AWS IAM medium security documentation change
Summary
Added documentation about wildcard usage in ARNs and automatic wildcard completion for incomplete ARNs
Security assessment
Explains security-critical behavior of policy evaluation regarding wildcards, helping prevent accidental over-permissioning. Reiterates security implications from reference_identifiers.md.
Diff
diff --git a/IAM/latest/UserGuide/reference_policies_grammar.md b/IAM/latest/UserGuide/reference_policies_grammar.md index e339fe82e..62e8799ce 100644 --- a//IAM/latest/UserGuide/reference_policies_grammar.md +++ b//IAM/latest/UserGuide/reference_policies_grammar.md @@ -240 +240,5 @@ Note that you can use * only to specify "everyone/anonymous." You cannot use it -In most cases, consists of an [Amazon Resource Name](./reference_identifiers.html#identifiers-arns) (ARN). +In most cases, consists of an [Amazon Resource Name](./reference_identifiers.html#identifiers-arns) (ARN). You can use wildcards (* and ?) in the resource portion of the ARN. For more information about using wildcards in ARNs, see [Using wildcards in paths](./reference-arns.html#arns-paths-wildcards). + +###### Note + +When you specify an incomplete ARN (one with fewer than the standard six fields) in an identity-based policy, AWS automatically completes the ARN by adding wildcard characters (*) to all missing fields. For example, specifying `arn:aws:sqs` is equivalent to `arn:aws:sqs:*:*:*`, which grants access to all Amazon SQS resources across all regions and accounts.