AWS Security ChangesHomeSearch

AWS apprunner high security documentation change

Service: apprunner · 2025-07-18 · Security-related high

File: apprunner/latest/dg/security_iam_id-based-policy-examples.md

Summary

Modified IAM policy actions/resource ARNs and added JSON section breaks

Security assessment

Changes to IAM policy actions (e.g., replacing 'apprunner:' with ':') and resource ARNs (e.g., 'arn:aws::*') introduce stricter scoping of permissions. This prevents potential over-permissioning by limiting wildcard usage, addressing a security best practice.

Diff

diff --git a/apprunner/latest/dg/security_iam_id-based-policy-examples.md b/apprunner/latest/dg/security_iam_id-based-policy-examples.md
index 4b477ea40..03ea247e7 100644
--- a//apprunner/latest/dg/security_iam_id-based-policy-examples.md
+++ b//apprunner/latest/dg/security_iam_id-based-policy-examples.md
@@ -67,0 +68,6 @@ This example policy enables console access and allows connection creation and ma
+JSON
+    
+
+****
+    
+    
@@ -75,4 +81,4 @@ This example policy enables console access and allows connection creation and ma
-            "apprunner:List*",
-            "apprunner:Describe*",
-            "apprunner:CreateConnection",
-            "apprunner:DeleteConnection"
+            ":List*",
+            ":Describe*",
+            ":CreateConnection",
+            ":DeleteConnection"
@@ -90,0 +98,6 @@ This example policy enables creating an App Runner service but denies using a co
+JSON
+    
+
+****
+    
+    
@@ -98 +111 @@ This example policy enables creating an App Runner service but denies using a co
-          "Action": "apprunner:CreateService",
+          "Action": ":CreateService",
@@ -102 +115 @@ This example policy enables creating an App Runner service but denies using a co
-              "apprunner:ConnectionArn": "arn:aws:apprunner:*:*:connection/prod/*"
+              ":ConnectionArn": "arn:aws::*:*:connection/prod/*"
@@ -110,0 +125,6 @@ This example policy enables updating an App Runner service named `preprod` only
+JSON
+    
+
+****
+    
+    
@@ -118,2 +138,2 @@ This example policy enables updating an App Runner service named `preprod` only
-          "Action": "apprunner:UpdateService",
-          "Resource": "arn:aws:apprunner:*:*:service/preprod/*",
+          "Action": ":UpdateService",
+          "Resource": "arn:aws::*:*:service/preprod/*",
@@ -122 +142 @@ This example policy enables updating an App Runner service named `preprod` only
-              "apprunner:AutoScalingConfigurationArn": "arn:aws:apprunner:*:*:autoscalingconfiguration/preprod/*"
+              ":AutoScalingConfigurationArn": "arn:aws::*:*:autoscalingconfiguration/preprod/*"
@@ -132,0 +154,6 @@ You can use conditions in your identity-based policy to control access to App Ru
+JSON
+    
+
+****
+    
+    
@@ -140 +167 @@ You can use conditions in your identity-based policy to control access to App Ru
-          "Action": "apprunner:ListServices",
+          "Action": ":ListServices",
@@ -146,2 +173,2 @@ You can use conditions in your identity-based policy to control access to App Ru
-          "Action": "apprunner:DeleteService",
-          "Resource": "arn:aws:apprunner:*:*:service/*",
+          "Action": ":DeleteService",
+          "Resource": "arn:aws::*:*:service/*",
@@ -149 +176 @@ You can use conditions in your identity-based policy to control access to App Ru
-            "StringEquals": {"apprunner:ResourceTag/Owner": "${aws:username}"}
+            "StringEquals": {":ResourceTag/Owner": "${aws:username}"}