AWS Security ChangesHomeSearch

AWS mediapackage medium security documentation change

Service: mediapackage · 2025-07-18 · Security-related medium

File: mediapackage/latest/userguide/policies-permissions.md

Summary

Added explicit warning about wildcard restrictions in resource ARNs and simplified resource policy specificity explanation

Security assessment

The change explicitly prohibits wildcards in resource-based policies and emphasizes explicit ARN requirements. This prevents accidental over-permissioning by enforcing granular resource specification, addressing a common security misconfiguration risk.

Diff

diff --git a/mediapackage/latest/userguide/policies-permissions.md b/mediapackage/latest/userguide/policies-permissions.md
index 7dfdf60a5..06a620258 100644
--- a//mediapackage/latest/userguide/policies-permissions.md
+++ b//mediapackage/latest/userguide/policies-permissions.md
@@ -14,0 +15,4 @@ In its most basic sense, a policy contains the following elements:
+###### Important
+
+Wildcards are not allowed in the resource ARN in [resource-based policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_resource-based). The policy must contain the explicit ARN for each resource that it applies to.
+
@@ -47 +51,3 @@ To illustrate, consider the following `Allow` policy. With this policy in effect
-Resource policies are specific to the resources to which they are applied. Applying a policy to a particular origin endpoint that allows anonymous `GetObject` doesn't automatically apply `GetObject` to other endpoints even if the ARN matches. For instance, if you apply a policy to origin endpoint `abcdef01234567890`, it only applies to that endpoint and not to another endpoint with a similar ARN, like `021345abcdef6789`. This means that the policy is not automatically applied to any other resource with a matching ARN, and you must apply the policy explicitly to each resource that requires it.
+Resource policies are specific to the resources to which they are applied. You must apply the policy explicitly to each resource that requires it.
+
+For example, applying a policy to a particular origin endpoint that allows anonymous `GetObject` doesn't automatically apply `GetObject` to other endpoints even if the ARN matches. For instance, if you apply a policy to origin endpoint `abcdef01234567890`, it only applies to that endpoint and not to another endpoint with a similar ARN, like `021345abcdef6789`.