AWS codebuild high security documentation change
Summary
Updated ARN patterns in IAM/KMS policy examples to use wildcards
Security assessment
Replaced specific resource ARNs with wildcard patterns ('arn:aws:iam::*:role/Service*') in KMS and Secrets Manager policies. This could allow access to unintended resources if not properly constrained.
Diff
diff --git a/codebuild/latest/userguide/multiple-access-tokens.md b/codebuild/latest/userguide/multiple-access-tokens.md index 26ca1a9df..a76663075 100644 --- a//codebuild/latest/userguide/multiple-access-tokens.md +++ b//codebuild/latest/userguide/multiple-access-tokens.md @@ -81 +81 @@ JSON - "<secret-arn>" + "arn:aws:iam::*:role/Service*" @@ -104 +104 @@ JSON - "Resource": "<kms-key-arn>", + "Resource": "arn:aws:iam::*:role/Service*", @@ -107 +107 @@ JSON - "kms:EncryptionContext:SecretARN": "<secret-arn>" + "kms:EncryptionContext:SecretARN": "arn:aws:iam::*:role/Service*" @@ -133 +133 @@ JSON - "connection-arn>" + "arn:aws:iam::*:role/Service*"