AWS eventbridge medium security documentation change
Summary
Removed an example policy and updated condition operators to use ForAllValues:StringEquals
Security assessment
The removal of an ambiguous example and adoption of ForAllValues operator strengthens policy validation, preventing potential authorization bypass through event pattern manipulation. This addresses possible insecure direct object reference issues.
Diff
diff --git a/eventbridge/latest/userguide/eb-use-conditions.md b/eventbridge/latest/userguide/eb-use-conditions.md index 0332047a7..48ffab7b4 100644 --- a//eventbridge/latest/userguide/eb-use-conditions.md +++ b//eventbridge/latest/userguide/eb-use-conditions.md @@ -5 +5 @@ -EventBridge condition keysEventBridge Pipes specificsExample: Using the creatorAccount conditionExample: Using the eventBusInvocation conditionExample: Limiting access to a specific sourceExample: Defining multiple sources that can be used in an event pattern individuallyExample: Defining a source and a DetailType that can be used in an event patternExample: Ensuring that the source is defined in the event patternExample: Defining a list of allowed sources in an event pattern with multiple sources Example: Limiting PutRule access by detail.service Example: Limiting PutRule access by detail.eventTypeCodeExample: Ensuring that only AWS CloudTrail events for API calls from a certain PrincipalId are allowedExample: Limiting access to targets +EventBridge condition keysEventBridge Pipes specificsExample: Using the creatorAccount conditionExample: Using the eventBusInvocation conditionExample: Limiting access to a specific sourceExample: Defining multiple sources that can be used in an event pattern individuallyExample: Ensuring that the source is defined in the event patternExample: Defining a list of allowed sources in an event pattern with multiple sources Example: Limiting PutRule access by detail.service Example: Limiting PutRule access by detail.eventTypeCodeExample: Ensuring that only AWS CloudTrail events for API calls from a certain PrincipalId are allowedExample: Limiting access to targets @@ -55,2 +54,0 @@ For example policy statements for EventBridge, see [Managing access permissions - * Example: Defining a source and a DetailType that can be used in an event pattern - @@ -178 +176 @@ JSON - "StringEquals": { + "ForAllValues:StringEquals": { @@ -257,2 +255,5 @@ JSON - "StringEquals": { - "events:source": [ "aws.ec2", "aws.ecs" ] + "ForAllValues:StringEquals": { + "events:source": [ + "aws.ec2", + "aws.ecs" + ] @@ -306,72 +306,0 @@ Event pattern | Allowed by the policy -## Example: Defining a source and a `DetailType `that can be used in an event pattern - -The following policy allows events only from the `aws.ec2` source with `DetailType` equal to `EC2 instance state change notification`. - -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "AllowPutRuleIfSourceIsEC2AndDetailTypeIsInstanceStateChangeNotification", - "Effect": "Allow", - "Action": "events:PutRule", - "Resource": "*", - "Condition": { - "StringEquals": { - "events:source": "aws.ec2", - "events:detail-type": "EC2 Instance State-change Notification" - } - } - } - ] - } - - -The following table shows some examples of event patterns that are allowed or denied by this policy. - -Event pattern | Allowed by the policy ----|--- - - - { - "source": [ "aws.ec2" ] - } - -| No - - - { - "source": [ "aws.ecs" ] - } - -| No - - - { - "source": [ "aws.ec2" ], - "detail-type": [ "EC2 Instance State-change Notification" ] - } - -| Yes - - - { - "source": [ "aws.ec2" ], - "detail-type": [ "EC2 Instance Health Failed" ] - } - -| No - - - { - "detail-type": [ "EC2 Instance State-change Notification" ] - } - -| No - @@ -653 +582 @@ JSON - "Resource": "arn:aws:events:us-east-1:123456789012:rule/MyRule", + "Resource": "arn:aws:events:us-east-1:123456789012:rule/rule-name", @@ -655 +584 @@ JSON - "ArnLike": { + "ForAnyValue:ArnLike": {