Amazon AppStream 2.0 Cross-Service Confused Deputy Prevention
The confused deputy problem is a security issue where an entity that doesn't have permission to perform an action coerces a more-privileged entity to perform the action. In AWS, cross-service impersonation can leave account resources vulnerable to the confused deputy problem. Cross-service impersonation occurs when one service (the calling service) calls another service (the called service). The calling service can manipulate the called service to use its permissions to act on a customer's resources in ways that the calling service doesn't have permission to perform for itself. To prevent this, AWS provides tools that help you protect your data for all services with service principals that have access to resources in your account.
We recommend using the aws:SourceArn and aws:SourceAccount global condition context keys in resource policies to limit permissions when accessing these resources. The following guidelines detail recommendations and requirements when you use these keys to protect your resources:
- Use aws:SourceArn if you want only one resource associated with cross-service access.
- Use aws:SourceAccount if you want to allow any resource in the specified account associated with cross-service use.
- If the aws:SourceArn key doesn't contain an account ID, you must use both global condition context keys (aws:SourceArn and aws:SourceAccount) to limit permissions.
- If you use both global condition context keys and the aws:SourceArn value contains an account ID, the aws:SourceAccount key must use the same account ID when used in the same policy statement.
The most effective way to protect against the confused deputy problem is to use the exact Amazon Resource Name (ARN) of the resource you want to allow. If you don't know the full ARN of the resource, use the aws:SourceArn global condition context key with wildcards (such as *) for the unknown portions of the ARN. You can also use a wildcard in the ARN if you want to specify multiple resources. For example, you can format the ARN as arn:aws:servicename:region-name:your AWS account ID:*
Example: AppStream 2.0 service role cross-service confused deputy prevention
AppStream 2.0 assumes a service role using a variety of resource ARNs, which leads to a complicated conditional statement. We recommend using a wildcard resource type to prevent unexpected failures of AppStream 2.0 resources.
Example aws:SourceAccount Conditional:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": [ "appstream.amazonaws.com" ] },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": { "aws:SourceAccount": "your AWS account ID" }
      }
    }
  ]
}
Example aws:SourceArn Conditional:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": [ "appstream.amazonaws.com" ] },
      "Action": "sts:AssumeRole",
      "Condition": {
        "ArnLike": { "aws:SourceArn": "arn:{aws partition}:appstream:{your region name}:{your AWS account ID}:*" }
      }
    }
  ]
}
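To see what the two condition keys actually do when the service assumes the role, here is an added example (not part of the AWS documentation, and not the IAM evaluator itself): a small Python model of the StringEquals and ArnLike operators, applied to trust policies in the shape of the examples above. It reproduces two IAM behaviours that matter for the guidelines at the top of this page: ArnLike matches each of the six colon-delimited ARN components separately, and a non-negated condition fails when its key is absent from the request context. The account IDs, region, fleet name and helper names (trust_policy, assume_role_allowed) are constructed for the demonstration.

```python
import re

# Constructed sample values for the demonstration; not taken from the page.
OWNER_ACCOUNT = "111111111111"
OTHER_ACCOUNT = "222222222222"
REGION = "us-east-1"
APPSTREAM_PRINCIPAL = "appstream.amazonaws.com"


def _wildcard_to_regex(pattern):
    # IAM ARN conditions support '*' (any run of characters) and '?' (one character).
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$")


def arn_like(pattern, arn):
    """ArnLike semantics: the ARN is split into its six colon-delimited components
    and each component is matched separately and case-sensitively, so a '*' in
    the region or account position never swallows the neighbouring components."""
    pat_parts = pattern.split(":", 5)
    arn_parts = arn.split(":", 5)
    if len(pat_parts) != 6 or len(arn_parts) != 6:
        return False
    return all(_wildcard_to_regex(p).match(a) for p, a in zip(pat_parts, arn_parts))


def condition_matches(condition, context):
    """Evaluate a Condition block against the request context. Only the two
    operators this page uses are modelled. All operator/key pairs must hold, and
    a key absent from the context makes a StringEquals or ArnLike test fail."""
    for operator, pairs in condition.items():
        for key, allowed in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            allowed = [allowed] if isinstance(allowed, str) else list(allowed)
            if operator == "StringEquals":
                if actual not in allowed:
                    return False
            elif operator == "ArnLike":
                if not any(arn_like(p, actual) for p in allowed):
                    return False
            else:
                raise ValueError(f"operator not modelled here: {operator}")
    return True


def assume_role_allowed(trust_policy, context):
    """True if an Allow statement for the AppStream service principal permits
    sts:AssumeRole under the given request context."""
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        services = stmt.get("Principal", {}).get("Service", [])
        services = [services] if isinstance(services, str) else services
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if APPSTREAM_PRINCIPAL in services and "sts:AssumeRole" in actions:
            if condition_matches(stmt.get("Condition", {}), context):
                return True
    return False


def trust_policy(condition):
    """Hypothetical helper: build a trust policy in the shape of the page's examples."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": [APPSTREAM_PRINCIPAL]},
            "Action": "sts:AssumeRole",
            "Condition": condition,
        }],
    }


# Constructed request contexts: the service assuming the role for a fleet in the
# owner's account, and for a same-named fleet in an unrelated account.
OWN_FLEET = {
    "aws:SourceAccount": OWNER_ACCOUNT,
    "aws:SourceArn": f"arn:aws:appstream:{REGION}:{OWNER_ACCOUNT}:fleet/prod-fleet",
}
FOREIGN_FLEET = {
    "aws:SourceAccount": OTHER_ACCOUNT,
    "aws:SourceArn": f"arn:aws:appstream:{REGION}:{OTHER_ACCOUNT}:fleet/prod-fleet",
}

# The page's service-role pattern: region and account pinned, resource wildcarded.
SCOPED = trust_policy(
    {"ArnLike": {"aws:SourceArn": f"arn:aws:appstream:{REGION}:{OWNER_ACCOUNT}:*"}})
# A pattern with no account ID: per the guideline, it must be paired with aws:SourceAccount.
ARN_ONLY_NO_ACCOUNT = trust_policy(
    {"ArnLike": {"aws:SourceArn": "arn:aws:appstream:*:*:fleet/*"}})
PAIRED = trust_policy({
    "ArnLike": {"aws:SourceArn": "arn:aws:appstream:*:*:fleet/*"},
    "StringEquals": {"aws:SourceAccount": OWNER_ACCOUNT},
})

if __name__ == "__main__":
    for name, policy in [("scoped", SCOPED), ("arn only, no account", ARN_ONLY_NO_ACCOUNT),
                         ("paired", PAIRED)]:
        print(f"{name:22} own fleet: {assume_role_allowed(policy, OWN_FLEET)}  "
              f"foreign fleet: {assume_role_allowed(policy, FOREIGN_FLEET)}")
```

Running it shows the point of the third guideline: the ARN_ONLY_NO_ACCOUNT policy admits the foreign fleet because its account component is a wildcard, while SCOPED and PAIRED admit only the owner's fleet. A context that lacks aws:SourceAccount is rejected by PAIRED outright, which is the behaviour you rely on when a caller cannot present the key.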
Example: AppStream 2.0 fleet machine role cross-service confused deputy prevention
Example aws:SourceAccount Conditional:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": [ "appstream.amazonaws.com" ] },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": { "aws:SourceAccount": "your AWS account ID" }
      }
    }
  ]
}
Example aws:SourceArn Conditional:
Note
If you want to use one IAM role for multiple fleets, we recommend using the aws:SourceArn global condition context key with wildcards (*) to match multiple AppStream 2.0 fleet resources.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": [ "appstream.amazonaws.com" ] },
      "Action": "sts:AssumeRole",
      "Condition": {
        "ArnLike": { "aws:SourceArn": "arn:{aws partition}:appstream:{your region name}:{your AWS account ID}:fleet/{your fleet name}" }
      }
    }
  ]
}
Example: AppStream 2.0 Elastic fleets session script Amazon S3 bucket policy cross-service confused deputy prevention
Example aws:SourceAccount Conditional:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": [ "appstream.amazonaws.com" ] },
      "Action": "s3:GetObject",
      "Resource": "your session script S3 path",
      "Condition": {
        "StringEquals": { "aws:SourceAccount": "your AWS account ID" }
      }
    }
  ]
}
Example aws:SourceArn Conditional:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": [ "appstream.amazonaws.com" ] },
      "Action": "s3:GetObject",
      "Resource": "your session script S3 path",
      "Condition": {
        "ArnLike": { "aws:SourceArn": "arn:{aws partition}:appstream:{your region name}:{your AWS account ID}:fleet/{your fleet name}" }
      }
    }
  ]
}
Example: AppStream 2.0 Application Amazon S3 bucket policy cross-service confused deputy prevention
When you store data in an Amazon S3 bucket, the bucket might be exposed to confused deputy issues. This can leave data such as Elastic fleets, app blocks, setup scripts, application icons, and session scripts vulnerable to malicious actors.
To prevent confused deputy issues, you can specify the aws:SourceAccount condition or the aws:SourceArn condition in the Amazon S3 bucket policy for ELASTIC-FLEET-EXAMPLE-BUCKET.
The resource policies below show how to prevent the confused deputy problem with either of the following:
- The aws:SourceAccount global condition context key with your AWS account ID
- The aws:SourceArn global condition context key
AppStream 2.0 currently doesn't support confused deputy prevention for application icons. The service only supports VHD files and setup scripts. If you try to add additional conditions for application icons, the icons won't be displayed to end users.
In the following example, the bucket policy only allows AppStream 2.0 Elastic fleet resources in the owner's account to access ELASTIC-FLEET-EXAMPLE-BUCKET.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ConfusedDeputyPreventionExamplePolicy",
      "Effect": "Allow",
      "Principal": { "Service": "appstream.amazonaws.com" },
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::ELASTIC-FLEET-EXAMPLE-BUCKET/vhd-folder/*",
        "arn:aws:s3:::ELASTIC-FLEET-EXAMPLE-BUCKET/scripts/*"
      ],
      "Condition": {
        "StringEquals": { "aws:SourceAccount": "your AWS account ID" }
      }
    },
    {
      "Sid": "AllowRetrievalPermissionsToS3AppIconsForAppStream",
      "Effect": "Allow",
      "Principal": { "Service": "appstream.amazonaws.com" },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::ELASTIC-FLEET-EXAMPLE-BUCKET/app-icons/*"
    }
  ]
}
You can also use the aws:SourceArn condition to limit resource access for specific resources.
Note
If you don't know the full ARN of a resource, or you want to specify multiple resources, use the aws:SourceArn global condition context key with wildcards (*) for the unknown portions of the ARN.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ConfusedDeputyPreventionExamplePolicy",
      "Effect": "Allow",
      "Principal": { "Service": "appstream.amazonaws.com" },
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::ELASTIC-FLEET-EXAMPLE-BUCKET/vhd-folder/*",
        "arn:aws:s3:::ELASTIC-FLEET-EXAMPLE-BUCKET/scripts/*"
      ],
      "Condition": {
        "ArnLike": { "aws:SourceArn": "arn:{aws partition}:appstream:{your region name}:{your AWS account ID}:app-block/*" }
      }
    },
    {
      "Sid": "AllowRetrievalPermissionsToS3AppIconsForAppStream",
      "Effect": "Allow",
      "Principal": { "Service": "appstream.amazonaws.com" },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::ELASTIC-FLEET-EXAMPLE-BUCKET/app-icons/*"
    }
  ]
}
You can use the aws:SourceArn and aws:SourceAccount conditions together to limit resource access to specific resources and accounts.
Note
If you don't know the full ARN of a resource, or if you want to specify multiple resources, use the aws:SourceArn global condition context key with wildcards (*) for the unknown portions of the ARN.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ConfusedDeputyPreventionExamplePolicy",
      "Effect": "Allow",
      "Principal": { "Service": "appstream.amazonaws.com" },
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::ELASTIC-FLEET-EXAMPLE-BUCKET/vhd-folder/*",
        "arn:aws:s3:::ELASTIC-FLEET-EXAMPLE-BUCKET/scripts/*"
      ],
      "Condition": {
        "ArnLike": { "aws:SourceArn": "arn:{aws partition}:appstream:{your region name}:{your AWS account ID}:app-block/*" },
        "StringEquals": { "aws:SourceAccount": "your AWS account ID" }
      }
    },
    {
      "Sid": "AllowRetrievalPermissionsToS3AppIconsForAppStream",
      "Effect": "Allow",
      "Principal": { "Service": "appstream.amazonaws.com" },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::ELASTIC-FLEET-EXAMPLE-BUCKET/app-icons/*"
    }
  ]
}
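A practical way to keep these bucket and trust policies honest over time is to lint them against the four guidelines at the top of this page. The following Python auditor is an added example, not AWS code: for every Allow statement that names the AppStream service principal, it reports a missing aws:SourceArn/aws:SourceAccount condition, an aws:SourceArn pattern with no account ID that is not paired with aws:SourceAccount, and an account ID in aws:SourceArn that disagrees with aws:SourceAccount. The account IDs, region, partition and helper names (_get_object_stmt, _policy) are constructed; the sample policy mirrors the last bucket policy above, including the app-icons statement that the service requires to stay unconditioned.

```python
import re

APPSTREAM_PRINCIPAL = "appstream.amazonaws.com"
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def _as_list(value):
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _arn_account(arn):
    # The fifth colon-delimited ARN component is the account ID; it may be '*' or empty.
    parts = arn.split(":", 5)
    return parts[4] if len(parts) == 6 else ""


def grants_to_appstream(stmt):
    """True for Allow statements whose Principal names the AppStream service principal."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal")
    return isinstance(principal, dict) and APPSTREAM_PRINCIPAL in _as_list(principal.get("Service"))


def audit_statement(stmt):
    """Apply the page's guidelines to one statement and return a list of findings."""
    sid = stmt.get("Sid", "<no Sid>")
    source_accounts, source_arns = [], []
    for pairs in stmt.get("Condition", {}).values():
        for key, values in pairs.items():
            if key == "aws:SourceAccount":
                source_accounts += _as_list(values)
            elif key == "aws:SourceArn":
                source_arns += _as_list(values)
    if not source_accounts and not source_arns:
        return [f"{sid}: grants {APPSTREAM_PRINCIPAL} with no aws:SourceArn or aws:SourceAccount condition"]
    findings = []
    for arn in source_arns:
        account = _arn_account(arn)
        if not ACCOUNT_ID_RE.match(account):
            if not source_accounts:
                findings.append(f"{sid}: aws:SourceArn '{arn}' carries no account ID, so aws:SourceAccount is also required")
        elif source_accounts and account not in source_accounts:
            findings.append(f"{sid}: aws:SourceArn account {account} differs from aws:SourceAccount {source_accounts}")
    return findings


def audit_policy(policy):
    """Findings for every statement in a trust or bucket policy that grants to AppStream."""
    findings = []
    for stmt in policy.get("Statement", []):
        if grants_to_appstream(stmt):
            findings.extend(audit_statement(stmt))
    return findings


# Constructed sample values; the real ones come from your own account.
ACCOUNT, OTHER_ACCOUNT, REGION = "111111111111", "222222222222", "us-east-1"
BUCKET = "ELASTIC-FLEET-EXAMPLE-BUCKET"


def _get_object_stmt(sid, resources, condition=None):
    # Hypothetical helper that builds one s3:GetObject statement for the service principal.
    stmt = {"Sid": sid, "Effect": "Allow", "Principal": {"Service": APPSTREAM_PRINCIPAL},
            "Action": "s3:GetObject", "Resource": resources}
    if condition:
        stmt["Condition"] = condition
    return stmt


def _policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}


DATA_PATHS = [f"arn:aws:s3:::{BUCKET}/vhd-folder/*", f"arn:aws:s3:::{BUCKET}/scripts/*"]
ICON_STMT = _get_object_stmt("AllowRetrievalPermissionsToS3AppIconsForAppStream",
                             f"arn:aws:s3:::{BUCKET}/app-icons/*")

# Same shape as the last bucket policy above: both keys, account IDs agreeing, plus the
# unconditioned app-icons statement the page says the service needs.
SAMPLE_BUCKET_POLICY = _policy(
    _get_object_stmt("ConfusedDeputyPreventionExamplePolicy", DATA_PATHS, {
        "ArnLike": {"aws:SourceArn": f"arn:aws:appstream:{REGION}:{ACCOUNT}:app-block/*"},
        "StringEquals": {"aws:SourceAccount": ACCOUNT}}),
    ICON_STMT)

# Two constructed misconfigurations that the guidelines rule out.
MISMATCHED_ACCOUNTS = _policy(
    _get_object_stmt("ConfusedDeputyPreventionExamplePolicy", DATA_PATHS, {
        "ArnLike": {"aws:SourceArn": f"arn:aws:appstream:{REGION}:{OTHER_ACCOUNT}:app-block/*"},
        "StringEquals": {"aws:SourceAccount": ACCOUNT}}))
ARN_WITHOUT_ACCOUNT = _policy(
    _get_object_stmt("ConfusedDeputyPreventionExamplePolicy", DATA_PATHS, {
        "ArnLike": {"aws:SourceArn": "arn:aws:appstream:*:*:app-block/*"}}))

if __name__ == "__main__":
    for name, policy in [("sample", SAMPLE_BUCKET_POLICY), ("mismatched", MISMATCHED_ACCOUNTS),
                         ("arn without account", ARN_WITHOUT_ACCOUNT)]:
        print(name, audit_policy(policy) or ["no findings"])
```

On the sample policy the only finding is the app-icons statement, which is exactly the exception this page documents (AppStream 2.0 does not support confused deputy prevention for application icons), so record it as an accepted exception rather than adding a condition that would hide the icons from end users. The other two policies each produce one finding that maps to a guideline above; feeding the auditor the JSON from `aws s3api get-bucket-policy` or `aws iam get-role` output is the natural way to run it over real policies.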