AWS Security ChangesHomeSearch

AWS servicecatalog high security documentation change

Service: servicecatalog · 2025-10-25 · Security-related high

File: servicecatalog/latest/adminguide/confused-deputy-TRFM-engine.md

Summary

Updated IAM/KMS policies with specific account IDs, KMS permission granularity (ReEncryptFrom/To), and policy version alignment

Security assessment

The change replaces broad 'kms:ReEncrypt' with more secure 'kms:ReEncryptFrom/To' permissions, adds explicit account IDs in ARNs, and enforces modern policy versions (2012-10-17). These updates mitigate confused deputy risks and overprivileged KMS access.

Diff

diff --git a/servicecatalog/latest/adminguide/confused-deputy-TRFM-engine.md b/servicecatalog/latest/adminguide/confused-deputy-TRFM-engine.md
index 2f06158f5..00dee15c5 100644
--- a//servicecatalog/latest/adminguide/confused-deputy-TRFM-engine.md
+++ b//servicecatalog/latest/adminguide/confused-deputy-TRFM-engine.md
@@ -12,0 +13,6 @@ The parameter parser Lambda function created by AWS Service Catalog-provided eng
+JSON
+    
+
+****
+    
+    
@@ -23 +29 @@ The parameter parser Lambda function created by AWS Service Catalog-provided eng
-              "Resource": "arn:aws:lambda:us-east-1:account_id:function:ServiceCatalogTerraformOSParameterParser"
+                "Resource": "arn:aws:lambda:us-east-1:111122223333:function:ServiceCatalogTerraformOSParameterParser"
@@ -31,0 +39,6 @@ For example, you can restrict your engine to only allow requests that originate
+JSON
+    
+
+****
+    
+    
@@ -42 +55 @@ For example, you can restrict your engine to only allow requests that originate
-              "Resource": "arn:aws:lambda:us-east-1:account_id:function:ServiceCatalogTerraformOSParameterParser",
+                "Resource": "arn:aws:lambda:us-east-1:111122223333:function:ServiceCatalogTerraformOSParameterParser",
@@ -45 +58,4 @@ For example, you can restrict your engine to only allow requests that originate
-                  "aws:SourceAccount": ["000000000000", "111111111111"]
+                        "aws:SourceAccount": [
+                            "000000000000",
+                            "111111111111"
+                        ]
@@ -55,0 +73,6 @@ The provisioning operation intake Amazon SQS queues created by AWS Service Catal
+JSON
+    
+
+****
+    
+    
@@ -58 +81 @@ The provisioning operation intake Amazon SQS queues created by AWS Service Catal
-          "Version": "2008-10-17",
+        "Version":"2012-10-17",		 	 	 
@@ -68 +91 @@ The provisioning operation intake Amazon SQS queues created by AWS Service Catal
-                "arn:aws:sqs:us-east-1:account_id:ServiceCatalogTerraformOSProvisionOperationQueue"
+                    "arn:aws:sqs:us-east-1:111122223333:ServiceCatalogTerraformOSProvisionOperationQueue"
@@ -80 +103,2 @@ The provisioning operation intake Amazon SQS queues created by AWS Service Catal
-                "kms:ReEncrypt",
+                    "kms:ReEncryptFrom",
+                    "kms:ReEncryptTo",
@@ -83 +107 @@ The provisioning operation intake Amazon SQS queues created by AWS Service Catal
-              "Resource": "arn:aws:kms:us-east-1:account_id:key/key_id"
+                "Resource": "arn:aws:kms:us-east-1:111122223333:key/key_id"
@@ -91,0 +118,6 @@ For example, you can restrict your engine to only allow requests that originate
+JSON
+    
+
+****
+    
+    
@@ -94 +126 @@ For example, you can restrict your engine to only allow requests that originate
-          "Version": "2008-10-17",
+        "Version":"2012-10-17",		 	 	 
@@ -104 +136 @@ For example, you can restrict your engine to only allow requests that originate
-              "arn:aws:sqs:us-east-1:account_id:ServiceCatalogTerraformOSProvisionOperationQueue"
+                    "arn:aws:sqs:us-east-1:111122223333:ServiceCatalogTerraformOSProvisionOperationQueue"
@@ -108 +140,4 @@ For example, you can restrict your engine to only allow requests that originate
-                "aws:SourceAccount": ["000000000000", "111111111111"]
+                        "aws:SourceAccount": [
+                            "000000000000",
+                            "111111111111"
+                        ]
@@ -121 +156,2 @@ For example, you can restrict your engine to only allow requests that originate
-              "kms:ReEncrypt",
+                    "kms:ReEncryptFrom",
+                    "kms:ReEncryptTo",
@@ -124 +160 @@ For example, you can restrict your engine to only allow requests that originate
-            "Resource": "arn:aws:kms:us-east-1:account_id:key/key_id"
+                "Resource": "arn:aws:kms:us-east-1:111122223333:key/key_id"