AWS AWSCloudFormation documentation change
Summary
Added IAM role trust policy example with security best practices for CloudFormation extensions
Security assessment
Demonstrates secure IAM configuration with principal restrictions, source account validation, and ARN constraints. While improving security posture, this is a routine documentation enhancement rather than addressing a specific vulnerability.
Diff
diff --git a/AWSCloudFormation/latest/UserGuide/registry-public.md b/AWSCloudFormation/latest/UserGuide/registry-public.md index 638cb8c34..3f2de50b9 100644 --- a//AWSCloudFormation/latest/UserGuide/registry-public.md +++ b//AWSCloudFormation/latest/UserGuide/registry-public.md @@ -100,0 +101,32 @@ The following is an example IAM role trust policy for a Hook extension. +JSON + + +**** + + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": [ + "resources.cloudformation.amazonaws.com", + "hooks.cloudformation.amazonaws.com" + ] + }, + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "aws:SourceAccount": "123456789012" + }, + "ArnLike": { + "aws:SourceArn": "arn:aws:cloudformation:us-west-2:123456789012:type/hook/Organization-Service-Hook" + } + } + } + ] + } + +