AWS servicecatalog high security documentation change
Summary
Updated IAM/KMS policies with specific account IDs, KMS permission granularity (ReEncryptFrom/To), and policy version alignment
Security assessment
The change replaces broad 'kms:ReEncrypt' with more secure 'kms:ReEncryptFrom/To' permissions, adds explicit account IDs in ARNs, and enforces modern policy versions (2012-10-17). These updates mitigate confused deputy risks and overprivileged KMS access.
Diff
diff --git a/servicecatalog/latest/adminguide/confused-deputy-TRFM-engine.md b/servicecatalog/latest/adminguide/confused-deputy-TRFM-engine.md index 2f06158f5..00dee15c5 100644 --- a//servicecatalog/latest/adminguide/confused-deputy-TRFM-engine.md +++ b//servicecatalog/latest/adminguide/confused-deputy-TRFM-engine.md @@ -12,0 +13,6 @@ The parameter parser Lambda function created by AWS Service Catalog-provided eng +JSON + + +**** + + @@ -23 +29 @@ The parameter parser Lambda function created by AWS Service Catalog-provided eng - "Resource": "arn:aws:lambda:us-east-1:account_id:function:ServiceCatalogTerraformOSParameterParser" + "Resource": "arn:aws:lambda:us-east-1:111122223333:function:ServiceCatalogTerraformOSParameterParser" @@ -31,0 +39,6 @@ For example, you can restrict your engine to only allow requests that originate +JSON + + +**** + + @@ -42 +55 @@ For example, you can restrict your engine to only allow requests that originate - "Resource": "arn:aws:lambda:us-east-1:account_id:function:ServiceCatalogTerraformOSParameterParser", + "Resource": "arn:aws:lambda:us-east-1:111122223333:function:ServiceCatalogTerraformOSParameterParser", @@ -45 +58,4 @@ For example, you can restrict your engine to only allow requests that originate - "aws:SourceAccount": ["000000000000", "111111111111"] + "aws:SourceAccount": [ + "000000000000", + "111111111111" + ] @@ -55,0 +73,6 @@ The provisioning operation intake Amazon SQS queues created by AWS Service Catal +JSON + + +**** + + @@ -58 +81 @@ The provisioning operation intake Amazon SQS queues created by AWS Service Catal - "Version": "2008-10-17", + "Version":"2012-10-17", @@ -68 +91 @@ The provisioning operation intake Amazon SQS queues created by AWS Service Catal - "arn:aws:sqs:us-east-1:account_id:ServiceCatalogTerraformOSProvisionOperationQueue" + "arn:aws:sqs:us-east-1:111122223333:ServiceCatalogTerraformOSProvisionOperationQueue" @@ -80 +103,2 @@ The provisioning operation intake Amazon SQS queues created by AWS Service Catal - "kms:ReEncrypt", + "kms:ReEncryptFrom", + "kms:ReEncryptTo", @@ -83 +107 @@ The provisioning operation intake Amazon SQS queues created by AWS Service Catal - "Resource": "arn:aws:kms:us-east-1:account_id:key/key_id" + "Resource": "arn:aws:kms:us-east-1:111122223333:key/key_id" @@ -91,0 +118,6 @@ For example, you can restrict your engine to only allow requests that originate +JSON + + +**** + + @@ -94 +126 @@ For example, you can restrict your engine to only allow requests that originate - "Version": "2008-10-17", + "Version":"2012-10-17", @@ -104 +136 @@ For example, you can restrict your engine to only allow requests that originate - "arn:aws:sqs:us-east-1:account_id:ServiceCatalogTerraformOSProvisionOperationQueue" + "arn:aws:sqs:us-east-1:111122223333:ServiceCatalogTerraformOSProvisionOperationQueue" @@ -108 +140,4 @@ For example, you can restrict your engine to only allow requests that originate - "aws:SourceAccount": ["000000000000", "111111111111"] + "aws:SourceAccount": [ + "000000000000", + "111111111111" + ] @@ -121 +156,2 @@ For example, you can restrict your engine to only allow requests that originate - "kms:ReEncrypt", + "kms:ReEncryptFrom", + "kms:ReEncryptTo", @@ -124 +160 @@ For example, you can restrict your engine to only allow requests that originate - "Resource": "arn:aws:kms:us-east-1:account_id:key/key_id" + "Resource": "arn:aws:kms:us-east-1:111122223333:key/key_id"