AWS Security ChangesHomeSearch

AWS dms high security documentation change

Service: dms · 2025-10-13 · Security-related high

File: dms/latest/userguide/cross-service-confused-deputy-prevention.md

Summary

Added multiple JSON policy examples with explicit confused deputy prevention conditions

Security assessment

The changes explicitly add AWS Resource Policy conditions to prevent confused deputy attacks by restricting AssumeRole actions to specific sources

Diff

diff --git a/dms/latest/userguide/cross-service-confused-deputy-prevention.md b/dms/latest/userguide/cross-service-confused-deputy-prevention.md
index 3addf4ba4..119a035a0 100644
--- a//dms/latest/userguide/cross-service-confused-deputy-prevention.md
+++ b//dms/latest/userguide/cross-service-confused-deputy-prevention.md
@@ -33,0 +34,29 @@ The following example shows policies for using the `dms-vpc-role` role with the
+JSON
+    
+
+****
+    
+    
+    
+    {
+      "Version":"2012-10-17",		 	 	 
+      "Statement": [
+        {
+            "Sid": "AllowDMSAssumeRole",
+            "Effect": "Allow",
+            "Action": "sts:AssumeRole",
+            "Resource": "*",
+            "Condition": {
+                "StringEquals": {
+                    "AWS:SourceAccount": "111122223333"
+             },
+             "ArnLike": {
+                 "aws:SourceArn": "arn:aws:dms:*:123456789012:*"
+             }
+          }
+        }
+      ]
+    }
+    
+    
+
@@ -39,0 +69,32 @@ The following example shows a trust policy with confused deputy conditions that
+JSON
+    
+
+****
+    
+    
+    
+    {
+      "Version":"2012-10-17",		 	 	 
+      "Statement": [
+        {
+          "Sid": "AllowDMSAssumeRole",
+          "Effect": "Allow",
+          "Action": "sts:AssumeRole",
+          "Resource": "*",
+          "Condition": {
+            "StringEquals": {
+              "AWS:SourceAccount": "111122223333"
+            },
+            "ArnLike": {
+                "aws:SourceArn": [
+                    "arn:aws:dms:*:123456789012:assessment-run:*",
+                    "arn:aws:dms:*:123456789012:task:*"
+              ]
+            }
+          }
+        }
+      ]
+    }
+    
+    
+
@@ -45,0 +107,32 @@ The following example shows a trust policy with confused deputy conditions that
+JSON
+    
+
+****
+    
+    
+    
+    {
+      "Version":"2012-10-17",		 	 	 
+      "Statement": [
+        {
+          "Sid": "AllowDMSAssumeRole",
+          "Effect": "Allow",
+          "Action": "sts:AssumeRole",
+          "Resource": "*",
+          "Condition": {
+          "StringEquals": {
+              "AWS:SourceAccount": "111122223333"
+            },
+            "ArnLike": {
+            "aws:SourceArn": [
+                "arn:aws:dms:*:123456789012:assessment-run:*",
+                "arn:aws:dms:*:123456789012:task:*"
+                ]
+             }
+          }
+        }
+      ]
+    }
+    
+    
+