AWS IAM documentation change
Summary
Added documentation for new condition keys aws:SourceVpcArn and aws:IsMcpServiceAction. Updated service lists for existing condition keys and fixed URL formatting.
Security assessment
The changes introduce two new IAM condition keys (aws:SourceVpcArn and aws:IsMcpServiceAction) that enable more granular access control. While these are security features allowing VPC-based restrictions and service action verification, there's no evidence they address a specific vulnerability. The URL fixes are routine maintenance.
Diff
diff --git a/IAM/latest/UserGuide/reference_policies_condition-keys.md b/IAM/latest/UserGuide/reference_policies_condition-keys.md index 86b37349d..2c092416f 100644 --- a//IAM/latest/UserGuide/reference_policies_condition-keys.md +++ b//IAM/latest/UserGuide/reference_policies_condition-keys.md @@ -33 +33 @@ Properties of the principal | Properties of a role session | Properties of the n -`aws:PrincipalArn` `aws:PrincipalAccount` `aws:PrincipalOrgPaths` `aws:PrincipalOrgID` `aws:PrincipalTag/tag-key` `aws:PrincipalIsAWSService` `aws:PrincipalServiceName` `aws:PrincipalServiceNamesList` `aws:PrincipalType` `aws:userid` `aws:username` | `aws:AssumedRoot` `aws:FederatedProvider` `aws:TokenIssueTime` `aws:MultiFactorAuthAge` `aws:MultiFactorAuthPresent` `aws:ChatbotSourceArn` `aws:Ec2InstanceSourceVpc` `aws:Ec2InstanceSourcePrivateIPv4` `aws:SourceIdentity` `ec2:RoleDelivery` `ec2:SourceInstanceArn` `glue:RoleAssumedBy` `glue:CredentialIssuingService` `lambda:SourceFunctionArn` `ssm:SourceInstanceArn` `identitystore:UserId` | `aws:SourceIp` `aws:SourceVpc` `aws:SourceVpce` `aws:VpceAccount` `aws:VpceOrgID` `aws:VpceOrgPaths` `aws:VpcSourceIp` | `aws:ResourceAccount` `aws:ResourceOrgID` `aws:ResourceOrgPaths` `aws:ResourceTag/tag-key` | `aws:CalledVia` `aws:CalledViaFirst` `aws:CalledViaLast` `aws:ViaAWSService` `aws:CurrentTime` `aws:EpochTime` `aws:referer` `aws:RequestedRegion` `aws:RequestTag/tag-key` `aws:TagKeys` `aws:SecureTransport` `aws:SourceAccount` `aws:SourceArn` `aws:SourceOrgID` `aws:SourceOrgPaths` `aws:UserAgent` +`aws:PrincipalArn` `aws:PrincipalAccount` `aws:PrincipalOrgPaths` `aws:PrincipalOrgID` `aws:PrincipalTag/tag-key` `aws:PrincipalIsAWSService` `aws:PrincipalServiceName` `aws:PrincipalServiceNamesList` `aws:PrincipalType` `aws:userid` `aws:username` | `aws:AssumedRoot` `aws:FederatedProvider` `aws:TokenIssueTime` `aws:MultiFactorAuthAge` `aws:MultiFactorAuthPresent` `aws:ChatbotSourceArn` `aws:Ec2InstanceSourceVpc` `aws:Ec2InstanceSourcePrivateIPv4` `aws:SourceIdentity` `ec2:RoleDelivery` `ec2:SourceInstanceArn` `glue:RoleAssumedBy` `glue:CredentialIssuingService` `lambda:SourceFunctionArn` `ssm:SourceInstanceArn` `identitystore:UserId` | `aws:SourceIp` `aws:SourceVpc` `aws:SourceVpcArn` `aws:SourceVpce` `aws:VpceAccount` `aws:VpceOrgID` `aws:VpceOrgPaths` `aws:VpcSourceIp` | `aws:ResourceAccount` `aws:ResourceOrgID` `aws:ResourceOrgPaths` `aws:ResourceTag/tag-key` | `aws:CalledVia` `aws:CalledViaFirst` `aws:CalledViaLast` `aws:ViaAWSService` `aws:CurrentTime` `aws:EpochTime` `aws:referer` `aws:RequestedRegion` `aws:RequestTag/tag-key` `aws:TagKeys` `aws:SecureTransport` `aws:SourceAccount` `aws:SourceArn` `aws:SourceOrgID` `aws:SourceOrgPaths` `aws:UserAgent` `aws:IsMcpServiceAction` @@ -515 +515 @@ JSON -Use this key to compare the principal's issuing identity provider (IdP) with the IdP that you specify in the policy. This means that an IAM role assumed using the [`AssumeRoleWithWebIdentity`](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity) AWS STS operation. When the resulting role session's temporary credentials are used to make a request, the request context identifies the IdP that authenticated the original federated identity. +Use this key to compare the principal's issuing identity provider (IdP) with the IdP that you specify in the policy. This means that an IAM role assumed using the [`AssumeRoleWithWebIdentity`](https://docs.aws.amazon.com//STS/latest/APIReference/API_AssumeRoleWithWebIdentity) AWS STS operation. When the resulting role session's temporary credentials are used to make a request, the request context identifies the IdP that authenticated the original federated identity. @@ -530 +530 @@ Use this key to compare the principal's issuing identity provider (IdP) with the - * If you're using an IdP that is not built-in to AWS, like [GitHub](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services) or [Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html), the key value will be **ARN**. The key value may look like: `arn:aws:iam::`111122223333`:oidc-provider/oidc.eks.`region`.amazonaws.com/id/`OIDC_Provider_ID``. + * If you're using an IdP that is not built-in to AWS, like [GitHub](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services) or [Amazon EKS](https://docs.aws.amazon.com//eks/latest/userguide/associate-service-account-role.html), the key value will be **ARN**. The key value may look like: `arn:aws:iam::`111122223333`:oidc-provider/oidc.eks.`region`.amazonaws.com/id/`OIDC_Provider_ID``. @@ -1081 +1081 @@ Use this key to compare IAM Identity Center workforce identity in the signed req -You can find the UserId of a user in IAM Identity Center by making a request to the [GetUserId](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_GetUserId.html) API using the AWS CLI, AWS API, or AWS SDK. +You can find the UserId of a user in IAM Identity Center by making a request to the [GetUserId](https://docs.aws.amazon.com//singlesignon/latest/IdentityStoreAPIReference/API_GetUserId.html) API using the AWS CLI, AWS API, or AWS SDK. @@ -1218 +1218,114 @@ JSON -For an example of how to apply this key in a resource-based policy, see [Restricting access to a specific VPC](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies-vpc-endpoint.html#example-bucket-policies-restrict-access-vpc) in the _Amazon Simple Storage Service User Guide_. +###### Note + +AWS recommends to use `aws:SourceVpcArn` instead of `aws:SourceVpc` if `aws:SourceVpcArn` is supported by the service you are targeting. Please refer to aws:SourceVpcArn for the list of supported services. + +### aws:SourceVpcArn + +Use this key to verify the ARN of the VPC through which a request was made via a VPC endpoint. This key returns the ARN of the VPC to which the VPC endpoint is attached. + + * **Availability** – This key is included in the request context for supported services when a request is made through a VPC endpoint. The key is not included for requests made through public service endpoints. The following services support this key: + + * AWS App Runner (prefix: [`apprunner`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsapprunner.html)) + + * AWS Application Discovery Service (prefix: [`discovery`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsapplicationdiscoveryservice.html)) + + * Amazon Athena (prefix: [`athena`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonathena.html)) + + * AWS Cloud Map (prefix: [`servicediscovery`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudmap.html)) + + * Amazon CloudWatch Application Insights (prefix: [`applicationinsights`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchapplicationinsights.html)) + + * AWS CloudFormation (prefix: [`cloudformation`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudformation.html)) + + * Amazon Comprehend Medical (prefix: [`comprehendmedical`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncomprehendmedical.html)) + + * AWS Compute Optimizer (prefix: [`compute-optimizer`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscomputeoptimizer.html)) + + * Amazon; Elastic Container Registry (prefix: [`ecr`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerregistry.html)) + + * Amazon Elastic Container Service (prefix: [`ecs`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerservice.html)) + + * Amazon Kinesis Analytics (prefix: [`kinesisanalytics`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesisanalytics.html)) + + * Amazon Route 53 (prefix: [`route53`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53.html)) + + * AWS DataSync (prefix: [`datasync`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatasync.html)) + + * Amazon Elastic Block Store (prefix: [`ebs`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticblockstore.html)) + + * Amazon EventBridge Scheduler (prefix: [`scheduler`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoneventbridgescheduler.html)) + + * Amazon Data Firehose (prefix: [`firehose`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesisfirehose.html)) + + * AWS HealthImaging (prefix: [`medical-imaging`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awshealthimaging.html)) + + * AWS HealthLake (prefix: [`healthlake`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awshealthlake.html)) + + * AWS HealthOmics (prefix: [`omics`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awshealthomics.html)) + + * AWS Identity and Access Management (except for the `iam:PassRole` action) (prefix: [`iam`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsidentityandaccessmanagementiam.html)) + + * AWS IoT FleetWise (prefix: [`iotfleetwise`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotfleetwise.html)) + + * AWS IoT Wireless (prefix: [`iotwireless`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotwireless.html)) + + * AWS Key Management Service (prefix: [`kms`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awskeymanagementservice.html)) + + * AWS Lambda (prefix: [`lambda`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslambda.html)) + + * AWS Payment Cryptography (prefix: [`payment-cryptography`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awspaymentcryptography.html)) + + * Amazon Polly (prefix: [`polly`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpolly.html)) + + * AWS Private Certificate Authority (prefix: [`acm-pca`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsprivatecertificateauthority.html)) + + * AWS Recycle Bin (prefix: [`rbin`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsrecyclebin.html)) + + * Amazon Rekognition (prefix: [`rekognition`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrekognition.html)) + + * Service Quotas (prefix: [`servicequotas`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_servicequotas.html)) + + * Amazon Simple Storage Service (prefix: [`s3`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html)) + + * AWS Storage Gateway (prefix: [`storagegateway`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsstoragegateway.html)) + + * AWS Systems Manager Incident Manager Contacts (prefix: [`ssm-contacts`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanagerincidentmanagercontacts.html)) + + * Amazon Textract (prefix: [`textract`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazontextract.html)) + + * Amazon Transcribe (prefix: [`transcribe`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazontranscribe.html)) + + * AWS Transfer Family (prefix: [`transfer`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awstransferfamily.html)) + + * **Data type** – ARN + +AWS recommends that you use [ARN operators](./reference_policies_elements_condition_operators.html#Conditions_ARN) instead of [string operators](./reference_policies_elements_condition_operators.html#Conditions_String) when comparing ARNs. + + * **Value type** – Single-valued + + * **Example value** – `arn:aws:ec2:us-east-1:123456789012:vpc/vpc-0e9801d129EXAMPLE` + + + + +The following is an example of a bucket policy that denies access to `amzn-s3-demo-bucket` and its objects from anywhere outside VPC `vpc-1a2b3c4d`. + + + { + "Version":"2012-10-17", + "Statement": [ + { + "Sid": "Access-to-specific-VPC-only", + "Principal": "*", + "Action": "s3:*", + "Effect": "Deny", + "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket", + "arn:aws:s3:::amzn-s3-demo-bucket/*"], + "Condition": { + "ArnNotEquals": { + "aws:SourceVpcArn": "arn:aws:ec2:us-east-1:*:vpc/vpc-1a2b3c4d" + } + } + } + ] + } @@ -1258,0 +1372,8 @@ The following services support this key: + * Amazon; Elastic Container Registry (prefix: [`ecr`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerregistry.html)) + + * Amazon Elastic Container Service (prefix: [`ecs`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerservice.html)) + + * Amazon Kinesis Analytics (prefix: [`kinesisanalytics`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesisanalytics.html)) + + * Amazon Route 53 (prefix: [`route53`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53.html)) + @@ -1375,0 +1497,8 @@ The following services support this key: + * Amazon; Elastic Container Registry (prefix: [`ecr`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerregistry.html)) + + * Amazon Elastic Container Service (prefix: [`ecs`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerservice.html)) + + * Amazon Kinesis Analytics (prefix: [`kinesisanalytics`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesisanalytics.html)) + + * Amazon Route 53 (prefix: [`route53`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53.html)) + @@ -1496,0 +1626,8 @@ The following services support this key: + * Amazon; Elastic Container Registry (prefix: [`ecr`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerregistry.html)) + + * Amazon Elastic Container Service (prefix: [`ecs`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerservice.html)) + + * Amazon Kinesis Analytics (prefix: [`kinesisanalytics`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesisanalytics.html)) + + * Amazon Route 53 (prefix: [`route53`](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53.html)) + @@ -2553,0 +2691,13 @@ This key should be used carefully. Since the `aws:UserAgent` value is provided b +### aws:IsMcpServiceAction + +Use this key to verify that the action being authorized is an MCP Service action. This key does not refer to actions taken by the MCP service to other AWS services. + + * **Availability** – This key is included in the request context and set to True only when the MCP service is authorizing an MCP service action. + + * **Data type** – [Boolean](./reference_policies_elements_condition_operators.html#Conditions_Boolean) + + * **Value type** – Single-valued + + + +