AWS macie documentation change
Summary
Updated documentation formatting for wildcard characters and replaced placeholder account IDs with example values (111122223333, 999999999999). Clarified explanations about IAM policy conditions preventing confused deputy scenarios.
Security assessment
Changes primarily involve formatting improvements (backticks around *) and using example account IDs instead of placeholders. The existing security guidance about preventing confused deputy scenarios was maintained but not substantively changed. No new security vulnerabilities or mitigations were introduced.
Diff
diff --git a/macie/latest/user/findings-retrieve-sd-options.md b/macie/latest/user/findings-retrieve-sd-options.md index 695491db2..bd3906232 100644 --- a//macie/latest/user/findings-retrieve-sd-options.md +++ b//macie/latest/user/findings-retrieve-sd-options.md @@ -200 +200 @@ Where `IAMRoleName` is the name of the IAM role for Macie to assume when retriev -In the preceding permissions policy, the `Resource` element in the first statement uses a wildcard character (*). This allows an attached IAM entity to retrieve objects from all the S3 buckets that your organization owns. To allow this access only for specific buckets, replace the wildcard character with the Amazon Resource Name (ARN) of each bucket. For example, to allow access only to objects in a bucket named _amzn-s3-demo-bucket1_ , change the element to: +In the preceding permissions policy, the `Resource` element in the first statement uses a wildcard character (`*`). This allows an attached IAM entity to retrieve objects from all the S3 buckets that your organization owns. To allow this access only for specific buckets, replace the wildcard character with the Amazon Resource Name (ARN) of each bucket. For example, to allow access only to objects in a bucket named _amzn-s3-demo-bucket1_ , change the element to: @@ -227 +227 @@ JSON - "aws:SourceAccount": "accountID" + "aws:SourceAccount": "111122223333" @@ -235 +235 @@ JSON -Where `accountID` is the account ID for your AWS account. Replace this value with your 12-digit account ID. +Where `111122223333` is the account ID for your AWS account. Replace this value with your 12-digit account ID. @@ -243 +243 @@ In the preceding trust policy: - * The `Condition` element defines a condition that uses the [aws:SourceAccount](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceaccount) global condition context key. This condition determines which account can perform the specified action. In this case, it allows Macie to assume the role only for the specified account (`accountID`). The condition helps prevent Macie from being used as a [confused deputy](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html) during transactions with AWS STS. + * The `Condition` element defines a condition that uses the [aws:SourceAccount](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceaccount) global condition context key. This condition determines which account can perform the specified action. In this case, it allows Macie to assume the role only for the specified account. The condition helps prevent Macie from being used as a [confused deputy](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html) during transactions with AWS STS. @@ -287 +287 @@ JSON -The preceding permissions policy allows an attached IAM entity to retrieve objects from all the S3 buckets for your account. This is because the `Resource` element in the policy uses a wildcard character (*). To allow this access only for specific buckets, replace the wildcard character with the Amazon Resource Name (ARN) of each bucket. For example, to allow access only to objects in a bucket named _amzn-s3-demo-bucket2_ , change the element to: +The preceding permissions policy allows an attached IAM entity to retrieve objects from all the S3 buckets for your account. This is because the `Resource` element in the policy uses a wildcard character (`*`). To allow this access only for specific buckets, replace the wildcard character with the Amazon Resource Name (ARN) of each bucket. For example, to allow access only to objects in a bucket named _amzn-s3-demo-bucket2_ , change the element to: @@ -325 +325 @@ In the preceding policy, replace the placeholder values with the correct values - * `administratorAccountID` is the 12-digit account ID for your Macie administrator's account. + * `111122223333` is the 12-digit account ID for your Macie administrator's account. @@ -371 +371 @@ JSON -In the preceding permissions policy, the `Resource` element uses a wildcard character (*). This allows an attached IAM entity to retrieve objects from all the S3 buckets for your account. To allow this access only for specific buckets, replace the wildcard character with the Amazon Resource Name (ARN) of each bucket. For example, to allow access only to objects in a bucket named _amzn-s3-demo-bucket3_ , change the element to: +In the preceding permissions policy, the `Resource` element uses a wildcard character (`*`). This allows an attached IAM entity to retrieve objects from all the S3 buckets for your account. To allow this access only for specific buckets, replace the wildcard character with the Amazon Resource Name (ARN) of each bucket. For example, to allow access only to objects in a bucket named _amzn-s3-demo-bucket3_ , change the element to: @@ -398 +398 @@ JSON - "aws:SourceAccount": "accountID" + "aws:SourceAccount": "999999999999" @@ -406 +406 @@ JSON -Where `accountID` is the account ID for your AWS account. Replace this value with your 12-digit account ID. +Where `999999999999` is the account ID for your AWS account. Replace this value with your 12-digit account ID. @@ -414 +414 @@ In the preceding trust policy: - * The `Condition` element defines a condition that uses the [aws:SourceAccount](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceaccount) global condition context key. This condition determines which account can perform the specified action. It allows Macie to assume the role only for the specified account (`accountID`). The condition helps prevent Macie from being used as a [confused deputy](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html) during transactions with AWS STS. + * The `Condition` element defines a condition that uses the [aws:SourceAccount](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceaccount) global condition context key. This condition determines which account can perform the specified action. It allows Macie to assume the role only for the specified account. The condition helps prevent Macie from being used as a [confused deputy](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html) during transactions with AWS STS.