AWS Security ChangesHomeSearch

AWS transfer high security documentation change

Service: transfer · 2025-10-16 · Security-related high

File: transfer/latest/userguide/confused-deputy.md

Summary

Added detailed IAM policy examples with account-specific conditions and ARN patterns to prevent confused deputy attacks

Security assessment

The changes add explicit security controls using aws:SourceAccount and aws:SourceArn conditions to restrict role assumption. These are security measures to prevent confused deputy attacks by limiting cross-service impersonation. The examples demonstrate proper use of security best practices for AWS Transfer service roles.

Diff

diff --git a/transfer/latest/userguide/confused-deputy.md b/transfer/latest/userguide/confused-deputy.md
index 0e4098e36..90b2ff023 100644
--- a//transfer/latest/userguide/confused-deputy.md
+++ b//transfer/latest/userguide/confused-deputy.md
@@ -44,3 +43,0 @@ The following example policy allows any user of any server in the account to ass
-JSON
-    
-
@@ -75,0 +73,27 @@ The following example policy allows any user of a specific server to assume the
+****
+    
+    
+    
+    {
+      "Version":"2012-10-17",		 	 	 
+      "Statement": [
+        {
+          "Sid": "",
+          "Effect": "Allow",
+          "Principal": {
+            "Service": "transfer.amazonaws.com"
+          },
+          "Action": "sts:AssumeRole",
+          "Condition": {
+            "StringEquals": {
+              "aws:SourceAccount": "123456789012"
+            },
+            "ArnEquals": {
+              "aws:SourceArn": "arn:aws:transfer:us-east-1:123456789012:user/server-id/*"
+            }
+          }
+        }
+      ]
+    }
+    
+
@@ -77,0 +102,24 @@ The following example policy allows a specific user of a specific server to assu
+****
+    
+    
+    
+    {
+        "Version":"2012-10-17",		 	 	 
+        "Statement": [
+            {
+                "Sid": "",
+                "Effect": "Allow",
+                "Principal": {
+                    "Service": "transfer.amazonaws.com"
+                },
+                "Action": "sts:AssumeRole",
+                "Condition": {
+                    "ArnLike": {
+                        "aws:SourceArn": "arn:aws:transfer:us-east-1:123456789012:user/server-id/user-name"
+                    }
+                }
+            }
+        ]
+    }
+    
+
@@ -81,0 +130,3 @@ The following example policy allows any workflow in the account to assume the ro
+****
+    
+    
@@ -95 +146 @@ The following example policy allows any workflow in the account to assume the ro
-                        "aws:SourceAccount": "account-id"
+                        "aws:SourceAccount": "111122223333"
@@ -98 +149 @@ The following example policy allows any workflow in the account to assume the ro
-                        "aws:SourceArn": "arn:aws:transfer:region:account-id:workflow/*"
+                        "aws:SourceArn": "arn:aws:transfer:us-west-2:111122223333:workflow/*"
@@ -106,0 +159,3 @@ The following example policy allows a specific workflow to assume the role.
+****
+    
+    
@@ -120 +175 @@ The following example policy allows a specific workflow to assume the role.
-                        "aws:SourceArn": "arn:aws:transfer:region:account-id:workflow/workflow-id"
+                        "aws:SourceArn": "arn:aws:transfer:us-west-2:111122223333:workflow/workflow-id"
@@ -131,3 +186,0 @@ The following example policy allows any connector in the account to assume the r
-JSON
-    
-
@@ -163,3 +215,0 @@ The following example policy allows a specific connector to assume the role.
-JSON
-    
-
@@ -199,0 +250,3 @@ The following example logging/invocation policy allows any server (and workflow)
+****
+    
+    
@@ -213 +266 @@ The following example logging/invocation policy allows any server (and workflow)
-                        "aws:SourceAccount": "account-id"
+                        "aws:SourceAccount": "111122223333"
@@ -217,2 +270,2 @@ The following example logging/invocation policy allows any server (and workflow)
-                         "arn:aws:transfer:region:account-id:server/*",
-                         "arn:aws:transfer:region:account-id:workflow/*"
+                         "arn:aws:transfer:us-west-2:111122223333:server/*",
+                         "arn:aws:transfer:us-west-2:111122223333:workflow/*"
@@ -227,0 +282,3 @@ The following example logging/invocation policy allows a specific server (and wo
+****
+    
+    
@@ -241 +298 @@ The following example logging/invocation policy allows a specific server (and wo
-                        "aws:SourceAccount": "account-id"
+                        "aws:SourceAccount": "111122223333"
@@ -245,2 +302,2 @@ The following example logging/invocation policy allows a specific server (and wo
-                           "arn:aws:transfer:region:account-id:server/server-id",
-                           "arn:aws:transfer:region:account-id:workflow/workflow-id"
+                           "arn:aws:transfer:us-west-2:111122223333:server/server-id",
+                           "arn:aws:transfer:us-west-2:111122223333:workflow/workflow-id"