AWS rolesanywhere medium security documentation change
Summary
Added link to trust policy examples in security recommendation
Security assessment
The change adds a reference to trust policy examples that enforce certificate validation conditions. This directly relates to security best practices for limiting role assumption privileges.
Diff
diff --git a/rolesanywhere/latest/userguide/getting-started.md index f1eb4598f..c9e0f900f 100644 --- a/rolesanywhere/latest/userguide/getting-started.md +++ b/rolesanywhere/latest/userguide/getting-started.md @@ -110 +110 @@ Before you can create an IAM Roles Anywhere profile, you need at least one IAM r -Without a `Condition` statement present in a role trust policy, any valid certificate from the CA used as the trust anchor, or CAs subordinate to that trust anchor may be used to assume a role via IAM roles anywhere. We recommend you use `Condition` statements on both the subject and issuer attributes to ensure that only certificates that you intend to be able to assume a role can do so. +Without a `Condition` statement present in a role trust policy, any valid certificate from the CA used as the trust anchor, or CAs subordinate to that trust anchor may be used to assume a role via IAM roles anywhere. We recommend you use `Condition` statements on both the subject and issuer attributes to ensure that only certificates that you intend to be able to assume a role can do so. For examples, see [Trust policy](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/trust-model.html#trust-policy).