AWS securityhub medium security documentation change
Summary
Corrected IAM terminology (Principle to Principal) and added policy evaluation limitations note
Security assessment
Fixes critical IAM terminology and adds explicit documentation about security control limitations regarding policy conditions with wildcards/variables, directly addressing potential misconfigurations that could lead to unauthorized access.
Diff
diff --git a/securityhub/latest/userguide/sns-controls.md b/securityhub/latest/userguide/sns-controls.md index dcf135a98..a454684d0 100644 --- a//securityhub/latest/userguide/sns-controls.md +++ b//securityhub/latest/userguide/sns-controls.md @@ -124 +124,5 @@ This control checks if the Amazon SNS topic access policy allows public access. -You use an SNS access policy with a particular topic to restrict who can work with that topic (for example, who can publish messages to it or who can subscribe to it). SNS policies can grant access to other AWS accounts, or to users within your own AWS account. Providing a wildcard (*) in the `Principle` field of the topic policy and a lack of conditions to limit the topic policy can result in data exfiltration, denial of service, or undesired injection of messages into your service by an attacker. +You use an Amazon SNS access policy with a particular topic to restrict who can work with that topic (for example, who can publish messages to it or who can subscribe to it). SNS policies can grant access to other AWS accounts, or to users within your own AWS account. Providing a wildcard (*) in the `Principal` field of the topic policy and a lack of conditions to limit the topic policy can result in data exfiltration, denial of service, or undesired injection of messages into your service by an attacker. + +###### Note + +This control doesn't evaluate policy conditions that use wildcard characters or variables. To produce a `PASSED` finding, conditions in the Amazon SNS access policy for a topic must only use fixed values, which are values that don't contain wildcard characters or policy variables. For information about policy variables, see [Variables and tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html) in the _AWS Identity and Access Management User Guide_.