AWS prescriptive-guidance medium security documentation change
Summary
Added sts:SourceIdentity condition to IAM role trust policy to enforce source identity validation during role assumption
Security assessment
The added Condition block with sts:SourceIdentity implements granular access control by requiring a specific source identity value for role assumption. This prevents role assumption attempts that don't match the expected source identity pattern, reducing potential unauthorized access risks.
Diff
diff --git a/prescriptive-guidance/latest/certificate-based-access-controls/option-1.md b/prescriptive-guidance/latest/certificate-based-access-controls/option-1.md index ea91dcdd0..ebcf7d30e 100644 --- a//prescriptive-guidance/latest/certificate-based-access-controls/option-1.md +++ b//prescriptive-guidance/latest/certificate-based-access-controls/option-1.md @@ -34,0 +35,5 @@ The **Role 1** and **Role 2** trust policies are configured to allow IAM Roles A + ], + "Condition": { + "StringEquals": { + "sts:SourceIdentity": [ + "${sourceIdentityPrefix}${sourceIdentityValue}" @@ -36,0 +42,2 @@ The **Role 1** and **Role 2** trust policies are configured to allow IAM Roles A + } + }