AWS datasync high security documentation change
Summary
Enhanced example IAM policies with aws:ResourceAccount conditions for S3 access
Security assessment
Adds critical account ownership validation to prevent cross-account privilege escalation risks
Diff
diff --git a/datasync/latest/userguide/using-identity-based-policies.md b/datasync/latest/userguide/using-identity-based-policies.md index 4e40409c6..36309b14b 100644 --- a//datasync/latest/userguide/using-identity-based-policies.md +++ b//datasync/latest/userguide/using-identity-based-policies.md @@ -93,0 +94,4 @@ The following example policy grants DataSync the minimum permissions to read and +###### Note + +The value for `aws:ResourceAccount` should be the account ID that owns the Amazon S3 bucket specified in the policy. + @@ -105,0 +110,5 @@ The following example policy grants DataSync the minimum permissions to read and + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "123456789012" + } + } @@ -120,0 +130,5 @@ The following example policy grants DataSync the minimum permissions to read and + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "123456789012" + } + }