AWS AmazonECS documentation change
Summary
Changed 'it is recommended' to 'we recommend' in confused deputy prevention guidance
Security assessment
Phrasing update without substantive security impact. The underlying security recommendation about using aws:SourceAccount/aws:SourceArn remains unchanged.
Diff
diff --git a/AmazonECS/latest/developerguide/task-iam-roles.md b/AmazonECS/latest/developerguide/task-iam-roles.md index c8e26994d..eefe8ee27 100644 --- a//AmazonECS/latest/developerguide/task-iam-roles.md +++ b//AmazonECS/latest/developerguide/task-iam-roles.md @@ -52 +52 @@ The IAM task role must have a trust policy that specifies the `ecs-tasks.amazona -When creating your task IAM role, it is recommended that you use the `aws:SourceAccount` or `aws:SourceArn` condition keys in the trust relationship policy associated with the role to scope the permissions further to prevent the confused deputy security issue. Using the `aws:SourceArn` condition key to specify a specific cluster is not currently supported, you should use the wildcard to specify all clusters. To learn more about the confused deputy problem and how to protect your AWS account, see [The confused deputy problem](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html) in the _IAM User Guide_. +When creating your task IAM role, we recommend that you use the `aws:SourceAccount` or `aws:SourceArn` condition keys in the trust relationship policy associated with the role to scope the permissions further to prevent the confused deputy security issue. Using the `aws:SourceArn` condition key to specify a specific cluster is not currently supported, you should use the wildcard to specify all clusters. To learn more about the confused deputy problem and how to protect your AWS account, see [The confused deputy problem](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html) in the _IAM User Guide_.