AWS step-functions documentation change
Summary
Added clarification that IAM policies for states:InvokeHTTPEndpoint cannot use aws:ResourceTag condition keys
Security assessment
The change documents a security limitation in IAM policy granularity for HTTP endpoint permissions. While it enhances security awareness by clarifying policy scope restrictions, there's no evidence of a specific vulnerability being addressed.
Diff
diff --git a/step-functions/latest/dg/call-https-apis.md b/step-functions/latest/dg/call-https-apis.md index 7e445133b..a94505384 100644 --- a//step-functions/latest/dg/call-https-apis.md +++ b//step-functions/latest/dg/call-https-apis.md @@ -579,0 +580,4 @@ The following IAM policy example grants the least privileges required to your st +###### Important + +You can scope `states:InvokeHTTPEndpoint` permissions to a specific state machine by specifying a state machine ARN in the policy statement's `Resource` field, but further scoping the permissions using an [`aws:ResourceTag/${TagKey}`](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) condition key is not supported at this time. +