AWS scheduler high security documentation change
Summary
Added guidance on using ArnLike with wildcards in trust policies for schedule groups
Security assessment
Addresses potential confused deputy vulnerabilities by providing correct wildcard policy configuration. Explicitly prevents privilege escalation through ARN pattern matching, which is a security-critical configuration.
Diff
diff --git a/scheduler/latest/UserGuide/cross-service-confused-deputy-prevention.md b/scheduler/latest/UserGuide/cross-service-confused-deputy-prevention.md index 2474a46d0..289aa69bb 100644 --- a//scheduler/latest/UserGuide/cross-service-confused-deputy-prevention.md +++ b//scheduler/latest/UserGuide/cross-service-confused-deputy-prevention.md @@ -49,0 +50,24 @@ JSON +If you use wildcard characters in the value of `aws:SourceArn`, you must use `ArnLike` instead of `StringEquals` as the condition operator. For example, the following trust policy uses `ArnLike` to match any schedule group in the account: + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": "scheduler.amazonaws.com" + }, + "Action": "sts:AssumeRole", + "Condition": { + "ArnLike": { + "aws:SourceArn": "arn:aws:scheduler:*:123456789012:schedule-group/*" + }, + "StringEquals": { + "aws:SourceAccount": "123456789012" + } + } + } + ] + } +