AWS apprunner high security documentation change
Summary
Modified IAM policy actions/resource ARNs and added JSON section breaks
Security assessment
Changes to IAM policy actions (e.g., replacing 'apprunner:' with ':') and resource ARNs (e.g., 'arn:aws::*') introduce stricter scoping of permissions. This prevents potential over-permissioning by limiting wildcard usage, addressing a security best practice.
Diff
diff --git a/apprunner/latest/dg/security_iam_id-based-policy-examples.md b/apprunner/latest/dg/security_iam_id-based-policy-examples.md index 4b477ea40..03ea247e7 100644 --- a//apprunner/latest/dg/security_iam_id-based-policy-examples.md +++ b//apprunner/latest/dg/security_iam_id-based-policy-examples.md @@ -67,0 +68,6 @@ This example policy enables console access and allows connection creation and ma +JSON + + +**** + + @@ -75,4 +81,4 @@ This example policy enables console access and allows connection creation and ma - "apprunner:List*", - "apprunner:Describe*", - "apprunner:CreateConnection", - "apprunner:DeleteConnection" + ":List*", + ":Describe*", + ":CreateConnection", + ":DeleteConnection" @@ -90,0 +98,6 @@ This example policy enables creating an App Runner service but denies using a co +JSON + + +**** + + @@ -98 +111 @@ This example policy enables creating an App Runner service but denies using a co - "Action": "apprunner:CreateService", + "Action": ":CreateService", @@ -102 +115 @@ This example policy enables creating an App Runner service but denies using a co - "apprunner:ConnectionArn": "arn:aws:apprunner:*:*:connection/prod/*" + ":ConnectionArn": "arn:aws::*:*:connection/prod/*" @@ -110,0 +125,6 @@ This example policy enables updating an App Runner service named `preprod` only +JSON + + +**** + + @@ -118,2 +138,2 @@ This example policy enables updating an App Runner service named `preprod` only - "Action": "apprunner:UpdateService", - "Resource": "arn:aws:apprunner:*:*:service/preprod/*", + "Action": ":UpdateService", + "Resource": "arn:aws::*:*:service/preprod/*", @@ -122 +142 @@ This example policy enables updating an App Runner service named `preprod` only - "apprunner:AutoScalingConfigurationArn": "arn:aws:apprunner:*:*:autoscalingconfiguration/preprod/*" + ":AutoScalingConfigurationArn": "arn:aws::*:*:autoscalingconfiguration/preprod/*" @@ -132,0 +154,6 @@ You can use conditions in your identity-based policy to control access to App Ru +JSON + + +**** + + @@ -140 +167 @@ You can use conditions in your identity-based policy to control access to App Ru - "Action": "apprunner:ListServices", + "Action": ":ListServices", @@ -146,2 +173,2 @@ You can use conditions in your identity-based policy to control access to App Ru - "Action": "apprunner:DeleteService", - "Resource": "arn:aws:apprunner:*:*:service/*", + "Action": ":DeleteService", + "Resource": "arn:aws::*:*:service/*", @@ -149 +176 @@ You can use conditions in your identity-based policy to control access to App Ru - "StringEquals": {"apprunner:ResourceTag/Owner": "${aws:username}"} + "StringEquals": {":ResourceTag/Owner": "${aws:username}"}