AWS amazondynamodb medium security documentation change
Summary
Added cross-account export requirements and IAM role guidance
Security assessment
The change addresses potential authorization vulnerabilities by clarifying that exports must originate from the table's account, preventing cross-account privilege escalation. It explicitly documents security controls for cross-account data access.
Diff
diff --git a/amazondynamodb/latest/developerguide/S3DataExport_Requesting.md b/amazondynamodb/latest/developerguide/S3DataExport_Requesting.md index 02e688c26..9d916a2a8 100644 --- a//amazondynamodb/latest/developerguide/S3DataExport_Requesting.md +++ b//amazondynamodb/latest/developerguide/S3DataExport_Requesting.md @@ -113,0 +114,4 @@ Revoking these permissions while an export is in progress will result in partial +You must call `ExportTableToPointInTime` as a principal in the same AWS account as the source table. Although the destination bucket can belong to a different account (as described earlier), the export request itself must originate from the table's account. A request made from a different account fails with a `ValidationException`: "This action is only supported by accounts that match the resource owner's account." To export a table that is owned by another account, assume an IAM role in the table's account and make the export request with that role's credentials. When that role writes to a bucket in a different account, include the bucket owner and grant the role write access in the bucket policy as described above. + +###### Note +