AWS quicksuite high security documentation change
Summary
Added security guidance about IAM condition operator vulnerabilities
Security assessment
Documents specific security vulnerability where URL variations can bypass IAM restrictions, providing concrete examples of bypass techniques and mitigation guidance
Diff
diff --git a/quicksuite/latest/userguide/embedded-analytics-dashboards-for-authenticated-users.md b/quicksuite/latest/userguide/embedded-analytics-dashboards-for-authenticated-users.md index 43f78e162..7ff23aa07 100644 --- a//quicksuite/latest/userguide/embedded-analytics-dashboards-for-authenticated-users.md +++ b//quicksuite/latest/userguide/embedded-analytics-dashboards-for-authenticated-users.md @@ -43,0 +44,19 @@ To limit the domains that developers can use with this parameter, add an `Allowe +###### Security best practice for IAM condition operators + +Improperly configured IAM condition operators can allow unauthorized access to your embedded Quick Suite resources through URL variations. When using the `quicksight:AllowedEmbeddingDomains` condition key in your IAM policies, use condition operators that either allow specific domains or deny all domains that are not specifically allowed. For more information about IAM condition operators, see [IAM JSON policy elements: Condition operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html) in the IAM User Guide. + +Many different URL variations can point to the same resource. For example, the following URLs all resolve to the same content: + + * `https://example.com` + + * `https://example.com/` + + * `https://Example.com` + + + + +If your policy uses operators that do not account for these URL variations, an attacker can bypass your restrictions by providing equivalent URL variations. + +You must validate that your IAM policy uses appropriate condition operators to prevent bypass vulnerabilities and ensure that only your intended domains can access your embedded resources. +