AWS firehose high security documentation change
Summary
Removed STS ExternalId condition from IAM policy example
Security assessment
Removal of the ExternalId condition weakens cross-account role assumption security by not enforcing protection against confused deputy attacks. This could lead to insecure IAM configurations if followed.
Diff
diff --git a/firehose/latest/dev/controlling-access.md b/firehose/latest/dev/controlling-access.md index 5fb27b79e..4bc222b26 100644 --- a//firehose/latest/dev/controlling-access.md +++ b//firehose/latest/dev/controlling-access.md @@ -130,5 +129,0 @@ Amazon Data Firehose uses an IAM role for all the permissions that the Firehose - "Condition": { - "StringEquals": { - "sts:ExternalId": "account-id" - } - }