AWS opensearch-service medium security documentation change
Summary
Removed JSON example policy demonstrating confused deputy prevention with SourceArn/SourceAccount conditions
Security assessment
The removed example specifically addressed cross-service confused deputy prevention - a security-critical concept. Removing this documentation could reduce awareness of important security controls, though there's no evidence of a specific vulnerability being addressed.
Diff
diff --git a/opensearch-service/latest/developerguide/cross-service-confused-deputy-prevention.md b/opensearch-service/latest/developerguide/cross-service-confused-deputy-prevention.md index bd03d4f3e..3e3d610e0 100644 --- a//opensearch-service/latest/developerguide/cross-service-confused-deputy-prevention.md +++ b//opensearch-service/latest/developerguide/cross-service-confused-deputy-prevention.md @@ -17,28 +16,0 @@ The following example shows how you can use the `aws:SourceArn` and `aws:SourceA -JSON - - -**** - - - - { - "Version":"2012-10-17", - "Statement":{ - "Sid":"ConfusedDeputyPreventionExamplePolicy", - "Effect":"Allow", - "Principal":{ - "Service":"es.amazonaws.com" - }, - "Action":"sts:AssumeRole", - "Condition":{ - "StringEquals":{ - "aws:SourceAccount":"" - }, - "ArnLike":{ - "aws:SourceArn":"arn:aws:es:us-east-1::domain/my-domain" - } - } - } - } - -