AWS awscloudtrail high security documentation change
Summary
Updated resource policy example with concrete ARNs and account ID (111111111111 → 123456789012), reformatted JSON
Security assessment
The change enforces specific source account constraints (AWS:SourceAccount: 123456789012) in CloudTrail resource policies, which is a security best practice. This prevents potential cross-account access issues by using concrete account IDs rather than placeholders, reducing misconfiguration risks. High severity as proper account ID configuration is critical for access control.
Diff
diff --git a/awscloudtrail/latest/userguide/lake-cli-manage-eds.md b/awscloudtrail/latest/userguide/lake-cli-manage-eds.md index d0c36cefa..cf721f2ce 100644 --- a//awscloudtrail/latest/userguide/lake-cli-manage-eds.md +++ b//awscloudtrail/latest/userguide/lake-cli-manage-eds.md @@ -272,20 +272,6 @@ JSON - { - "ResourceArn": "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE", - "ResourcePolicy": "{ - "Version": "2012-10-17", - "Statement": [{ - "Sid": "EDSPolicy", - "Effect": "Allow", - "Principal": { "Service": "cloudtrail.amazonaws.com" }, - "Resource": "eds-arn", - "Action": "cloudtrail:StartQuery", - "Condition": { - "StringEquals": { - "AWS:SourceArn": "dashboard-arn", - "AWS:SourceAccount": "111111111111" - } - } - } - ] - }" - } + { "Version": "2012-10-17", "Statement": [{ "Sid": "EDSPolicy", "Effect": + "Allow", "Principal": { "Service": "cloudtrail.amazonaws.com" }, "Resource": + "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/event_data_store_ID", + "Action": "cloudtrail:StartQuery", "Condition": { "StringEquals": { "AWS:SourceArn": + "arn:aws:cloudtrail:us-east-1:123456789012:eventdatastore/EXAMPLE-f852-4e8f-8bd1-bcf6cEXAMPLE", + "AWS:SourceAccount": "123456789012" } } } ] }