AWS databrew high security documentation change
Summary
Added security best practice for aws:ResourceAccount condition to prevent cross-account access
Security assessment
Explicitly addresses authorization control by restricting S3 access to resources within the same AWS account. Mitigates potential cross-account access risks with wildcards.
Diff
diff --git a/databrew/latest/dg/iam-policy-to-use-s3-for-data-resource-role.md b/databrew/latest/dg/iam-policy-to-use-s3-for-data-resource-role.md index 91de460a5..db1ed339e 100644 --- a//databrew/latest/dg/iam-policy-to-use-s3-for-data-resource-role.md +++ b//databrew/latest/dg/iam-policy-to-use-s3-for-data-resource-role.md @@ -14,0 +15,10 @@ Customize the policy as follows: +**Security Best Practice** : To prevent unauthorized access to Amazon S3 buckets with similar names in other AWS accounts, include the `aws:ResourceAccount` condition key in your policy. This ensures that DataBrew can only access buckets within your own AWS account, even when using wildcard resource ARNs. Add the following condition to your policy statements: + + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "123456789012" + } + } + +Replace `123456789012` with your actual AWS account ID. +