its necessity for support operations.
  2. Consider implementing more granular policies or condition statements where possible to limit the scope of these permissions.
  3. Regularly audit the usage of these permissions to ensure they are being utilized as intended.
  4. Keep documentation updated to reflect the expanded capabilities of the support role.

To get an overview of the policy changes and their potential impact, run the following script:

#!/bin/bash
# Description: Summarize the changes in the AWSSupportServiceRolePolicy

echo "Summary of changes in AWSSupportServiceRolePolicy:"
echo "1. Total number of permissions:"
jq '.Statement[0].Action | length' AWSSupportServiceRolePolicy.json

echo "2. New services added (sample of services not typically in support policies):"
jq -r '.Statement[0].Action[]' AWSSupportServiceRolePolicy.json | cut -d: -f1 | sort | uniq | grep -E 'bedrock|codeconnections|deadline|osis'

echo "3. Permissions with potential security implications:"
jq -r '.Statement[0].Action[]' AWSSupportServiceRolePolicy.json | grep -E 'config|inspector|iam'

echo "This summary provides an overview of the policy's scope and highlights areas that may require additional scrutiny."

Comment on lines +87 to +88
"account:getRegionOptStatus",
"account:listRegions",
💡 Codebase verification

Excessive Permissions Detected in AWSSupportServiceRolePolicy.json

The AWSSupportServiceRolePolicy.json currently includes a total of 3,303 permissions, which is significantly higher than typical support role policies. Notably, the policy introduces new services such as:

  • bedrock
  • codeconnections
  • deadline
  • osis

Additionally, it grants numerous permissions with potential security implications, including extensive access to config, iam, and inspector services. These permissions may exceed the necessary scope for a support role and could pose security risks.

Recommended Actions:

  • Review and Restrict Permissions: Evaluate each permission to ensure it aligns with the principle of least privilege. Remove any unnecessary or overly broad permissions.
  • Assess New Services: Confirm that the addition of bedrock, codeconnections, deadline, and osis services is essential for the support role's functionality.
  • Conduct Security Audit: Perform a thorough security assessment to identify and mitigate potential risks associated with the granted permissions.
🔗 Analysis chain

New permissions added for account, autoscaling, and bedrock services

The policy has been expanded to include new permissions for several services:

  1. Account service: getRegionOptStatus and listRegions have been added, allowing the support role to query region-specific information.
  2. Autoscaling service: describeTrafficSources has been added, providing more detailed information about traffic sources for autoscaling groups.
  3. Bedrock service: A comprehensive set of permissions has been added, covering various aspects of machine learning operations, including agent management, model customization, and job handling.

These additions enhance the support role's capabilities, particularly in regional operations, autoscaling diagnostics, and AI/ML services support. However, it's important to ensure that these expanded permissions align with the principle of least privilege and are necessary for the support role's functions.

To confirm the necessity of these new permissions, especially the extensive bedrock permissions, please run the following script:

Also applies to: 264-264, 324-345

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for any existing uses of the new permissions in AWS Support documentation or knowledge base

# Check for account and autoscaling permissions
echo "Checking for account and autoscaling permissions usage:"
rg -i "getRegionOptStatus|listRegions|describeTrafficSources" --type md

# Check for bedrock permissions
echo "Checking for bedrock permissions usage:"
rg -i "bedrock.*get|bedrock.*list" --type md

echo "If any results are found, they may indicate existing use cases for these permissions in support scenarios."

Length of output: 1291


Script:

#!/bin/bash
# Description: Locate the AWSSupportServiceRolePolicy.json file within the repository

echo "Searching for AWSSupportServiceRolePolicy.json in the repository:"
fd 'AWSSupportServiceRolePolicy\.json$' .

Length of output: 256


Script:

#!/bin/bash
# Description: Analyze the AWSSupportServiceRolePolicy.json for permission usage and potential security implications

POLICY_FILE="./docs/source/_static/managed-policies/AWSSupportServiceRolePolicy.json"

if [ ! -f "$POLICY_FILE" ]; then
  echo "Error: $POLICY_FILE does not exist."
  exit 1
fi

echo "Analyzing permissions in $POLICY_FILE:"

# Total number of permissions
TOTAL_PERMISSIONS=$(jq '.Statement[0].Action | length' "$POLICY_FILE" 2>/dev/null)
if [ $? -ne 0 ]; then
  echo "Failed to parse $POLICY_FILE with jq."
else
  echo "1. Total number of permissions: $TOTAL_PERMISSIONS"
fi

# New services added (sample of services not typically in support policies)
NEW_SERVICES=$(jq -r '.Statement[0].Action[]' "$POLICY_FILE" | cut -d: -f1 | sort | uniq | grep -E 'bedrock|codeconnections|deadline|osis' 2>/dev/null)
if [ $? -ne 0 ]; then
  echo "Failed to extract new services from $POLICY_FILE."
else
  echo "2. New services added (sample of services not typically in support policies):"
  echo "$NEW_SERVICES"
fi

# Permissions with potential security implications
SECURITY_PERMISSIONS=$(jq -r '.Statement[0].Action[]' "$POLICY_FILE" | grep -E 'config|inspector|iam' 2>/dev/null)
if [ $? -ne 0 ]; then
  echo "Failed to extract security-related permissions from $POLICY_FILE."
else
  echo "3. Permissions with potential security implications:"
  echo "$SECURITY_PERMISSIONS"
fi

echo "This summary provides an overview of the policy's scope and highlights areas that may require additional scrutiny."

Length of output: 1738


Script:

#!/bin/bash
# Description: Comprehensive analysis of AWSSupportServiceRolePolicy.json for permission usage and potential security implications

POLICY_FILE="./docs/source/_static/managed-policies/AWSSupportServiceRolePolicy.json"

if [ ! -f "$POLICY_FILE" ]; then
  echo "Error: $POLICY_FILE does not exist."
  exit 1
fi

echo "Analyzing permissions in $POLICY_FILE:"

# Total number of permissions across all statements
TOTAL_PERMISSIONS=$(jq '[.Statement[].Action[]] | length' "$POLICY_FILE" 2>/dev/null)
if [ $? -ne 0 ]; then
  echo "Failed to parse $POLICY_FILE with jq."
else
  echo "1. Total number of permissions: $TOTAL_PERMISSIONS"
fi

# New services added (sample of services not typically in support policies)
NEW_SERVICES=$(jq -r '[.Statement[].Action[] | split(":")[0]] | unique | .[]' "$POLICY_FILE" | grep -E 'bedrock|codeconnections|deadline|osis' 2>/dev/null)
if [ -z "$NEW_SERVICES" ]; then
  echo "2. No new services added that are atypical for support policies."
else
  echo "2. New services added (sample of services not typically in support policies):"
  echo "$NEW_SERVICES"
fi

# Permissions with potential security implications
SECURITY_PERMISSIONS=$(jq -r '[.Statement[].Action[]] | unique | .[]' "$POLICY_FILE" | grep -E 'config|inspector|iam' 2>/dev/null)
if [ -z "$SECURITY_PERMISSIONS" ]; then
  echo "3. No permissions with potential security implications found."
else
  echo "3. Permissions with potential security implications:"
  echo "$SECURITY_PERMISSIONS"
fi

echo "This summary provides an overview of the policy's scope and highlights areas that may require additional scrutiny."

Length of output: 18683
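An added review helper, not part of this PR or of CodeRabbit's scripts: it does in Python what the jq one-liners above do, but tolerates the IAM document shapes they skip (Statement or Action given as a single value rather than a list, Deny statements that grant nothing) and diffs two revisions so a reviewer sees exactly which actions a policy update adds. The two policy documents are constructed samples that reuse action names from the review above; they are not the repository's AWSSupportServiceRolePolicy.json.

```python
"""Review helper for IAM managed-policy updates (added example, constructed data)."""
import json
from collections import Counter


def allowed_actions(policy):
    """Collect every action granted by an Allow statement, accepting 'Statement'
    and 'Action' either as a single value or as a list (both are valid IAM syntax)."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    actions = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue  # Deny statements and NotAction statements grant nothing here
        acts = stmt["Action"]
        actions.update([acts] if isinstance(acts, str) else acts)
    return actions


def actions_per_service(actions):
    """Count actions by service prefix, e.g. 'ec2:describeSnapshotTierStatus' -> 'ec2'."""
    return dict(Counter(a.split(":", 1)[0].lower() for a in actions))


def added_actions(old, new):
    """Actions the new revision grants that the old revision did not."""
    return sorted(allowed_actions(new) - allowed_actions(old))


def flag_sensitive(actions, prefixes=("iam", "config", "inspector2")):
    """Subset of actions whose service is on the reviewer's watch list."""
    return sorted(a for a in actions if a.split(":", 1)[0].lower() in prefixes)


# Constructed sample revisions. OLD uses a bare Statement object and NEW mixes a
# list-valued Action, a string-valued Action and a Deny statement on purpose.
OLD = json.loads('{"Version": "2012-10-17", "Statement": {"Effect": "Allow", '
                 '"Action": ["ec2:describeInstances", "iam:getRole"], "Resource": "*"}}')
NEW = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "ec2:describeInstances", "iam:getRole", "account:getRegionOptStatus",
        "account:listRegions", "ec2:describeSnapshotTierStatus", "inspector2:getConfiguration"]},
    {"Effect": "Allow", "Resource": "*", "Action": "freetier:getFreeTierUsage"},
    {"Effect": "Deny", "Resource": "*", "Action": ["iam:deleteRole"]}]}

if __name__ == "__main__":
    new_acts = added_actions(OLD, NEW)
    print("actions per service:", actions_per_service(allowed_actions(NEW)))
    print("newly granted:", new_acts)
    print("on watch list:", flag_sensitive(new_acts))
```

Point the two constants at `json.load(open(path))` for an old and a new copy of a file under docs/source/_static/managed-policies to review a real update.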
