AWS Security ChangesHomeSearch

AWS firehose high security documentation change

Service: firehose · 2025-05-10 · Security-related high

File: firehose/latest/dev/controlling-access.md

Summary

Removed STS ExternalId condition from IAM policy example

Security assessment

Removal of the ExternalId condition weakens cross-account role assumption security by not enforcing protection against confused deputy attacks. This could lead to insecure IAM configurations if followed.

Diff

diff --git a/firehose/latest/dev/controlling-access.md b/firehose/latest/dev/controlling-access.md
index 5fb27b79e..4bc222b26 100644
--- a//firehose/latest/dev/controlling-access.md
+++ b//firehose/latest/dev/controlling-access.md
@@ -130,5 +129,0 @@ Amazon Data Firehose uses an IAM role for all the permissions that the Firehose
-    		"Condition": {
-    			"StringEquals": {
-    				"sts:ExternalId": "account-id"
-    			}
-    		}