AWS codecommit high security documentation change
Summary
Updated IAM policy conditions to use ArnLike instead of StringLike for codestar-notifications permissions
Security assessment
The policy change restricts codestar-notifications permissions from a broad 'arn:aws:codecommit:*' to a more specific 'arn:aws:iam::*:role/Service*', reducing potential over-permission risks. This directly addresses a security concern by tightening resource access.
Diff
diff --git a/codecommit/latest/userguide/security-iam-awsmanpol.md b/codecommit/latest/userguide/security-iam-awsmanpol.md index 84ac2051c..f3c2eb679 100644 --- a//codecommit/latest/userguide/security-iam-awsmanpol.md +++ b//codecommit/latest/userguide/security-iam-awsmanpol.md @@ -43,0 +44,6 @@ The AWSCodeCommitFullAccess policy contains the following policy statement: +JSON + + +**** + + @@ -154,2 +160,2 @@ The AWSCodeCommitFullAccess policy contains the following policy statement: - "StringLike": { - "codestar-notifications:NotificationsForResource": "arn:aws:codecommit:*" + "ArnLike": { + "codestar-notifications:NotificationsForResource": "arn:aws:iam::*:role/Service*" @@ -245,0 +253,6 @@ The AWSCodeCommitPowerUser policy contains the following policy statement: +JSON + + +**** + + @@ -374,2 +387,2 @@ The AWSCodeCommitPowerUser policy contains the following policy statement: - "StringLike": { - "codestar-notifications:NotificationsForResource": "arn:aws:codecommit:*" + "ArnLike": { + "codestar-notifications:NotificationsForResource": "arn:aws:iam::*:role/Service*" @@ -456,0 +471,6 @@ The AWSCodeCommitReadOnly policy contains the following policy statement: +JSON + + +**** + + @@ -528,2 +548,2 @@ The AWSCodeCommitReadOnly policy contains the following policy statement: - "StringLike":{ - "codestar-notifications:NotificationsForResource":"arn:aws:codecommit:*" + "ArnLike":{ + "codestar-notifications:NotificationsForResource":"arn:aws:codecommit:us-east-2:111122223333:*"