AWS mediapackage high security documentation change
Summary
Removed CDN authorization header condition from policy example and provided a simplified JSON policy.
Security assessment
The original policy enforced a security condition (`mediapackagev2:RequestHasMatchingCdnAuthHeader: true`) to validate CDN authorization headers. Removing this condition in the example could lead to insecure configurations where unauthorized requests are allowed, weakening access control.
Diff
diff --git a/mediapackage/latest/userguide/cdn-auth-setup.md b/mediapackage/latest/userguide/cdn-auth-setup.md index 078f07fa3..e9911917a 100644 --- a//mediapackage/latest/userguide/cdn-auth-setup.md +++ b//mediapackage/latest/userguide/cdn-auth-setup.md @@ -73 +73 @@ Use the same secret across multiple endpoints in the same Region and on the same - 4. In **Endpoint policy** , select **Attach a custom policy** and add a policy for the endpoint. To use CDN authorization, you must include the boolean `mediapackagev2:RequestHasMatchingCdnAuthHeader : true` + 4. In **Endpoint policy** , select **Attach a custom policy** and add a policy for the endpoint. @@ -76,0 +77,9 @@ Use the same secret across multiple endpoints in the same Region and on the same +JSON + + +**** + + + { + "Version": "2012-10-17", + "Statement": [ @@ -81,5 +90 @@ Use the same secret across multiple endpoints in the same Region and on the same - "Resource": "arn:aws:mediapackagev2:region:account:channelGroup/*/channel/*/originEndpoint/*", - "Condition": { - "Bool": { - "mediapackagev2:RequestHasMatchingCdnAuthHeader": "true" - } + "Resource": "arn:aws:mediapackagev2:us-east-1:111122223333:channelGroup/*/channel/*/originEndpoint/*" @@ -86,0 +92 @@ Use the same secret across multiple endpoints in the same Region and on the same + ]