AWS rolesanywhere documentation change
Summary
Removed trust policy examples using x509 issuer conditions and source ARN restrictions.
Security assessment
While the policies included security controls, their removal does not indicate a direct security fix. Appears to be documentation restructuring rather than vulnerability addressing.
Diff
diff --git a/rolesanywhere/latest/userguide/attribute-mapping-and-trust-policy.md b/rolesanywhere/latest/userguide/attribute-mapping-and-trust-policy.md index 630cd6d79..57603c204 100644 --- a//rolesanywhere/latest/userguide/attribute-mapping-and-trust-policy.md +++ b//rolesanywhere/latest/userguide/attribute-mapping-and-trust-policy.md @@ -13,35 +12,0 @@ The following example shows trust policies that add a condition based on the `Is -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Service": "rolesanywhere.amazonaws.com" - }, - "Action": [ - "sts:AssumeRole", - "sts:TagSession", - "sts:SetSourceIdentity" - ], - "Condition": { - "StringEquals": { - "aws:PrincipalTag/x509Issuer/CN": "Bob" - }, - "ArnEquals": { - "aws:SourceArn": [ - "arn:aws:rolesanywhere:us-east-1:account:trust-anchor/TA_ID" - ] - } - } - } - ] - } - - @@ -50,35 +14,0 @@ If a profile is used with an Attribute Mapping field that lacks `specifier: CN` -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Service": "rolesanywhere.amazonaws.com" - }, - "Action": [ - "sts:AssumeRole", - "sts:TagSession", - "sts:SetSourceIdentity" - ], - "Condition": { - "StringNotEquals": { - "aws:PrincipalTag/x509Issuer/CN": "Bob" - }, - "ArnEquals": { - "aws:SourceArn": [ - "arn:aws:rolesanywhere:us-east-1:account:trust-anchor/TA_ID" - ] - } - } - } - ] - } - -