AWS config medium security documentation change
Summary
Clarified policy evaluation criteria to require fixed values without variables
Security assessment
Addresses potential security risks from overly permissive policies by restricting variable usage, preventing accidental public access through policy variables
Diff
diff --git a/config/latest/developerguide/iam-customer-policy-blocked-kms-actions.md b/config/latest/developerguide/iam-customer-policy-blocked-kms-actions.md index f4b78422e..961f0fd91 100644 --- a//config/latest/developerguide/iam-customer-policy-blocked-kms-actions.md +++ b//config/latest/developerguide/iam-customer-policy-blocked-kms-actions.md @@ -13 +13 @@ Checks if the managed AWS Identity and Access Management (IAM) policies that you -This rule does not evaluate variables or conditions in IAM policies. For more information, see [IAM policy elements: Variables](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#policy-vars-using-variables) and [IAM JSON policy elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the _IAM User Guide_. +To be considered non-public, an IAM policy must grant access only to fixed values. This means values that don't contain a wildcard or the following IAM policy element: [Variables](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#policy-vars-using-variables).