AWS Security ChangesHomeSearch

AWS step-functions medium security documentation change

Service: step-functions · 2025-10-28 · Security-related medium

File: step-functions/latest/dg/tutorial-access-cross-acct-resources.md

Summary

Added concrete ARN examples in IAM policies and trust relationships

Security assessment

Specific ARN patterns (e.g., 123456789012 account ID) demonstrate secure role assumption configuration. The sts:ExternalId condition binding to a specific state machine ARN prevents confused deputy issues, directly addressing access control security.

Diff

diff --git a/step-functions/latest/dg/tutorial-access-cross-acct-resources.md b/step-functions/latest/dg/tutorial-access-cross-acct-resources.md
index b3d894231..44ff08b1a 100644
--- a//step-functions/latest/dg/tutorial-access-cross-acct-resources.md
+++ b//step-functions/latest/dg/tutorial-access-cross-acct-resources.md
@@ -108,0 +109,3 @@ After you create the trust relationship, a user from the source account can use
+****
+    
+    
@@ -116 +119 @@ After you create the trust relationship, a user from the source account can use
-            "AWS": "arn:aws:iam::account-id:role/ExecutionRole"  // The source account's state machine execution role ARN
+            "AWS": "arn:aws:iam::123456789012:role/ExecutionRole"
@@ -118 +121 @@ After you create the trust relationship, a user from the source account can use
-          "Condition": {  // Control which account and state machine can assume the target IAM role
+          "Condition": {  
@@ -120 +123 @@ After you create the trust relationship, a user from the source account can use
-              "sts:ExternalId": "arn:aws:states:region:account-id:stateMachine:testCrossAccount"   //// ARN of the state machine that will assume the role.
+              "sts:ExternalId": "arn:aws:states:us-east-1:123456789012:stateMachine:testCrossAccount"
@@ -141,0 +146,3 @@ Permissions in the IAM policies determine whether a specific request is allowed
+****
+    
+    
@@ -148 +155 @@ Permissions in the IAM policies determine whether a specific request is allowed
-          "Resource": "arn:aws:lambda:us-east-2:111122223333:function:Echo"  // The cross-account AWS resource being accessed
+          "Resource": "arn:aws:lambda:us-east-2:111122223333:function:Echo"
@@ -173,0 +182,3 @@ Step Functions doesn’t automatically generate the [AssumeRole](https://docs.aw
+****
+    
+    
@@ -180 +191 @@ Step Functions doesn’t automatically generate the [AssumeRole](https://docs.aw
-          "Resource": "arn:aws:iam::111122223333:role/LambdaRole"  // The target role to be assumed
+          "Resource": "arn:aws:iam::111122223333:role/LambdaRole"