AWS AWSCloudFormation medium security documentation change
Summary
Added detailed JSON examples for IAM role trust policies for both resource type and Hook extensions with specific condition keys
Security assessment
The added IAM policies demonstrate security best practices by including aws:SourceAccount and aws:SourceArn conditions to restrict assumeRole access. This helps prevent confused deputy problems by limiting which CloudFormation resources can assume the role.
Diff
diff --git a/AWSCloudFormation/latest/UserGuide/registry-public.md b/AWSCloudFormation/latest/UserGuide/registry-public.md index 9f8f41b59..5557d7cc5 100644 --- a//AWSCloudFormation/latest/UserGuide/registry-public.md +++ b//AWSCloudFormation/latest/UserGuide/registry-public.md @@ -67,0 +68,29 @@ The following is an example IAM role trust policy for a resource type extension. +JSON + + +**** + + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": "resources.cloudformation.amazonaws.com" + }, + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "aws:SourceAccount": "123456789012" + }, + "ArnLike": { + "aws:SourceArn": "arn:aws:cloudformation:us-west-2:123456789012:type/resource/Organization-Service-Resource" + } + } + } + ] + } + + @@ -71,0 +101,32 @@ The following is an example IAM role trust policy for a Hook extension. +JSON + + +**** + + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": [ + "resources.cloudformation.amazonaws.com", + "hooks.cloudformation.amazonaws.com" + ] + }, + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "aws:SourceAccount": "123456789012" + }, + "ArnLike": { + "aws:SourceArn": "arn:aws:cloudformation:us-west-2:123456789012:type/hook/Organization-Service-Hook" + } + } + } + ] + } + +