AWS Security ChangesHomeSearch

AWS transcribe documentation change

Service: transcribe · 2026-03-19 · Documentation low

File: transcribe/latest/dg/security_iam_id-based-policy-examples.md

Summary

Added multiple JSON policy examples including trust policies for transcribe and transcribe.streaming services with source account/ARN conditions, KMS key policy with encryption context condition, and IAM policy for transcription jobs with tag-based condition

Security assessment

This change adds detailed IAM policy examples which are security documentation for implementing least-privilege access and resource-based policies. The examples include security best practices like source account/ARN validation and encryption context conditions, but there's no evidence these address a specific security vulnerability.

Diff

diff --git a/transcribe/latest/dg/security_iam_id-based-policy-examples.md b/transcribe/latest/dg/security_iam_id-based-policy-examples.md
index fe5ff0ca5..6305bff76 100644
--- a//transcribe/latest/dg/security_iam_id-based-policy-examples.md
+++ b//transcribe/latest/dg/security_iam_id-based-policy-examples.md
@@ -85,0 +86,33 @@ The IAM entity you use to make your transcription request must have a trust poli
+JSON
+    
+
+****
+    
+    
+    
+    {
+      "Version":"2012-10-17",		 	 	 
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Principal": {
+            "Service": [
+              "transcribe.amazonaws.com"
+            ]
+          },
+          "Action": [
+            "sts:AssumeRole"
+          ],      
+          "Condition": {
+            "StringEquals": {
+              "aws:SourceAccount": "111122223333"
+            },
+            "ArnLike": {
+              "aws:SourceArn": "arn:aws:transcribe:us-west-2:111122223333:*"
+            }
+          }
+        }
+      ]
+    }
+    
+
@@ -87,0 +121,33 @@ The IAM entity you use to make your transcription request must have a trust poli
+JSON
+    
+
+****
+    
+    
+    
+    {
+      "Version":"2012-10-17",		 	 	 
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Principal": {
+            "Service": [
+              "transcribe.streaming.amazonaws.com"
+            ]
+          },
+          "Action": [
+            "sts:AssumeRole"
+          ],      
+          "Condition": {
+            "StringEquals": {
+              "aws:SourceAccount": "111122223333"
+            },
+            "ArnLike": {
+              "aws:SourceArn": "arn:aws:transcribe:us-west-2:111122223333:*"
+            }
+          }
+        }
+      ]
+    }
+    
+
@@ -209,0 +276,40 @@ The following policy grants the IAM role “`ExampleRole`” permission to use t
+JSON
+    
+
+****
+    
+    
+    
+    {
+      "Version":"2012-10-17",		 	 	 
+      "Statement": [
+          {
+              "Effect": "Allow",
+              "Principal": {
+                  "AWS": "arn:aws:iam::111122223333:role/ExampleRole"
+              },
+              "Action": [
+                  "kms:Decrypt",
+                  "kms:Encrypt",
+                  "kms:GenerateDataKey*",
+                  "kms:ReEncrypt*"
+              ],
+              "Resource": "*",
+              "Condition": {
+                  "StringEquals": {
+                      "kms:EncryptionContext:color": "indigoBlue"
+                  }
+               }
+          },
+          {
+              "Effect": "Allow",
+              "Principal": {
+                  "AWS": "arn:aws:iam::111122223333:role/ExampleRole"
+              },
+              "Action": "kms:DescribeKey",
+              "Resource": "*"
+          }
+       ]
+    }
+    
+
@@ -213,0 +320,31 @@ Here's an example of an assume role policy that shows how you can use `aws:Sourc
+JSON
+    
+
+****
+    
+    
+    
+    {
+        "Version":"2012-10-17",		 	 	 
+        "Statement": [
+            {
+                "Effect": "Allow",
+                "Principal": {
+                    "Service": "transcribe.amazonaws.com"
+                },
+                "Action": [
+                    "sts:AssumeRole"
+                ],
+                "Condition": {
+                    "StringEquals": {
+                        "aws:SourceAccount": "111122223333"
+                    },
+                    "ArnLike": {
+                        "aws:SourceArn": "arn:aws:transcribe:us-west-2:111122223333:*"
+                    }
+                }
+            }
+        ]
+    }
+    
+
@@ -221,0 +359,29 @@ For more information on tagging in Amazon Transcribe, see [Tagging resources](./
+JSON
+    
+
+****
+    
+    
+    
+    {
+        "Version":"2012-10-17",		 	 	 
+        "Statement": [
+            {
+                "Sid": "ListTranscriptionJobsInConsole",
+                "Effect": "Allow",
+                "Action": "transcribe:ListTranscriptionJobs",
+                "Resource": "*"
+            },
+            {
+                "Sid": "ViewTranscriptionJobsIfOwner",
+                "Effect": "Allow",
+                "Action": "transcribe:GetTranscriptionJob",
+                "Resource": "arn:aws:transcribe:us-west-2:111122223333:transcription-job/*",
+                "Condition": {
+                    "StringEquals": {"aws:ResourceTag/Owner": "${aws:username}"}
+                }
+            }
+        ]
+    }
+    
+