AWS systems-manager high security documentation change
Summary
Added IAM condition requiring service principal validation
Security assessment
Adds security control to prevent confused deputy issues by enforcing iam:PassedToService condition
Diff
diff --git a/systems-manager/latest/userguide/monitoring-sns-notifications.md b/systems-manager/latest/userguide/monitoring-sns-notifications.md index 0752be0cc..ec6f0f451 100644 --- a//systems-manager/latest/userguide/monitoring-sns-notifications.md +++ b//systems-manager/latest/userguide/monitoring-sns-notifications.md @@ -261 +261,6 @@ For entities without administrator permissions, an administrator must grant the - "Resource": "arn:aws:iam::account-id:role/sns-role-name" + "Resource": "arn:aws:iam::account-id:role/sns-role-name", + "Condition": { + "StringEquals": { + "iam:PassedToService": "sns.amazonaws.com" + } + }