AWS Security ChangesHomeSearch

AWS databrew high security documentation change

Service: databrew · 2025-10-25 · Security-related high

File: databrew/latest/dg/iam-policy-to-use-s3-for-data-resource-role.md

Summary

Added security best practice for aws:ResourceAccount condition to prevent cross-account access

Security assessment

Explicitly addresses authorization control by restricting S3 access to resources within the same AWS account. Mitigates potential cross-account access risks with wildcards.

Diff

diff --git a/databrew/latest/dg/iam-policy-to-use-s3-for-data-resource-role.md b/databrew/latest/dg/iam-policy-to-use-s3-for-data-resource-role.md
index 91de460a5..db1ed339e 100644
--- a//databrew/latest/dg/iam-policy-to-use-s3-for-data-resource-role.md
+++ b//databrew/latest/dg/iam-policy-to-use-s3-for-data-resource-role.md
@@ -14,0 +15,10 @@ Customize the policy as follows:
+**Security Best Practice** : To prevent unauthorized access to Amazon S3 buckets with similar names in other AWS accounts, include the `aws:ResourceAccount` condition key in your policy. This ensures that DataBrew can only access buckets within your own AWS account, even when using wildcard resource ARNs. Add the following condition to your policy statements: 
+    
+        "Condition": {
+    "StringEquals": {
+    "aws:ResourceAccount": "123456789012"
+    }
+    }
+
+Replace `123456789012` with your actual AWS account ID. 
+