AWS opsworks medium security documentation change
Summary
Removed example IAM policy JSON configurations demonstrating confused deputy prevention conditions
Security assessment
Removal of explicit examples for SourceAccount and ArnEquals/SourceArn conditions reduces guidance on implementing cross-service protection. These policies were specifically demonstrating security best practices to prevent confused deputy attacks.
Diff
diff --git a/opsworks/latest/userguide/cross-service-confused-deputy-prevention-stacks.md b/opsworks/latest/userguide/cross-service-confused-deputy-prevention-stacks.md index 8c21c9bba..1abb68c2a 100644 --- a//opsworks/latest/userguide/cross-service-confused-deputy-prevention-stacks.md +++ b//opsworks/latest/userguide/cross-service-confused-deputy-prevention-stacks.md @@ -41,28 +40,0 @@ This section describes how you can help prevent confused deputy exploits in OpsW -JSON - - -**** - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Service": "opsworks.amazonaws.com" - }, - "Action": "sts:AssumeRole", - "Condition": { - "StringEquals": { - "aws:SourceAccount": "123456789012" - }, - "ArnEquals": { - "arn:aws:opsworks:us-east-2:123456789012:stack/EXAMPLEd-5699-40a3-80c3-22c32EXAMPLE/" - } - } - } - ] - } - - @@ -122,32 +93,0 @@ The following example limits access to an array of two OpsWorks Stacks stacks in -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Service": "opsworks.amazonaws.com" - }, - "Action": "sts:AssumeRole", - "Condition": { - "StringEquals": { - "aws:SourceAccount": "123456789012" - }, - "ArnEquals": { - "aws:SourceArn": [ - "arn:aws:opsworks:us-east-2:123456789012:stack/unique_ID1", - "arn:aws:opsworks:us-east-2:123456789012:stack/unique_ID2" - ] - } - } - } - ] - } - -