AWS transcribe documentation change
Summary
Added multiple JSON policy examples including trust policies for transcribe and transcribe.streaming services with source account/ARN conditions, KMS key policy with encryption context condition, and IAM policy for transcription jobs with tag-based condition
Security assessment
This change adds detailed IAM policy examples which are security documentation for implementing least-privilege access and resource-based policies. The examples include security best practices like source account/ARN validation and encryption context conditions, but there's no evidence these address a specific security vulnerability.
Diff
diff --git a/transcribe/latest/dg/security_iam_id-based-policy-examples.md b/transcribe/latest/dg/security_iam_id-based-policy-examples.md index fe5ff0ca5..6305bff76 100644 --- a//transcribe/latest/dg/security_iam_id-based-policy-examples.md +++ b//transcribe/latest/dg/security_iam_id-based-policy-examples.md @@ -85,0 +86,33 @@ The IAM entity you use to make your transcription request must have a trust poli +JSON + + +**** + + + + { + "Version":"2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": [ + "transcribe.amazonaws.com" + ] + }, + "Action": [ + "sts:AssumeRole" + ], + "Condition": { + "StringEquals": { + "aws:SourceAccount": "111122223333" + }, + "ArnLike": { + "aws:SourceArn": "arn:aws:transcribe:us-west-2:111122223333:*" + } + } + } + ] + } + + @@ -87,0 +121,33 @@ The IAM entity you use to make your transcription request must have a trust poli +JSON + + +**** + + + + { + "Version":"2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": [ + "transcribe.streaming.amazonaws.com" + ] + }, + "Action": [ + "sts:AssumeRole" + ], + "Condition": { + "StringEquals": { + "aws:SourceAccount": "111122223333" + }, + "ArnLike": { + "aws:SourceArn": "arn:aws:transcribe:us-west-2:111122223333:*" + } + } + } + ] + } + + @@ -209,0 +276,40 @@ The following policy grants the IAM role “`ExampleRole`” permission to use t +JSON + + +**** + + + + { + "Version":"2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::111122223333:role/ExampleRole" + }, + "Action": [ + "kms:Decrypt", + "kms:Encrypt", + "kms:GenerateDataKey*", + "kms:ReEncrypt*" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "kms:EncryptionContext:color": "indigoBlue" + } + } + }, + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::111122223333:role/ExampleRole" + }, + "Action": "kms:DescribeKey", + "Resource": "*" + } + ] + } + + @@ -213,0 +320,31 @@ Here's an example of an assume role policy that shows how you can use `aws:Sourc +JSON + + +**** + + + + { + "Version":"2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": "transcribe.amazonaws.com" + }, + "Action": [ + "sts:AssumeRole" + ], + "Condition": { + "StringEquals": { + "aws:SourceAccount": "111122223333" + }, + "ArnLike": { + "aws:SourceArn": "arn:aws:transcribe:us-west-2:111122223333:*" + } + } + } + ] + } + + @@ -221,0 +359,29 @@ For more information on tagging in Amazon Transcribe, see [Tagging resources](./ +JSON + + +**** + + + + { + "Version":"2012-10-17", + "Statement": [ + { + "Sid": "ListTranscriptionJobsInConsole", + "Effect": "Allow", + "Action": "transcribe:ListTranscriptionJobs", + "Resource": "*" + }, + { + "Sid": "ViewTranscriptionJobsIfOwner", + "Effect": "Allow", + "Action": "transcribe:GetTranscriptionJob", + "Resource": "arn:aws:transcribe:us-west-2:111122223333:transcription-job/*", + "Condition": { + "StringEquals": {"aws:ResourceTag/Owner": "${aws:username}"} + } + } + ] + } + +