AWS eventbridge medium security documentation change
Summary
Modified cross-account policy example with specific account ID and restructured condition operators (ForAllValues:StringEquals)
Security assessment
The change introduces ForAllValues:StringEquals operator which provides more precise control over allowed event patterns, reducing potential over-permissioning. This helps prevent privilege escalation through event pattern manipulation.
Diff
diff --git a/eventbridge/latest/userguide/eb-event-bus-example-policy-cross-account-custom-bus-source.md b/eventbridge/latest/userguide/eb-event-bus-example-policy-cross-account-custom-bus-source.md index 89cfbab2b..18f0ffbb0 100644 --- a//eventbridge/latest/userguide/eb-event-bus-example-policy-cross-account-custom-bus-source.md +++ b//eventbridge/latest/userguide/eb-event-bus-example-policy-cross-account-custom-bus-source.md @@ -26 +26 @@ JSON - "AWS": "arn:aws:iam::111112222333:root" + "AWS": "arn:aws:iam::123456789012:root" @@ -30,2 +30 @@ JSON - "StringEquals": { - "events:detail-type": "newOrderCreated", + "ForAllValues:StringEquals": { @@ -32,0 +32,3 @@ JSON + }, + "StringEquals": { + "events:detail-type": "newOrderCreated"