AWS Security ChangesHomeSearch

AWS step-functions documentation change

Service: step-functions · 2026-06-07 · Documentation low

File: step-functions/latest/dg/call-https-apis.md

Summary

Added clarification that IAM policies for states:InvokeHTTPEndpoint cannot use aws:ResourceTag condition keys

Security assessment

The change documents a security limitation in IAM policy granularity for HTTP endpoint permissions. While it enhances security awareness by clarifying policy scope restrictions, there's no evidence of a specific vulnerability being addressed.

Diff

diff --git a/step-functions/latest/dg/call-https-apis.md b/step-functions/latest/dg/call-https-apis.md
index 7e445133b..a94505384 100644
--- a//step-functions/latest/dg/call-https-apis.md
+++ b//step-functions/latest/dg/call-https-apis.md
@@ -579,0 +580,4 @@ The following IAM policy example grants the least privileges required to your st
+###### Important
+
+You can scope `states:InvokeHTTPEndpoint` permissions to a specific state machine by specifying a state machine ARN in the policy statement's `Resource` field, but further scoping the permissions using an [`aws:ResourceTag/${TagKey}`](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) condition key is not supported at this time.
+