AWS quicksight high security documentation change
Summary
Added IAM condition requiring iam:PassedToService for QuickSight in PassRole permissions
Security assessment
The added Condition block enforces that roles can only be passed to QuickSight service, preventing privilege escalation through role hijacking. This is a direct security improvement to least privilege implementation.
Diff
diff --git a/quicksight/latest/developerguide/assetbundle-permissions.md b/quicksight/latest/developerguide/assetbundle-permissions.md index d9a3fe0f7..6e44ca6e5 100644 --- a//quicksight/latest/developerguide/assetbundle-permissions.md +++ b//quicksight/latest/developerguide/assetbundle-permissions.md @@ -3 +3 @@ -[Documentation](/index.html)[Amazon QuickSight](/quicksight/index.html)[Developer Guide](welcome.html) +[Documentation](/index.html)[Amazon Quick Sight](/quicksuite/index.html)[Developer Guide](welcome.html) @@ -12,0 +13,6 @@ The following example shows an IAM policy that you can add to an existing IAM ro +JSON + + +**** + + @@ -45,0 +53,6 @@ The following example shows an IAM policy that you can add to an existing IAM ro +JSON + + +**** + + @@ -108 +121,6 @@ The following example shows an IAM policy that you can add to an existing IAM ro - "Resource": "*" + "Resource": "*", + "Condition": { + "StringEquals": { + "iam:PassedToService": "quicksight.amazonaws.com" + } + }