AWS Security ChangesHomeSearch

AWS mediaconvert high security documentation change

Service: mediaconvert · 2025-04-11 · Security-related high

File: mediaconvert/latest/ug/security_iam_id-based-policy-examples.md

Summary

Added IAM policy condition restricting role assumption to MediaConvert service

Security assessment

Added 'iam:PassedToService' condition prevents confused deputy issues by limiting where the role can be used, directly addressing security best practices

Diff

diff --git a/mediaconvert/latest/ug/security_iam_id-based-policy-examples.md b/mediaconvert/latest/ug/security_iam_id-based-policy-examples.md
index b04a0e086..bd5866835 100644
--- a//mediaconvert/latest/ug/security_iam_id-based-policy-examples.md
+++ b//mediaconvert/latest/ug/security_iam_id-based-policy-examples.md
@@ -81 +81,5 @@ The following sample policy grants the IAM user permissions to all AWS Elemental
-          "Resource": "arn:aws:iam::111122223333:role/MediaConvertRole"
+          "Resource": "arn:aws:iam::111122223333:role/MediaConvertRole",
+          "Condition": {
+            "StringLike": {
+                "iam:PassedToService": "mediaconvert.amazonaws.com"
+            }
@@ -158 +162,5 @@ The following example policy grants the basic permissions to operate AWS Element
-          "Resource": "arn:aws:iam::111122223333:role/MediaConvertRole"
+          "Resource": "arn:aws:iam::111122223333:role/MediaConvertRole",
+          "Condition": {
+            "StringLike": {
+                "iam:PassedToService": "mediaconvert.amazonaws.com"
+            }