AWS IAM high security documentation change
Summary
Added notes in multiple sections warning about service-to-service calls redacting network context and advising to exclude AWS service principals from Deny statements using aws:PrincipalIsAWSService condition
Security assessment
The change addresses a potential security misconfiguration where Deny policies using network condition keys could unintentionally block AWS service principals. This provides explicit guidance to prevent service disruptions while maintaining security controls.
Diff
diff --git a/IAM/latest/UserGuide/reference_policies_condition-keys.md b/IAM/latest/UserGuide/reference_policies_condition-keys.md index a78017a15..847b0ad7a 100644 --- a//IAM/latest/UserGuide/reference_policies_condition-keys.md +++ b//IAM/latest/UserGuide/reference_policies_condition-keys.md @@ -1148,0 +1149,4 @@ If the request comes from a host that uses an Amazon VPC endpoint, then the `aws +###### Note + +When AWS services make calls to other AWS services on your behalf (service-to-service calls), certain network-specific authorization context is redacted. If your policy uses this condition key with `Deny` statements, AWS service principals might be unintentionally blocked. To allow AWS services to work properly while maintaining your security requirements, exclude service principals from your `Deny` statements by adding the `aws:PrincipalIsAWSService` condition key with a value of `false`. + @@ -1228,0 +1233,4 @@ The `aws:VpcSourceIp` condition key should always be used in conjunction with ei +###### Note + +When AWS services make calls to other AWS services on your behalf (service-to-service calls), certain network-specific authorization context is redacted. If your policy uses this condition key with `Deny` statements, AWS service principals might be unintentionally blocked. To allow AWS services to work properly while maintaining your security requirements, exclude service principals from your `Deny` statements by adding the `aws:PrincipalIsAWSService` condition key with a value of `false`. + @@ -2028,0 +2037,19 @@ Use this key to check whether the request was sent using TLS. The request contex +###### Note + +When AWS services make calls to other AWS services on your behalf (service-to-service calls), certain network-specific authorization context is redacted. If your policy uses this condition key with `Deny` statements, AWS service principals might be unintentionally blocked. To allow AWS services to work properly while maintaining your security requirements, exclude service principals from your `Deny` statements by adding the `aws:PrincipalIsAWSService` condition key with a value of `false`. For example: + + + { + "Effect": "Deny", + "Action": "s3:*", + "Resource": "*", + "Condition": { + "Bool": { + "aws:SecureTransport": "false", + "aws:PrincipalIsAWSService": "false" + } + } + } + +This policy denies access to Amazon S3 operations when HTTPS is not used (`aws:SecureTransport` is false), but only for non-AWS service principals. This ensures your conditional restrictions apply to all principals except AWS service principals. +