AWS Security ChangesHomeSearch

AWS AmazonECS documentation change

Service: AmazonECS · 2025-07-18 · Documentation low

File: AmazonECS/latest/developerguide/task-iam-roles.md

Summary

Added JSON formatting blocks and modified IAM policy example to include S3 resource permissions while removing trust policy conditions

Security assessment

The change modifies an IAM policy example to demonstrate resource-based permissions (S3:GetObject) but removes trust policy conditions that enforce source validation. While this updates security documentation, there's no evidence of addressing a specific vulnerability.

Diff

diff --git a/AmazonECS/latest/developerguide/task-iam-roles.md b/AmazonECS/latest/developerguide/task-iam-roles.md
index 6453a8d2f..d5998f429 100644
--- a//AmazonECS/latest/developerguide/task-iam-roles.md
+++ b//AmazonECS/latest/developerguide/task-iam-roles.md
@@ -51,0 +52,6 @@ When creating your task IAM role, it is recommended that you use the `aws:Source
+JSON
+    
+
+****
+    
+    
@@ -129,0 +137,8 @@ Replace all `user input` with your own values.
+JSON
+
+JSON
+    
+
+****
+    
+    
@@ -186,0 +203,8 @@ AWS CLI
+JSON
+
+JSON
+    
+
+****
+    
+    
@@ -192,3 +216,5 @@ AWS CLI
-             "Principal":{
-                "Service":[
-                   "ecs-tasks.amazonaws.com"
+             "Action":[
+                "s3:GetObject"
+             ],
+             "Resource":[
+                "arn:aws:s3:::my-task-secrets-bucket/*"
@@ -196,10 +221,0 @@ AWS CLI
-             },
-             "Action":"sts:AssumeRole",
-             "Condition":{
-                "ArnLike":{
-                "aws:SourceArn":"arn:aws:ecs:us-west-2:111122223333:*"
-                },
-                "StringEquals":{
-                   "aws:SourceAccount":"111122223333"
-                }
-             }
@@ -246,0 +264,6 @@ Use the following policy for your task IAM role to add the required Amazon ECR p
+JSON
+    
+
+****
+    
+    
@@ -268,0 +293,6 @@ Use the following policy for your task IAM role to add the required SSM permissi
+JSON
+    
+
+****
+    
+