AWS IAM documentation change
Summary
Added clarification that session policies in AWS STS do not support incomplete ARNs, causing an error, and fixed a typo in 'Amazon SQS'.
Security assessment
The change informs users about a policy grammar limitation that can prevent misconfigurations, but it does not directly address a known security vulnerability or add security features. No concrete evidence of a security issue in the diff.
Diff
diff --git a/IAM/latest/UserGuide/reference_policies_grammar.md b/IAM/latest/UserGuide/reference_policies_grammar.md index f0a042460..70d9d1443 100644 --- a//IAM/latest/UserGuide/reference_policies_grammar.md +++ b//IAM/latest/UserGuide/reference_policies_grammar.md @@ -246 +246 @@ In most cases, consists of an [Amazon Resource Name](./reference_identifiers.htm -When you specify an incomplete ARN (one with fewer than the standard six fields) in an identity-based policy, AWS automatically completes the ARN by adding wildcard characters (*) to all missing fields. For example, specifying `arn:aws:sqs` is equivalent to `arn:aws:sqs:*:*:*`, which grants access to all Amazon SQS resources across all regions and accounts. +When you specify an incomplete ARN (one with fewer than the standard six fields) in an identity-based policy, AWS automatically completes the ARN by adding wildcard characters (*) to all missing fields. For example, specifying `arn:aws:sqs` is equivalent to `arn:aws:sqs:*:*:*`, which grants access to all Amazon Amazon SQS resources across all regions and accounts. However, session policies passed to AWS STS AssumeRole, AssumeRoleWithWebIdentity, and AssumeRoleWithSAML requests, do not support incomplete ARNs. Using an incomplete ARN in a session policy will result in a `MalformedPolicyDocumentException` error.