AWS datasync high security documentation change
Summary
Added IAM policy conditions with aws:ResourceAccount checks in cross-account transfer tutorial
Security assessment
Implements account-specific resource validation to prevent potential misconfiguration vulnerabilities
Diff
diff --git a/datasync/latest/userguide/tutorial_s3-s3-cross-account-transfer.md b/datasync/latest/userguide/tutorial_s3-s3-cross-account-transfer.md index 779fe7bf0..33a636132 100644 --- a//datasync/latest/userguide/tutorial_s3-s3-cross-account-transfer.md +++ b//datasync/latest/userguide/tutorial_s3-s3-cross-account-transfer.md @@ -174,0 +175,4 @@ The IAM role that you just created needs the permissions that allow DataSync to +###### Note + +The value for `aws:ResourceAccount` should be the account ID that owns the Amazon S3 bucket specified in the policy. + @@ -185,0 +190,5 @@ The IAM role that you just created needs the permissions that allow DataSync to + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "123456789012" + } + } @@ -191,0 +201,3 @@ The IAM role that you just created needs the permissions that allow DataSync to + "s3:GetObjectTagging", + "s3:GetObjectVersion", + "s3:GetObjectVersionTagging", @@ -194 +205,0 @@ The IAM role that you just created needs the permissions that allow DataSync to - "s3:GetObjectTagging", @@ -198,0 +210,5 @@ The IAM role that you just created needs the permissions that allow DataSync to + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "123456789012" + } + }