AWS Security ChangesHomeSearch

AWS scheduler high security documentation change

Service: scheduler · 2026-03-04 · Security-related high

File: scheduler/latest/UserGuide/cross-service-confused-deputy-prevention.md

Summary

Added guidance on using ArnLike with wildcards in trust policies for schedule groups

Security assessment

Addresses potential confused deputy vulnerabilities by providing correct wildcard policy configuration. Explicitly prevents privilege escalation through ARN pattern matching, which is a security-critical configuration.

Diff

diff --git a/scheduler/latest/UserGuide/cross-service-confused-deputy-prevention.md b/scheduler/latest/UserGuide/cross-service-confused-deputy-prevention.md
index 2474a46d0..289aa69bb 100644
--- a//scheduler/latest/UserGuide/cross-service-confused-deputy-prevention.md
+++ b//scheduler/latest/UserGuide/cross-service-confused-deputy-prevention.md
@@ -49,0 +50,24 @@ JSON
+If you use wildcard characters in the value of `aws:SourceArn`, you must use `ArnLike` instead of `StringEquals` as the condition operator. For example, the following trust policy uses `ArnLike` to match any schedule group in the account:
+    
+    
+    {
+        "Version": "2012-10-17",		 	 	 
+        "Statement": [
+            {
+                "Effect": "Allow",
+                "Principal": {
+                    "Service": "scheduler.amazonaws.com"
+                },
+                "Action": "sts:AssumeRole",
+                "Condition": {
+                    "ArnLike": {
+                        "aws:SourceArn": "arn:aws:scheduler:*:123456789012:schedule-group/*"
+                    },
+                    "StringEquals": {
+                        "aws:SourceAccount": "123456789012"
+                    }
+                }
+            }
+        ]
+    }
+