AWS mediaconvert high security documentation change
Summary
Added IAM policy condition restricting role assumption to MediaConvert service
Security assessment
Added 'iam:PassedToService' condition prevents confused deputy issues by limiting where the role can be used, directly addressing security best practices
Diff
diff --git a/mediaconvert/latest/ug/security_iam_id-based-policy-examples.md b/mediaconvert/latest/ug/security_iam_id-based-policy-examples.md index b04a0e086..bd5866835 100644 --- a//mediaconvert/latest/ug/security_iam_id-based-policy-examples.md +++ b//mediaconvert/latest/ug/security_iam_id-based-policy-examples.md @@ -81 +81,5 @@ The following sample policy grants the IAM user permissions to all AWS Elemental - "Resource": "arn:aws:iam::111122223333:role/MediaConvertRole" + "Resource": "arn:aws:iam::111122223333:role/MediaConvertRole", + "Condition": { + "StringLike": { + "iam:PassedToService": "mediaconvert.amazonaws.com" + } @@ -158 +162,5 @@ The following example policy grants the basic permissions to operate AWS Element - "Resource": "arn:aws:iam::111122223333:role/MediaConvertRole" + "Resource": "arn:aws:iam::111122223333:role/MediaConvertRole", + "Condition": { + "StringLike": { + "iam:PassedToService": "mediaconvert.amazonaws.com" + }