AWS Security ChangesHomeSearch

AWS quicksuite high security documentation change

Service: quicksuite · 2026-01-31 · Security-related high

File: quicksuite/latest/userguide/manage-domains.md

Summary

Added identical security best practices section about URL variation vulnerabilities in IAM condition operators for domain allow lists.

Security assessment

Repeats warning about attackers bypassing domain restrictions via URL variations, explicitly stating this could lead to unauthorized access. Provides identical security mitigation guidance.

Diff

diff --git a/quicksuite/latest/userguide/manage-domains.md b/quicksuite/latest/userguide/manage-domains.md
index 5f3ec8448..d27beed09 100644
--- a//quicksuite/latest/userguide/manage-domains.md
+++ b//quicksuite/latest/userguide/manage-domains.md
@@ -97,0 +98,19 @@ You can list up to three domains or subdomains. Adding domains to the allow list
+###### Security best practice for IAM condition operators
+
+Improperly configured IAM condition operators can allow unauthorized access to your embedded Quick Suite resources through URL variations. When using the `quicksight:AllowedEmbeddingDomains` condition key in your IAM policies, use condition operators that either allow specific domains or deny all domains that are not specifically allowed. For more information about IAM condition operators, see [IAM JSON policy elements: Condition operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html) in the IAM User Guide.
+
+Many different URL variations can point to the same resource. For example, the following URLs all resolve to the same content:
+
+  * `https://example.com`
+
+  * `https://example.com/`
+
+  * `https://Example.com`
+
+
+
+
+If your policy uses operators that do not account for these URL variations, an attacker can bypass your restrictions by providing equivalent URL variations.
+
+You must validate that your IAM policy uses appropriate condition operators to prevent bypass vulnerabilities and ensure that only your intended domains can access your embedded resources.
+