AWS Security ChangesHomeSearch

AWS workspaces-web high security documentation change

Service: workspaces-web · 2025-10-22 · Security-related high

File: workspaces-web/latest/adminguide/security_iam_service-with-iam-id-based-policies-resources.md

Summary

Removed the requirement for statements to include Resource/NotResource and rephrased resource specification as a best practice.

Security assessment

Omitting the mandatory requirement for Resource/NotResource in IAM policies could lead to overly permissive policies, increasing the risk of unintended resource access. This change introduces a security risk by misrepresenting a critical IAM policy constraint.

Diff

diff --git a/workspaces-web/latest/adminguide/security_iam_service-with-iam-id-based-policies-resources.md b/workspaces-web/latest/adminguide/security_iam_service-with-iam-id-based-policies-resources.md
index 48f8bca3c..ff704798d 100644
--- a//workspaces-web/latest/adminguide/security_iam_service-with-iam-id-based-policies-resources.md
+++ b//workspaces-web/latest/adminguide/security_iam_service-with-iam-id-based-policies-resources.md
@@ -11,3 +11 @@ Administrators can use AWS JSON policies to specify who has access to what. That
-The `Resource` JSON policy element specifies the object or objects to which the action applies. Statements must include either a `Resource` or a `NotResource` element. As a best practice, specify a resource using its [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html). You can do this for actions that support a specific resource type, known as _resource-level permissions_.
-
-For actions that don't support resource-level permissions, such as listing operations, use a wildcard (*) to indicate that the statement applies to all resources.
+The `Resource` JSON policy element specifies the object or objects to which the action applies. As a best practice, specify a resource using its [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html). For actions that don't support resource-level permissions, use a wildcard (*) to indicate that the statement applies to all resources.