AWS IAM medium security documentation change
Summary
Added note explaining AWS automatically completes incomplete ARNs with wildcards in identity-based policies
Security assessment
Clarifies potential over-permissive access risks when using incomplete ARNs, which could lead to unintended resource exposure if misunderstood. Directly addresses security implications of policy syntax.
Diff
diff --git a/IAM/latest/UserGuide/reference_identifiers.md b/IAM/latest/UserGuide/reference_identifiers.md index b95221ec5..1bb3009fd 100644 --- a//IAM/latest/UserGuide/reference_identifiers.md +++ b//IAM/latest/UserGuide/reference_identifiers.md @@ -268,0 +269,4 @@ Don't use a wildcard in the `user/`, `group/`, or `policy/` part of the ARN. For +###### Note + +When you specify an incomplete ARN (one with fewer than the standard six fields) in an identity-based policy, AWS automatically completes the ARN by adding wildcard characters (*) to all missing fields. For example, specifying `arn:aws:sqs` is equivalent to `arn:aws:sqs:*:*:*`, which grants access to all Amazon SQS resources across all regions and accounts. +