AWS Security ChangesHomeSearch

AWS prescriptive-guidance medium security documentation change

Service: prescriptive-guidance · 2025-08-13 · Security-related medium

File: prescriptive-guidance/latest/certificate-based-access-controls/option-1.md

Summary

Added sts:SourceIdentity condition to IAM role trust policy to enforce source identity validation during role assumption

Security assessment

The added Condition block with sts:SourceIdentity implements granular access control by requiring a specific source identity value for role assumption. This prevents role assumption attempts that don't match the expected source identity pattern, reducing potential unauthorized access risks.

Diff

diff --git a/prescriptive-guidance/latest/certificate-based-access-controls/option-1.md b/prescriptive-guidance/latest/certificate-based-access-controls/option-1.md
index ea91dcdd0..ebcf7d30e 100644
--- a//prescriptive-guidance/latest/certificate-based-access-controls/option-1.md
+++ b//prescriptive-guidance/latest/certificate-based-access-controls/option-1.md
@@ -34,0 +35,5 @@ The **Role 1** and **Role 2** trust policies are configured to allow IAM Roles A
+          ],
+          "Condition": {
+            "StringEquals": {
+              "sts:SourceIdentity": [
+                "${sourceIdentityPrefix}${sourceIdentityValue}"
@@ -36,0 +42,2 @@ The **Role 1** and **Role 2** trust policies are configured to allow IAM Roles A
+          }
+        }