Yesterday, we received a notification email from AWS that one or more of our policies were still using actions that are going to be deprecated.
Namely, one or more of the aws-portal or purchase-order actions that are being deprecated in lieu of finer-grained actions. When I went to the AWS Health Dashboard to find the affected resource, I was able to find the affected policy, and was able to determine that while the current (default) version of the policy did not contain the soon-to-be deprecated actions, older versions of the policy that were retained did.
I have since deleted the older versions of the affected policy that contained those actions (while retaining one older version of the policy that does not have those actions). However, the AWS Health Dashboard still lists the IAM security notification.
My question then is, will that security notification go away on its own at some point (it has not gone away yet, even with reloading the dashboard), or does it indicate that despite deleting the older versions of the affected policy there is still something that needs to be done?
I am at a loss here, as neither version of the policy in question seems to have those actions.
Here's the JSON of the policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ce:Get*",
        "ce:Describe*",
        "ce:List*",
        "account:GetAccountInformation",
        "billing:",
        "payments:",
        "payments:",
        "tax:",
        "tax:",
        "consolidatedbilling:",
        "consolidatedbilling:",
        "invoicing:",
        "invoicing:",
        "cur:",
        "cur:",
        "freetier:Get",
        "account:GetAlternateContact",
        "account:GetChallengeQuestions",
        "account:GetContactInformation",
        "billing:GetBillingData",
        "billing:GetBillingDetails",
        "billing:GetBillingNotifications",
        "billing:GetBillingPreferences",
        "billing:GetContractInformation",
        "billing:GetCredits",
        "billing:GetIAMAccessPreference",
        "billing:GetSellerOfRecord",
        "billing:ListBillingViews",
        "payments:ListPaymentPreferences",
        "ce:DescribeNotificationSubscription",
        "ce:DescribeReport",
        "ce:GetAnomalies",
        "ce:GetAnomalyMonitors",
        "ce:GetAnomalySubscriptions",
        "ce:GetCostAndUsage",
        "ce:GetCostAndUsageWithResources",
        "ce:GetCostCategories",
        "ce:GetCostForecast",
        "ce:GetDimensionValues",
        "ce:GetPreferences",
        "ce:GetReservationCoverage",
        "ce:GetReservationPurchaseRecommendation",
        "ce:GetReservationUtilization",
        "ce:GetRightsizingRecommendation",
        "ce:GetSavingsPlansCoverage",
        "ce:GetSavingsPlansPurchaseRecommendation",
        "ce:GetSavingsPlansUtilization",
        "ce:GetSavingsPlansUtilizationDetails",
        "ce:GetTags",
        "ce:GetUsageForecast",
        "ce:ListCostAllocationTags",
        "ce:ListSavingsPlansPurchaseRecommendationGeneration",
        "consolidatedbilling:GetAccountBillingRole",
        "consolidatedbilling:ListLinkedAccounts",
        "cur:GetClassicReport",
        "cur:GetClassicReportPreferences",
        "cur:GetUsageReport",
        "cur:ValidateReportDestination",
        "freetier:GetFreeTierAlertPreference",
        "freetier:GetFreeTierUsage",
        "invoicing:GetInvoiceEmailDeliveryPreferences",
        "invoicing:GetInvoicePDF",
        "invoicing:ListInvoiceSummaries",
        "payments:GetPaymentInstrument",
        "payments:GetPaymentStatus",
        "payments:ListPaymentPreferences",
        "tax:GetTaxInheritance",
        "tax:GetTaxRegistrationDocument",
        "tax:ListTaxRegistrations",
        "account:CloseAccount",
        "account:DeleteAlternateContact",
        "account:PutAlternateContact",
        "account:PutChallengeQuestions",
        "account:PutContactInformation",
        "billing:PutContractInformation",
        "billing:UpdateIAMAccessPreference",
        "billing:RedeemCredits",
        "billing:UpdateBillingPreferences",
        "payments:UpdatePaymentPreferences",
        "ce:CreateAnomalyMonitor",
        "ce:CreateAnomalySubscription",
        "ce:CreateNotificationSubscription",
        "ce:createReport",
        "ce:DeleteAnomalyMonitor",
        "ce:DeleteAnomalySubscription",
        "ce:DeleteNotificationSubscription",
        "ce:DeleteReport",
        "ce:ProvideAnomalyFeedback",
        "ce:StartSavingsPlansPurchaseRecommendationGeneration",
        "ce:UpdateAnomalyMonitor",
        "ce:UpdateAnomalySubscription",
        "ce:UpdateCostAllocationTagsStatus",
        "ce:UpdateNotificationSubscription",
        "ce:UpdatePreferences",
        "cur:PutClassicReportPreferences",
        "freetier:PutFreeTierAlertPreference",
        "invoicing:PutInvoiceEmailDeliveryPreferences",
        "payments:CreatePaymentInstrument",
        "payments:DeletePaymentInstrument",
        "payments:MakePayment",
        "payments:UpdatePaymentPreferences",
        "tax:BatchPutTaxRegistration",
        "tax:DeleteTaxRegistration",
        "tax:PutTaxInheritance",
        "account:GetAccountInformation",
        "payments:DeletePaymentInstrument",
        "payments:CreatePaymentInstrument",
        "payments:MakePayment",
        "payments:UpdatePaymentPreferences",
        "invoicing:GetInvoicePDF",
        "payments:ListPaymentPreferences",
        "purchase-orders:GetPurchaseOrder",
        "purchase-orders:ListPurchaseOrderInvoices",
        "purchase-orders:ListPurchaseOrders",
        "purchase-orders:AddPurchaseOrder",
        "purchase-orders:DeletePurchaseOrder",
        "purchase-orders:UpdatePurchaseOrder",
        "purchase-orders:UpdatePurchaseOrderStatus"
      ],
      "Resource": "*"
    }
  ]
}
That's the thing... I am able to find the policy that it claims is affected, but the actions that are being deprecated do not appear in the JSON of the policy.
Are you able to share the complete policy which is marked as affected? Please remove any confidential data, account id, resource details etc from the policy before sharing.
I added the JSON of the policy in the original question.
The policy shared above is not using any retired actions. There is no reason this policy should be marked as affected in the "Affected Policies" tool. Please report it to AWS. Thanks.
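The thread turns on retired actions surviving in non-default policy versions. The following is an added example, not code from the thread or from AWS: it checks every retained version document of a policy for action patterns that cover a retired action, wildcards included. The retired action names and the sample version documents are assumptions constructed here; in practice the documents would come from `aws iam list-policy-versions` and `aws iam get-policy-version`.

```python
import fnmatch

# Retired action names as given in AWS's billing-permissions migration notice
# (an assumption here; the thread only names the aws-portal and purchase-order families).
RETIRED_ACTIONS = [
    "aws-portal:ViewBilling", "aws-portal:ViewAccount", "aws-portal:ViewUsage",
    "aws-portal:ViewPaymentMethods", "aws-portal:ModifyBilling",
    "aws-portal:ModifyAccount", "aws-portal:ModifyPaymentMethods",
    "purchase-orders:ViewPurchaseOrders", "purchase-orders:ModifyPurchaseOrders",
]

def _as_list(value):
    """IAM accepts a single value where a list is expected; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def retired_matches(document):
    """Return the Action patterns in one policy document that cover a retired action."""
    hits = set()
    for statement in _as_list(document.get("Statement")):
        for pattern in _as_list(statement.get("Action")):
            # IAM action matching is case-insensitive and supports * and ? wildcards.
            if any(fnmatch.fnmatchcase(name.lower(), pattern.lower())
                   for name in RETIRED_ACTIONS):
                hits.add(pattern)
    return sorted(hits)

def scan_versions(versions):
    """Map version id -> offending patterns, only for versions that have any."""
    report = {}
    for version_id, document in versions.items():
        found = retired_matches(document)
        if found:
            report[version_id] = found
    return report

# Constructed sample: v1 is an old retained version, v3 the current default.
SAMPLE_VERSIONS = {
    "v1": {"Statement": [{"Effect": "Allow", "Resource": "*",
           "Action": ["aws-portal:View*", "purchase-orders:ViewPurchaseOrders"]}]},
    "v2": {"Statement": [{"Effect": "Allow", "Resource": "*",
           "Action": ["ce:Get*", "purchase-orders:ListPurchaseOrders"]}]},
    "v3": {"Statement": {"Effect": "Allow", "Resource": "*",
           "Action": "billing:GetBillingData"}},
}

if __name__ == "__main__":
    for version_id, patterns in scan_versions(SAMPLE_VERSIONS).items():
        print(version_id, patterns)
```

A version that comes back clean here contains no reference to the retired names, which is the condition the last reply confirms for the shared policy.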