AWS amazondynamodb high security documentation change
Summary
Updated principal ARN in example policy and added critical warning/examples about avoiding policy lockout when using Deny statements. Added ArnNotEquals condition to exempt admin roles.
Security assessment
Addresses security risk of accidental self-lockout when configuring resource policies. Explicitly warns about dangerous Deny configurations and provides mitigation (using ArnNotEquals). Evidence: Error message and example show concrete prevention of admin lockout scenarios.
Diff
diff --git a/amazondynamodb/latest/developerguide/rbac-examples.md b/amazondynamodb/latest/developerguide/rbac-examples.md index e9197a585..37333aa70 100644 --- a//amazondynamodb/latest/developerguide/rbac-examples.md +++ b//amazondynamodb/latest/developerguide/rbac-examples.md @@ -108 +108 @@ JSON - "AWS": "arn:aws:iam::111122223333:user/role-name" + "AWS": "arn:aws:iam::111122223333:user/username" @@ -254,0 +255,4 @@ You can also deny all access to DynamoDB resources except when the source is a s +A resource-based policy that contains only a `Deny` statement with `"Principal": "*"` denies access to every principal, including your own ability to update or delete the policy later. If you attach a policy that would lock you out in this way, DynamoDB rejects it with the following error: _The new resource policy will not allow you to update the resource policy in the future._ Adding a separate `Allow` statement does not resolve this, because an explicit `Deny` always overrides an `Allow`. To deny access to everyone except a specific VPC endpoint while retaining the ability to manage the policy, exempt the administering principal from the `Deny` statement by adding an `ArnNotEquals` condition on `aws:PrincipalArn`, as shown in the following example. + +###### Important + @@ -276,0 +281,3 @@ JSON + }, + "ArnNotEquals":{ + "aws:PrincipalArn":"arn:aws:iam::123456789012:role/AdminRole"