AWS neptune-analytics high security documentation change
Summary
Added example IAM policy with source ARN/account conditions to prevent confused deputy attacks
Security assessment
The change directly addresses security by demonstrating how to prevent confused deputy attacks through IAM conditions, which is a known AWS cross-service security risk.
Diff
diff --git a/neptune-analytics/latest/userguide/cross-service-confused-deputy-prevention.md b/neptune-analytics/latest/userguide/cross-service-confused-deputy-prevention.md index d2c854142..f8d2b321f 100644 --- a//neptune-analytics/latest/userguide/cross-service-confused-deputy-prevention.md +++ b//neptune-analytics/latest/userguide/cross-service-confused-deputy-prevention.md @@ -18,0 +19,32 @@ The following example shows how you can use the `aws:SourceArn` and `aws:SourceA +JSON + + +**** + + + + { + "Version":"2012-10-17", + "Statement": { + "Sid": "ConfusedDeputyPreventionExamplePolicy", + "Effect": "Allow", + "Principal": { + "Service": "neptune-graph.amazonaws.com" + }, + "Action": "neptune-graph:CreateGraph", + "Resource": [ + "arn:aws:neptune-graph:us-east-1:123456789012:graph/*" + ], + "Condition": { + "ArnLike": { + "aws:SourceArn": "arn:aws:neptune-graph:*:123456789012:*" + }, + "StringEquals": { + "aws:SourceAccount": "123456789012" + } + } + } + } + + +