AWS Security ChangesHomeSearch

AWS directoryservice documentation change

Service: directoryservice · 2025-11-22 · Documentation low

File: directoryservice/latest/admin-guide/cross-service-confused-deputy-prevention.md

Summary

Updated service name references from 'AWS Directory Service for Microsoft Active Directory' to 'Directory Service for Microsoft Active Directory' and adjusted link text for resource types documentation

Security assessment

The changes are editorial updates to branding/naming conventions and documentation links. No modifications were made to security recommendations, policy examples, or mitigation strategies for confused deputy prevention. The security-related guidance about using aws:SourceArn and aws:SourceAccount remains unchanged.

Diff

diff --git a/directoryservice/latest/admin-guide/cross-service-confused-deputy-prevention.md b/directoryservice/latest/admin-guide/cross-service-confused-deputy-prevention.md
index 6b1ba5537..d1c39c9a3 100644
--- a//directoryservice/latest/admin-guide/cross-service-confused-deputy-prevention.md
+++ b//directoryservice/latest/admin-guide/cross-service-confused-deputy-prevention.md
@@ -9 +9 @@ The confused deputy problem is a security issue where an entity that doesn't hav
-We recommend using the [`aws:SourceArn`](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn) and [`aws:SourceAccount`](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceaccount) global condition context keys in resource policies to limit the permissions that AWS Directory Service for Microsoft Active Directory gives another service to the resource. If the `aws:SourceArn` value does not contain the account ID, such as an Amazon S3 bucket ARN, you must use both global condition context keys to limit permissions. If you use both global condition context keys and the `aws:SourceArn` value contains the account ID, the `aws:SourceAccount` value and the account in the `aws:SourceArn` value must use the same account ID when used in the same policy statement. Use `aws:SourceArn` if you want only one resource to be associated with the cross-service access. Use `aws:SourceAccount` if you want to allow any resource in that account to be associated with the cross-service use.
+We recommend using the [`aws:SourceArn`](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn) and [`aws:SourceAccount`](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceaccount) global condition context keys in resource policies to limit the permissions that Directory Service for Microsoft Active Directory gives another service to the resource. If the `aws:SourceArn` value does not contain the account ID, such as an Amazon S3 bucket ARN, you must use both global condition context keys to limit permissions. If you use both global condition context keys and the `aws:SourceArn` value contains the account ID, the `aws:SourceAccount` value and the account in the `aws:SourceArn` value must use the same account ID when used in the same policy statement. Use `aws:SourceArn` if you want only one resource to be associated with the cross-service access. Use `aws:SourceAccount` if you want to allow any resource in that account to be associated with the cross-service use.
@@ -95 +95 @@ JSON
-The following example shows an IAM trust policy for a role that has been delegated console access. The value of `aws:SourceArn` must be a directory resource in your account. For more information, see [Resource types defined by AWS Directory Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdirectoryservice.html#awsdirectoryservice-resources-for-iam-policies). For example, you can use `arn:aws:ds:us-east-1:123456789012:directory/d-1234567890` where `123456789012` is your customer ID and `d-1234567890` is your directory ID.
+The following example shows an IAM trust policy for a role that has been delegated console access. The value of `aws:SourceArn` must be a directory resource in your account. For more information, see [Resource types defined by Directory Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdirectoryservice.html#awsdirectoryservice-resources-for-iam-policies). For example, you can use `arn:aws:ds:us-east-1:123456789012:directory/d-1234567890` where `123456789012` is your customer ID and `d-1234567890` is your directory ID.