AWS AmazonECS high security documentation change
Summary
Modified IAM policy examples with incorrect action prefixes and ARN formats, added JSON markers
Security assessment
Introduced policy syntax errors: Changed 'ecs:DescribeServices' to ':DescribeServices' (missing service prefix) and 'arn:aws:ecs:*:*:service/*' to invalid 'arn:aws::*:*:service/*'. These changes could lead to dangerous policy misconfigurations if followed by users.
Diff
diff --git a/AmazonECS/latest/developerguide/security_iam_id-based-policy-examples.md b/AmazonECS/latest/developerguide/security_iam_id-based-policy-examples.md index 7af5c629d..fe4db1dc0 100644 --- a//AmazonECS/latest/developerguide/security_iam_id-based-policy-examples.md +++ b//AmazonECS/latest/developerguide/security_iam_id-based-policy-examples.md @@ -396,0 +397,6 @@ You can use conditions in your identity-based policy to control access to Amazon +JSON + + +**** + + @@ -404 +410 @@ You can use conditions in your identity-based policy to control access to Amazon - "Action": "ecs:DescribeServices", + "Action": ":DescribeServices", @@ -410,2 +416,2 @@ You can use conditions in your identity-based policy to control access to Amazon - "Action": "ecs:DescribeServices", - "Resource": "arn:aws:ecs:*:*:service/*", + "Action": ":DescribeServices", + "Resource": "arn:aws::*:*:service/*", @@ -413 +419 @@ You can use conditions in your identity-based policy to control access to Amazon - "StringEquals": {"ecs:ResourceTag/Owner": "${aws:username}"} + "StringEquals": {":ResourceTag/Owner": "${aws:username}"}