AWS Security ChangesHomeSearch

AWS quicksuite high security documentation change

Service: quicksuite · 2026-01-31 · Security-related high

File: quicksuite/latest/userguide/embedding-gen-bi.md

Summary

Added security best practices section warning about URL variation vulnerabilities in IAM condition operators for domain embedding restrictions.

Security assessment

Explicitly describes how attackers can bypass domain restrictions through URL variations (e.g., case sensitivity, trailing slashes) leading to unauthorized access. Provides concrete mitigation guidance for IAM policies.

Diff

diff --git a/quicksuite/latest/userguide/embedding-gen-bi.md b/quicksuite/latest/userguide/embedding-gen-bi.md
index 337ff1999..ed41b9dd6 100644
--- a//quicksuite/latest/userguide/embedding-gen-bi.md
+++ b//quicksuite/latest/userguide/embedding-gen-bi.md
@@ -51,0 +52,19 @@ To limit the domains that developers can use with this parameter, add an `Allowe
+###### Security best practice for IAM condition operators
+
+Improperly configured IAM condition operators can allow unauthorized access to your embedded Quick Suite resources through URL variations. When using the `quicksight:AllowedEmbeddingDomains` condition key in your IAM policies, use condition operators that either allow specific domains or deny all domains that are not specifically allowed. For more information about IAM condition operators, see [IAM JSON policy elements: Condition operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html) in the IAM User Guide.
+
+Many different URL variations can point to the same resource. For example, the following URLs all resolve to the same content:
+
+  * `https://example.com`
+
+  * `https://example.com/`
+
+  * `https://Example.com`
+
+
+
+
+If your policy uses operators that do not account for these URL variations, an attacker can bypass your restrictions by providing equivalent URL variations.
+
+You must validate that your IAM policy uses appropriate condition operators to prevent bypass vulnerabilities and ensure that only your intended domains can access your embedded resources.
+
@@ -616,0 +636,19 @@ To limit the domains that developers can use with this parameter, add an `Allowe
+###### Security best practice for IAM condition operators
+
+Improperly configured IAM condition operators can allow unauthorized access to your embedded Quick Suite resources through URL variations. When using the `quicksight:AllowedEmbeddingDomains` condition key in your IAM policies, use condition operators that either allow specific domains or deny all domains that are not specifically allowed. For more information about IAM condition operators, see [IAM JSON policy elements: Condition operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html) in the IAM User Guide.
+
+Many different URL variations can point to the same resource. For example, the following URLs all resolve to the same content:
+
+  * `https://example.com`
+
+  * `https://example.com/`
+
+  * `https://Example.com`
+
+
+
+
+If your policy uses operators that do not account for these URL variations, an attacker can bypass your restrictions by providing equivalent URL variations.
+
+You must validate that your IAM policy uses appropriate condition operators to prevent bypass vulnerabilities and ensure that only your intended domains can access your embedded resources.
+