AWS Security ChangesHomeSearch

AWS awscloudtrail high security documentation change

Service: awscloudtrail · 2025-05-31 · Security-related high

File: awscloudtrail/latest/userguide/cloudtrail-delegated-administrator-permissions.md

Summary

Added guidance for using IAM condition keys to restrict service-linked role creation

Security assessment

Explicitly addresses security by demonstrating how to limit CreateServiceLinkedRole permissions to CloudTrail service principals, preventing potential privilege escalation through unauthorized role creation

Diff

diff --git a/awscloudtrail/latest/userguide/cloudtrail-delegated-administrator-permissions.md b/awscloudtrail/latest/userguide/cloudtrail-delegated-administrator-permissions.md
index 7b10783c1..480fe3391 100644
--- a//awscloudtrail/latest/userguide/cloudtrail-delegated-administrator-permissions.md
+++ b//awscloudtrail/latest/userguide/cloudtrail-delegated-administrator-permissions.md
@@ -4,0 +5,2 @@
+Considerations for condition keys
+
@@ -26,0 +29,22 @@ You can add the following statement to the end of an IAM policy to grant these p
+## Considerations when using condition keys with policy statements for delegated administrator permissions
+
+You might consider using IAM global condition keys when adding policy statements to add and remove the delegated administrator in CloudTrail for additional security. When doing so, remember to include both service principal names (SPNs) to the condition. For example: 
+    
+    
+    {
+          "Condition": {
+            "StringLike": {
+              "iam:AWSServiceName": [
+                "context.cloudtrail.amazonaws.com",
+                "cloudtrail.amazonaws.com"
+              ]
+            }
+          },
+          "Action": "iam:CreateServiceLinkedRole",
+          "Resource": "*",
+          "Effect": "Allow"
+    }
+            
+
+For more information, see [Identity and Access Management for AWS CloudTrail](./security-iam.html).
+