AWS step-functions documentation change
Summary
Specified granular Step Functions actions in VPC endpoint policy example
Security assessment
Replaced a wildcard action (*Execution) with specific actions (e.g., states:ListExecutions), demonstrating least privilege principles. This improves security documentation but does not address a known vulnerability.
Diff
diff --git a/step-functions/latest/dg/vpc-endpoints.md b/step-functions/latest/dg/vpc-endpoints.md index f3299006a..b7e933e5b 100644 --- a//step-functions/latest/dg/vpc-endpoints.md +++ b//step-functions/latest/dg/vpc-endpoints.md @@ -72 +72,3 @@ The following example shows an Amazon VPC endpoint policy that allows one user t - "Action": "*Execution", + "Action": [ + "states:ListExecutions", "states:StartExecution", "states:StopExecution", "states:DescribeExecution" + ], @@ -82 +84 @@ The following example shows an Amazon VPC endpoint policy that allows one user t - "AWS": "arn:aws:iam::account-id:user/MyUser" + "AWS": "arn:aws:iam::123456789012:user/MyUser"