AWS Security ChangesHomeSearch

AWS tk-dotnet-refactoring documentation change

Service: tk-dotnet-refactoring · 2025-08-10 · Documentation low

File: tk-dotnet-refactoring/latest/userguide/ad-setup.md

Summary

Updated secret configuration examples: Fixed username/password placeholder syntax, added concrete ARN examples in resource policies, and improved JSON formatting

Security assessment

The changes improve security documentation clarity by providing correct secret configuration examples and explicit resource ARN formats. While not fixing a specific vulnerability, they help prevent misconfiguration risks by showing proper security-sensitive value formatting and policy structure.

Diff

diff --git a/tk-dotnet-refactoring/latest/userguide/ad-setup.md b/tk-dotnet-refactoring/latest/userguide/ad-setup.md
index a7ffae2da..4ee915a1a 100644
--- a//tk-dotnet-refactoring/latest/userguide/ad-setup.md
+++ b//tk-dotnet-refactoring/latest/userguide/ad-setup.md
@@ -49 +49 @@ Create a secret to pass the username and password to your application. Create th
-  * `Username` – Note that the domain in the `Username` value must be uppercase: ``<user>@<AD_DOMAIN>``
+  * `Username` – The domain in the `Username` value must be uppercase: ``user`@`AD_DOMAIN``
@@ -59,2 +59,2 @@ You can also use the AWS Secrets Manager in the AWS Management Console to create
-    Key: Username, value: <user>@<AD_DOMAIN>, 
-    Key: Password, value: <password>
+    Key: Username, value: user@AD_DOMAIN, 
+    Key: Password, value: password
@@ -66,5 +66,2 @@ You can use the JSON format option in the secret as:
-    
-    "Username": "<user@AD_DOMAIN>",
-    
-    "Password": "<password>"
-    
+        "Username": "user@AD_DOMAIN",
+        "Password": "password"
@@ -78 +75 @@ If you use AWS CLI, use the `--secret-string` parameter as follows:
-    ‘{"Username":"<user@AD_DOMAIN.COM>","Password":"<password>"}’
+    ‘{"Username":"user@AD_DOMAIN.COM","Password":"password"}’
@@ -88 +85,5 @@ In the AWS Secrets Manager in the AWS Management Console, open the secret that y
-Add the policy below to the secret. The policy contains the following variables: 
+Add the policy below to the secret. The policy contains the following ARNs: 
+
+  * The ARN of the [Amazon ECS task role ](./roles-and-policies.html#ecs-task-role) that you created with the CloudFormation template. 
+
+  * The ARN of the secret that you just created. 
@@ -90 +90,0 @@ Add the policy below to the secret. The policy contains the following variables:
-  * `task_role_ARN` – the ARN of the [Amazon ECS task role ](./roles-and-policies.html#ecs-task-role) that you created with the CloudFormation template. 
@@ -92 +91,0 @@ Add the policy below to the secret. The policy contains the following variables:
-  * `secret_ARN` – The ARN of the secret that you just created. 
@@ -94,0 +94 @@ Add the policy below to the secret. The policy contains the following variables:
+JSON
@@ -97 +97,2 @@ Add the policy below to the secret. The policy contains the following variables:
-The policy that you add to the secret: 
+****
+    
@@ -102,2 +103,2 @@ The policy that you add to the secret:
-      "Statement" : [ {
-        "Sid" : "EcsTask",
+      "Statement" : [ 
+        {
@@ -106 +107 @@ The policy that you add to the secret:
-          "AWS" : "<task_role_ARN>"
+                "AWS": "arn:aws:iam::123456789012:role/my-ecs-task-role"
@@ -109,2 +110 @@ The policy that you add to the secret:
-        "Resource" : "<secret_ARN>"
-      } ]
+            "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-secret-XyZ9Qw"
@@ -111,0 +112,3 @@ The policy that you add to the secret:
+      ]
+    }
+