AWS IAM medium security documentation change
Summary
Updated policy check guidance to require characters preceding policy variables/wildcards instead of following them
Security assessment
The change addresses overly permissive policies by requiring 6 characters before variables/wildcards rather than after. This reduces attack surface by preventing overly broad patterns like `${aws:username}*` which could allow privilege escalation. The updates enforce more restrictive patterns aligned with least privilege principles.
Diff
diff --git a/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.md b/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.md index 774b73aea..528a5ac33 100644 --- a//IAM/latest/UserGuide/access-analyzer-reference-policy-checks.md +++ b//IAM/latest/UserGuide/access-analyzer-reference-policy-checks.md @@ -2814 +2814 @@ In the AWS Management Console, the finding for this check includes the following - Variable usage too permissive: Overly permissive use of policy variable for the {{key}} condition key. Use the policy variable followed by 6 consecutive characters. + Variable usage too permissive: Overly permissive use of policy variable for the {{key}} condition key. Use the policy variable preceded by 6 consecutive characters. @@ -2825 +2825 @@ In programmatic calls to the AWS CLI or AWS API, the finding for this check incl - "findingDetails": "Overly permissive use of policy variable for the {{key}} condition key. Use the policy variable followed by 6 consecutive characters." + "findingDetails": "Overly permissive use of policy variable for the {{key}} condition key. Use the policy variable preceded by 6 consecutive characters." @@ -2837 +2837 @@ There are three possible finding messages for this error. - * For the first error message, modify your policy variable usage to be more specific. Add at least 6 consecutive characters after the policy variable to reduce the scope of permissions. For example, instead of using `${aws:username}*`, use `${aws:username}folder/*` or `${aws:username}-resource-*`. This ensures that the policy variable doesn't grant overly broad access. + * For the first error message, modify your policy variable usage to be more specific. Add at least 6 consecutive characters before the policy variable to reduce the scope of permissions. For example, instead of using `${aws:username}`, use `prefix-${aws:username}` or `myapp-${aws:username}`. This ensures that the policy variable doesn't grant overly broad access. @@ -2841 +2841 @@ There are three possible finding messages for this error. - * For the third error message, modify your `aws:userID` policy variable usage to be more restrictive. Place the policy variable on the right side of a colon (after the account ID) or use it as the only character on the left side of a colon. For example, use `AIDACKCEVSQ6C2EXAMPLE:${aws:userid}` or `${aws:userid}` instead of `${aws:userid}:*`. + * For the third error message, modify your `aws:userID` policy variable usage to be more restrictive. Place the policy variable on the right side of a colon (after the account ID) or use it as the only character on the left side of a colon. For example, use `AIDACKCEVSQ6C2EXAMPLE:${aws:userid}` or `${aws:userid}:*` instead of `${aws:userid}`. @@ -2870 +2870 @@ In the AWS Management Console, the finding for this check includes the following - Wildcard usage too permissive: Overly permissive use of wildcard for the {{key}} condition key. Use the wildcard followed by 6 consecutive characters. + Wildcard usage too permissive: Overly permissive use of wildcard for the {{key}} condition key. Use the wildcard preceded by 6 consecutive characters. @@ -2881 +2881 @@ In programmatic calls to the AWS CLI or AWS API, the finding for this check incl - "findingDetails": "Overly permissive use of wildcard for the {{key}} condition key. Use the wildcard followed by 6 consecutive characters." + "findingDetails": "Overly permissive use of wildcard for the {{key}} condition key. Use the wildcard preceded by 6 consecutive characters." @@ -2893 +2893 @@ There are three possible finding messages for this error. - * For the first error message, make your wildcard usage more specific by adding at least 6 consecutive characters after the wildcard. For example, instead of using `*`, use `*-suffix` or `prefix-*-suffix`. This reduces the scope of the condition and follows the principle of least privilege. + * For the first error message, make your wildcard usage more specific by adding at least 6 consecutive characters before the wildcard. For example, instead of using `*`, use `prefix-*` or `prefix-*-suffix`. This reduces the scope of the condition and follows the principle of least privilege. @@ -2897 +2897 @@ There are three possible finding messages for this error. - * For the third error message, modify your `aws:userID` wildcard usage to be more restrictive. Place the wildcard on the right side of a colon (after the account ID) or use it as the only character on the left side of a colon. For example, use `AIDACKCEVSQ6C2EXAMPLE:*` or `*` instead of `*:*`. + * For the third error message, modify your `aws:userID` wildcard usage to be more restrictive. Place the wildcard on the right side of a colon (after the account ID) or use it as the only character on the left side of a colon. For example, use `AIDACKCEVSQ6C2EXAMPLE:*` or `*:*` instead of `*`.