Added IAM Users long-term credential and Lambda Role policy

lauradreith · lauradreith · commit 4da9a3dc1aa9 · 2025-02-28T09:51:58.000-08:00
diff --git a/service_control_policies/service_specific_controls/README.md b/service_control_policies/service_specific_controls/README.md
@@ -39,19 +39,19 @@ This policy statement is included in the [network_perimeter_ec2_policy](network_
 
 The `ec2:SourceInstanceARN` condition key is used to target role sessions that are created for applications running on your Amazon EC2 instances. 
 
-### "Sid":" EnforceNetworkPerimeterOnIAMUsers "
+### "Sid":"EnforceNetworkPerimeterOnIAMUsers "
 
 This policy statement is included in the [network_perimeter_iam_users_policy](/service_control_policies/service_specific_controls/network_perimeter_iam_users_policy.json) and limits access to expected networks for IAM users. Expected networks are defined as follows:
-*	Your on-premises data centers and static egress points in AWS such as a NAT gateway that are specified by IP ranges (<my-corporate-cidr>) in the policy statement.
-*	Your organization’s VPCs that are specified by VPC IDs (<my-vpc>) in the policy statement.
+*	Your on-premises data centers and static egress points in AWS such as a NAT gateway that are specified by IP ranges (`<my-corporate-cidr>`) in the policy statement.
+*	Your organization’s VPCs that are specified by VPC IDs (`<my-vpc>`) in the policy statement.
 *	Networks of AWS services that use [forward access sessions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_forward_access_sessions.html) to access resources on your behalf as denoted by `aws:ViaAWSService` in the policy statement. This access pattern applies when you access data via an AWS service, and that service takes subsequent actions on your behalf by using your IAM credentials.
 
 
 ### "Sid":"EnforceNetworkPerimeterOnLambdaRoles"
 
 This policy statement is included in the [network_perimeter_lambda_policy](/service_control_policies/service_specific_controls/network_perimeter_lambda_policy.json) and limits access to expected networks for service roles used by AWS Lambda. Expected networks are defined as follows:
-*   Your on-premises data centers and static egress points in AWS such as a NAT gateway that are specified by IP ranges (<my-corporate-cidr>) in the policy statement.
-*   Your organization’s VPCs that are specified by VPC IDs (<my-vpc>) in the policy statement.
+*   Your on-premises data centers and static egress points in AWS such as a NAT gateway that are specified by IP ranges (`<my-corporate-cidr>`) in the policy statement.
+*   Your organization’s VPCs that are specified by VPC IDs (`<my-vpc>`) in the policy statement.
 *   Networks of AWS services that use [forward access sessions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_forward_access_sessions.html) to access resources on your behalf as denoted by `aws:ViaAWSService` in the policy statement. This access pattern applies when you access data via an AWS service, and that service takes subsequent actions on your behalf by using your IAM credentials.
 *   AWS Lambda networks when the service interacts with [CloudWatch Logs]( https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html), [AWS X-Ray](https://aws.amazon.com/xray/), and [Amazon EFS]( https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html), as denoted by the `NotAction` element with the actions `xray:PutTraceSegments`,`logs:CreateLogGroup`,`logs:CreateLogStream`,`logs:PutLogEvents`, `elasticfilesystem:ClientMount`.
 
