AWS rolesanywhere documentation change
Summary
Removed multiple JSON policy examples demonstrating trust policy conditions based on x509 attributes, source ARNs, and source identity configurations
Security assessment
The removed content consisted of example trust policies illustrating security best practices (like principal tag conditions and source ARN restrictions). While these examples relate to security configurations, their removal does not indicate a direct security vulnerability fix. This appears to be documentation cleanup rather than addressing a specific security issue.
Diff
diff --git a/rolesanywhere/latest/userguide/trust-model.md b/rolesanywhere/latest/userguide/trust-model.md index b745a4c70..8844db32b 100644 --- a//rolesanywhere/latest/userguide/trust-model.md +++ b//rolesanywhere/latest/userguide/trust-model.md @@ -121,35 +120,0 @@ The following example shows a trust policy that adds a condition based on the `S -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Service": "rolesanywhere.amazonaws.com" - }, - "Action": [ - "sts:AssumeRole", - "sts:TagSession", - "sts:SetSourceIdentity" - ], - "Condition": { - "StringEquals": { - "aws:PrincipalTag/x509Subject/CN": "Alice" - }, - "ArnEquals": { - "aws:SourceArn": [ - "arn:aws:rolesanywhere:us-east-1:account:trust-anchor/TA_ID" - ] - } - } - } - ] - } - - @@ -162,35 +126,0 @@ The following example shows a trust policy that adds a condition based on the `I -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Service": "rolesanywhere.amazonaws.com" - }, - "Action": [ - "sts:AssumeRole", - "sts:TagSession", - "sts:SetSourceIdentity" - ], - "Condition": { - "StringEquals": { - "aws:PrincipalTag/x509Issuer/CN": "Bob" - }, - "ArnEquals": { - "aws:SourceArn": [ - "arn:aws:rolesanywhere:us-east-1:account:trust-anchor/TA_ID" - ] - } - } - } - ] - } - - @@ -252,37 +181,0 @@ The following example shows a trust policy that adds a condition based on the `S -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Service": "rolesanywhere.amazonaws.com" - }, - "Action": [ - "sts:AssumeRole", - "sts:TagSession", - "sts:SetSourceIdentity" - ], - "Condition": { - "StringEquals": { - "aws:PrincipalTag/x509SAN/DNS": "example.com", - "aws:PrincipalTag/x509SAN/URI": "spiffe://example.com/workload/alice", - "aws:PrincipalTag/x509SAN/Name/CN": "Alice" - }, - "ArnEquals": { - "aws:SourceArn": [ - "arn:aws:rolesanywhere:us-east-1:account:trust-anchor/TA_ID" - ] - } - } - } - ] - } - - @@ -299,32 +191,0 @@ To use the `aws:SourceArn` and `aws:SourceAccount` global condition keys, set th -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Service": "rolesanywhere.amazonaws.com" - }, - "Action": [ - "sts:AssumeRole", - "sts:TagSession", - "sts:SetSourceIdentity" - ], - "Condition": { - "ArnEquals": { - "aws:SourceArn": [ - "arn:aws:rolesanywhere:us-east-1:account:trust-anchor/TA_ID" - ] - } - } - } - ] - } - - @@ -333,46 +193,0 @@ To use the `sts:SourceIdentity` condition key, set the source identity prefix an -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Service": "rolesanywhere.amazonaws.com" - }, - "Action": [ - "sts:AssumeRole", - "sts:SetSourceIdentity" - ], - "Condition": { - "StringEquals": { - "sts:SourceIdentity": [ - "${sourceIdentityPrefix}${sourceIdentityValue}" - ] - }, - "ArnEquals": { - "aws:SourceArn": [ - "arn:aws:rolesanywhere:us-east-1:account:trust-anchor/TA_ID" - ] - } - } - }, - { - "Effect": "Allow", - "Principal": { - "Service": "rolesanywhere.amazonaws.com" - }, - "Action": [ - "sts:TagSession" - ] - } - ] - } - - -