AWS prescriptive-guidance high security documentation change
Summary
Formatting updates: changed section header style, consolidated note about IAM role creation risks, simplified JSON array syntax in condition examples, updated trust policy syntax, and corrected documentation link.
Security assessment
The change explicitly warns about IAM permission escalation risks when creating service roles ('An IAM principal... can escalate their own permissions') and reinforces least-privilege practices through condition key examples. This directly addresses security vulnerabilities in role management.
Diff
diff --git a/prescriptive-guidance/latest/least-privilege-cloudformation/service-roles-for-cloudformation.md b/prescriptive-guidance/latest/least-privilege-cloudformation/service-roles-for-cloudformation.md index d6343ed27..37e0970d3 100644 --- a//prescriptive-guidance/latest/least-privilege-cloudformation/service-roles-for-cloudformation.md +++ b//prescriptive-guidance/latest/least-privilege-cloudformation/service-roles-for-cloudformation.md @@ -26 +26 @@ To use a service role to create CloudFormation stacks, IAM principals must have -###### This section contains the following topics: +**This section contains the following topics:** @@ -49,3 +49,2 @@ Properly scoping the identity-based policy of an IAM principal to pass only spec -###### Note - -Service roles are configured in IAM. To create a service role, you must have permissions to do so. An IAM principal with permissions to create a role and attach any policy can escalate their own permissions. AWS recommends creating one service role for each AWS service for each use case. After you create CloudFormation service roles for your use cases, you can allow users to pass only the approved service role to CloudFormation. For sample identity-based policies that allow users to create service roles, see [Service role permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html#id_roles_create_service-permissions) in the IAM documentation. +Note: Service roles are configured in IAM. To create a service role, you must have permissions to do so. An IAM principal with permissions to create a role and attach any policy can escalate their own permissions. AWS recommends creating one service role for each AWS service for each use case. After you create CloudFormation service roles for your use cases, you can allow users to pass only the approved service role to CloudFormation. For sample identity-based policies that allow users to create service roles, see [Service role permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html#id_roles_create_service-permissions) in the IAM documentation. +--- @@ -95,3 +94 @@ In addition to the previous policy statements, you can use the `cloudformation:R - "cloudformation:RoleArn": [ - "<ARN of the specific CloudFormation service role>" - ] + "cloudformation:RoleArn" : [<ARN of the specific CloudFormation service role>] @@ -116,3 +114 @@ Additionally you can also use the `cloudformation:RoleARN` condition key to rest - "cloudformation:RoleArn": [ - "<ARN of a privilege CloudFormation service role>" - ] + "cloudformation:RoleArn" : [<ARN of a privilege CloudFormation service role>] @@ -134,3 +131 @@ The following trust policy allows only the CloudFormation service to assume the - "Principal": { - "Service": "cloudformation.amazonaws.com" - }, + "Principal": {"Service": "cloudformation.amazonaws.com"}, @@ -143 +138 @@ The following trust policy allows only the CloudFormation service to assume the -After a service role is created, you can associate it with a stack when you create the stack. For more information, see [Configure stack options](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-create-stack.html#configure-stack-options). Before you specify a service role, make sure that IAM principals have permissions to pass it. For more information, see Granting an IAM principal permissions to use a CloudFormation service role. +After a service role is created, you can associate it with a stack when you create the stack. For more information, see _Permissions_ in [Setting AWS CloudFormation stack options](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-add-tags.html). Before you specify a service role, make sure that IAM principals have permissions to pass it. For more information, see Granting an IAM principal permissions to use a CloudFormation service role.