AWS eventbridge medium security documentation change
Summary
Updated IAM policy with account matching condition for Secrets Manager access
Security assessment
Added Condition block enforcing same-account access for secrets, addressing potential cross-account security risks
Diff
diff --git a/eventbridge/latest/userguide/eb-use-identity-based.md b/eventbridge/latest/userguide/eb-use-identity-based.md index 7ab867ce0..4892f785f 100644 --- a//eventbridge/latest/userguide/eb-use-identity-based.md +++ b//eventbridge/latest/userguide/eb-use-identity-based.md @@ -186 +186,6 @@ You can't attach [AmazonEventBridgeApiDestinationsServiceRolePolicy](https://doc - "Resource": "arn:aws:secretsmanager:*:*:secret:events!connection/*" + "Resource": "arn:aws:secretsmanager:*:*:secret:events!connection/*", + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "${aws:PrincipalAccount}" + } + } @@ -487,0 +493 @@ Change | Description | Date +AmazonEventBridgeApiDestinationsServiceRolePolicy – Updated policy | EventBridge updated policy to restrict the scope of permissions for Secrets Manager operations to the same account. | May 29, 2025