AWS systems-manager high security documentation change
Summary
Corrected policy syntax for tag-based access control from `resource.hasTag("Purpose:Testing")` to explicit tag key/value checks.
Security assessment
Fixes a policy syntax error that could have led to incorrect access control enforcement, addressing a potential security misconfiguration.
Diff
diff --git a/systems-manager/latest/userguide/auto-approval-deny-access-policy-statement-structure.md b/systems-manager/latest/userguide/auto-approval-deny-access-policy-statement-structure.md index e043e6016..0734a1834 100644 --- a//systems-manager/latest/userguide/auto-approval-deny-access-policy-statement-structure.md +++ b//systems-manager/latest/userguide/auto-approval-deny-access-policy-statement-structure.md @@ -77 +77 @@ The following example shows how to write a policy if a context property uses a ` - principal has employeeNumber && principal.employeeNumber like "E-1*" && resource.hasTag("Purpose:Testing") + principal has employeeNumber && principal.employeeNumber like "E-1*" && resource.hasTag("Purpose") && resource.getTag("Purpose") == "Testing"