AWS mediapackage medium security documentation change
Summary
Added explicit warning about wildcard restrictions in resource ARNs and simplified resource policy specificity explanation
Security assessment
The change explicitly prohibits wildcards in resource-based policies and emphasizes explicit ARN requirements. This prevents accidental over-permissioning by enforcing granular resource specification, addressing a common security misconfiguration risk.
Diff
diff --git a/mediapackage/latest/userguide/policies-permissions.md b/mediapackage/latest/userguide/policies-permissions.md index 7dfdf60a5..06a620258 100644 --- a//mediapackage/latest/userguide/policies-permissions.md +++ b//mediapackage/latest/userguide/policies-permissions.md @@ -14,0 +15,4 @@ In its most basic sense, a policy contains the following elements: +###### Important + +Wildcards are not allowed in the resource ARN in [resource-based policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_resource-based). The policy must contain the explicit ARN for each resource that it applies to. + @@ -47 +51,3 @@ To illustrate, consider the following `Allow` policy. With this policy in effect -Resource policies are specific to the resources to which they are applied. Applying a policy to a particular origin endpoint that allows anonymous `GetObject` doesn't automatically apply `GetObject` to other endpoints even if the ARN matches. For instance, if you apply a policy to origin endpoint `abcdef01234567890`, it only applies to that endpoint and not to another endpoint with a similar ARN, like `021345abcdef6789`. This means that the policy is not automatically applied to any other resource with a matching ARN, and you must apply the policy explicitly to each resource that requires it. +Resource policies are specific to the resources to which they are applied. You must apply the policy explicitly to each resource that requires it. + +For example, applying a policy to a particular origin endpoint that allows anonymous `GetObject` doesn't automatically apply `GetObject` to other endpoints even if the ARN matches. For instance, if you apply a policy to origin endpoint `abcdef01234567890`, it only applies to that endpoint and not to another endpoint with a similar ARN, like `021345abcdef6789`.