AWS res high security documentation change
Summary
Removed region specification from IAM role ARN in cross-account bucket policy example
Security assessment
Fixing the IAM role ARN format (removing invalid region component) prevents potential policy failures that could lead to unintended access denials. Incorrect ARNs could create security risks through misconfigured access controls.
Diff
diff --git a/res/latest/ug/S3-buckets-cross-account-access.md b/res/latest/ug/S3-buckets-cross-account-access.md index a89e1204b..24a59315f 100644 --- a//res/latest/ug/S3-buckets-cross-account-access.md +++ b//res/latest/ug/S3-buckets-cross-account-access.md @@ -69 +69 @@ RES has the ability to mount buckets from other AWS accounts, provided these buc - 3. Paste the following JSON policy (replace ``<ACCOUNT_ID>`` with the actual account ID of Account A, ``<ENVIRONMENT_NAME>`` with the environment name of the RES deployment, and ``<REGION>`` with the AWS region RES is deployed to): + 3. Paste the following JSON policy (replace ``<ACCOUNT_ID>`` with the actual account ID of Account A, and ``<ENVIRONMENT_NAME>`` with the environment name of the RES deployment: @@ -77 +77 @@ RES has the ability to mount buckets from other AWS accounts, provided these buc - "AWS": "arn:aws:iam::<ACCOUNT_ID>:role/<ENVIRONMENT_NAME>-custom-credential-broker-lambda-role-<REGION>" + "AWS": "arn:aws:iam::<ACCOUNT_ID>:role/<ENVIRONMENT_NAME>-custom-credential-broker-lambda-role"