AWS datasync high security documentation change
Summary
Added IAM policy conditions requiring aws:ResourceAccount validation for cross-account S3 transfers
Security assessment
Introduces account ID validation to prevent cross-account access vulnerabilities in IAM policies
Diff
diff --git a/datasync/latest/userguide/s3-cross-account-transfer.md b/datasync/latest/userguide/s3-cross-account-transfer.md index f7287203b..fe77cc956 100644 --- a//datasync/latest/userguide/s3-cross-account-transfer.md +++ b//datasync/latest/userguide/s3-cross-account-transfer.md @@ -197,0 +198,4 @@ The IAM role that you just created needs the permissions that allow DataSync to +###### Note + +The value for `aws:ResourceAccount` should be the account ID that owns the Amazon S3 bucket specified in the policy. + @@ -208,0 +213,5 @@ The IAM role that you just created needs the permissions that allow DataSync to + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "123456789012" + } + } @@ -214,0 +224,3 @@ The IAM role that you just created needs the permissions that allow DataSync to + "s3:GetObjectTagging", + "s3:GetObjectVersion", + "s3:GetObjectVersionTagging", @@ -217 +228,0 @@ The IAM role that you just created needs the permissions that allow DataSync to - "s3:GetObjectTagging", @@ -221,0 +233,5 @@ The IAM role that you just created needs the permissions that allow DataSync to + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "123456789012" + } + }