AWS Security ChangesHomeSearch

AWS IAM high security documentation change

Service: IAM · 2025-06-07 · Security-related high

File: IAM/latest/UserGuide/reference_policies_condition-keys.md

Summary

Added notes in multiple sections warning about service-to-service calls redacting network context and advising to exclude AWS service principals from Deny statements using aws:PrincipalIsAWSService condition

Security assessment

The change addresses a potential security misconfiguration where Deny policies using network condition keys could unintentionally block AWS service principals. This provides explicit guidance to prevent service disruptions while maintaining security controls.

Diff

diff --git a/IAM/latest/UserGuide/reference_policies_condition-keys.md b/IAM/latest/UserGuide/reference_policies_condition-keys.md
index a78017a15..847b0ad7a 100644
--- a//IAM/latest/UserGuide/reference_policies_condition-keys.md
+++ b//IAM/latest/UserGuide/reference_policies_condition-keys.md
@@ -1148,0 +1149,4 @@ If the request comes from a host that uses an Amazon VPC endpoint, then the `aws
+###### Note
+
+When AWS services make calls to other AWS services on your behalf (service-to-service calls), certain network-specific authorization context is redacted. If your policy uses this condition key with `Deny` statements, AWS service principals might be unintentionally blocked. To allow AWS services to work properly while maintaining your security requirements, exclude service principals from your `Deny` statements by adding the `aws:PrincipalIsAWSService` condition key with a value of `false`.
+
@@ -1228,0 +1233,4 @@ The `aws:VpcSourceIp` condition key should always be used in conjunction with ei
+###### Note
+
+When AWS services make calls to other AWS services on your behalf (service-to-service calls), certain network-specific authorization context is redacted. If your policy uses this condition key with `Deny` statements, AWS service principals might be unintentionally blocked. To allow AWS services to work properly while maintaining your security requirements, exclude service principals from your `Deny` statements by adding the `aws:PrincipalIsAWSService` condition key with a value of `false`.
+
@@ -2028,0 +2037,19 @@ Use this key to check whether the request was sent using TLS. The request contex
+###### Note
+
+When AWS services make calls to other AWS services on your behalf (service-to-service calls), certain network-specific authorization context is redacted. If your policy uses this condition key with `Deny` statements, AWS service principals might be unintentionally blocked. To allow AWS services to work properly while maintaining your security requirements, exclude service principals from your `Deny` statements by adding the `aws:PrincipalIsAWSService` condition key with a value of `false`. For example:
+    
+    
+    {
+      "Effect": "Deny",
+      "Action": "s3:*",
+      "Resource": "*",
+      "Condition": {
+        "Bool": {
+          "aws:SecureTransport": "false",
+          "aws:PrincipalIsAWSService": "false"
+        }
+      }
+    }
+
+This policy denies access to Amazon S3 operations when HTTPS is not used (`aws:SecureTransport` is false), but only for non-AWS service principals. This ensures your conditional restrictions apply to all principals except AWS service principals.
+