AWS redshift documentation change
Summary
Clarified SAML SSO policy condition syntax and capitalization of 'AWS userid'
Security assessment
Emphasizes correct policy conditions to prevent credential misuse (e.g., ensuring DbUser matches AWS user ID), which is a security best practice but does not fix a specific vulnerability.
Diff
diff --git a/redshift/latest/mgmt/redshift-iam-access-control-identity-based.md b/redshift/latest/mgmt/redshift-iam-access-control-identity-based.md index ef857ea36..0842cd304 100644 --- a//redshift/latest/mgmt/redshift-iam-access-control-identity-based.md +++ b//redshift/latest/mgmt/redshift-iam-access-control-identity-based.md @@ -1176 +1176 @@ You can also include the following conditions in your policy: -For SAML SSO integrations, you may be required to specify an IAM Policy using the `${redshift:DbUser}` variable. In those cases, we strongly recommend the use of a condition statement that ensures a caller cannot obtain credentials for a user which does not match their aws userid. E.g. `"StringEquals": {"aws:userid":"AIDIODR4TAW7CSEXAMPLE:${redshift:DbUser}"}"`. See Example 8: IAM policy for using GetClusterCredentials. For more information about conditions, see [Specifying conditions in a policy](./redshift-iam-access-control-overview.html#redshift-policy-resources.specifying-conditions) +For SAML SSO integrations, you may be required to specify an IAM Policy using the `${redshift:DbUser}` variable. In those cases, we strongly recommend the use of a condition statement that ensures a caller cannot obtain credentials for a user which does not match their AWS userid. E.g. `"StringEquals": {"aws:userid":"AIDIODR4TAW7CSEXAMPLE:${redshift:DbUser}"}"`. See Example 8: IAM policy for using GetClusterCredentials. For more information about conditions, see [Specifying conditions in a policy](./redshift-iam-access-control-overview.html#redshift-policy-resources.specifying-conditions)