AWS wellarchitected high security documentation change
Summary
Modified IoT policy example to use wildcards (*) instead of certificate/thing-specific variables and removed a security condition requiring attached things.
Security assessment
The change replaces specific client/topic ARNs with overly permissive wildcards and removes a condition enforcing device attachment. This weakens the example policy's security posture, potentially encouraging insecure practices that allow broader access than intended.
Diff
diff --git a/wellarchitected/latest/iot-lens/identity-and-access-management.md b/wellarchitected/latest/iot-lens/identity-and-access-management.md index fcf3c30ce..b0e5cfbed 100644 --- a//wellarchitected/latest/iot-lens/identity-and-access-management.md +++ b//wellarchitected/latest/iot-lens/identity-and-access-management.md @@ -215,0 +216,6 @@ By using policy variables, you can create a few IoT policies that can be applied +JSON + + +**** + + @@ -219 +225,2 @@ By using policy variables, you can create a few IoT policies that can be applied - "Statement": [{ + "Statement": [ + { @@ -225,6 +232 @@ By using policy variables, you can create a few IoT policies that can be applied - "arn:aws:iot:us-east-1:123456789012:client/${iot:Certificate.Subject.CommonName}" - ], - "Condition": { - "Bool": { - "iot:Connection.Thing.IsAttached": [ - "true" + "arn:aws:iot:us-east-1:123456789012:client/*" @@ -232,2 +233,0 @@ By using policy variables, you can create a few IoT policies that can be applied - } - } @@ -241 +241 @@ By using policy variables, you can create a few IoT policies that can be applied - "arn:aws:iot:us-east-1:123456789012:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/update" + "arn:aws:iot:us-east-1:123456789012:topic/$aws/things/*/shadow/update" @@ -250,0 +253,6 @@ Although these scenarios apply to a single device communicating with its own set +JSON + + +**** + +