AWS awscloudtrail high security documentation change
Summary
Added guidance for using IAM condition keys to restrict service-linked role creation
Security assessment
Explicitly addresses security by demonstrating how to limit CreateServiceLinkedRole permissions to CloudTrail service principals, preventing potential privilege escalation through unauthorized role creation
Diff
diff --git a/awscloudtrail/latest/userguide/cloudtrail-delegated-administrator-permissions.md b/awscloudtrail/latest/userguide/cloudtrail-delegated-administrator-permissions.md index 7b10783c1..480fe3391 100644 --- a//awscloudtrail/latest/userguide/cloudtrail-delegated-administrator-permissions.md +++ b//awscloudtrail/latest/userguide/cloudtrail-delegated-administrator-permissions.md @@ -4,0 +5,2 @@ +Considerations for condition keys + @@ -26,0 +29,22 @@ You can add the following statement to the end of an IAM policy to grant these p +## Considerations when using condition keys with policy statements for delegated administrator permissions + +You might consider using IAM global condition keys when adding policy statements to add and remove the delegated administrator in CloudTrail for additional security. When doing so, remember to include both service principal names (SPNs) to the condition. For example: + + + { + "Condition": { + "StringLike": { + "iam:AWSServiceName": [ + "context.cloudtrail.amazonaws.com", + "cloudtrail.amazonaws.com" + ] + } + }, + "Action": "iam:CreateServiceLinkedRole", + "Resource": "*", + "Effect": "Allow" + } + + +For more information, see [Identity and Access Management for AWS CloudTrail](./security-iam.html). +