AWS systems-manager high security documentation change
Summary
Removed a JSON policy example demonstrating confused deputy prevention using aws:SourceArn and aws:SourceAccount conditions.
Security assessment
The deleted example provided critical guidance for mitigating confused deputy attacks, a security risk. Removing it could lead to insecure IAM policies if users are unaware of proper condition key usage.
Diff
diff --git a/systems-manager/latest/userguide/cross-service-confused-deputy-prevention.md b/systems-manager/latest/userguide/cross-service-confused-deputy-prevention.md index e5b5bbec3..ff19a6379 100644 --- a//systems-manager/latest/userguide/cross-service-confused-deputy-prevention.md +++ b//systems-manager/latest/userguide/cross-service-confused-deputy-prevention.md @@ -21,30 +20,0 @@ The following example demonstrates using the `aws:SourceArn` and `aws:SourceAcco -JSON - - -**** - - - - { - "Version":"2012-10-17", - "Statement":[ - { - "Sid":"", - "Effect":"Allow", - "Principal":{ - "Service":"ssm.amazonaws.com" - }, - "Action":"sts:AssumeRole", - "Condition":{ - "StringEquals":{ - "aws:SourceAccount":"123456789012" - }, - "ArnEquals":{ - "aws:SourceArn":"us-east-1:123456789012:*" - } - } - } - ] - } - -