Amazon AppStream 2.0 Cross-Service Confused Deputy Prevention - Amazon AppStream 2.0

Amazon AppStream 2.0 Cross-Service Confused Deputy Prevention

The confused deputy problem is a security issue where an entity that doesn't have permission to perform an action coerces a more-privileged entity to perform the action. In AWS, cross-service impersonation can leave account resources vulnerable to the confused deputy problem. Cross-service impersonation occurs when one service (the calling service) calls another service (the called service). The calling service can manipulate the called service to use its permissions to act on a customer's resources in ways that the calling service doesn't have permission to perform for itself. To prevent this, AWS provides tools that helps you protect your data for all services with service principals that have access to resources in your account.

We recommend using the aws:SourceArn and aws:SourceAccount global condition context keys in resource policies to limit permissions when accessing these resources. The following guidelines detail recommendations and requirements when you use these keys to protect your resources:

  • Use aws:SourceArn if you want only one resource associated with cross-service access.

  • Use aws:SourceAccount if you want to allow any resource in the specified account associated with cross-service use.

  • If the aws:SourceArn key doesn't contain an account ID, you must use both global condition context keys (aws:SourceArn and aws:SourceAccount) to limit permissions.

  • If you use both global condition context keys and the aws:SourceArn value contains an account ID, the aws:SourceAccount key must use the same account ID when used in the same policy statement.

The most effective way to protect against the confused deputy problem is to use the exact Amazon Resource Name (ARN) of the resource you want to allow. If you don't know the full ARN of the resource, use the aws:SourceArn global context condition key with wildcards (such as *) for the unknown portions of the ARN. You can also use a wildcard in the ARN if you want to specify multiple resources. For example, you can format the ARN as arn:aws:servicename::region-name::your AWS account ID:*.

Example: AppStream 2.0 service role cross-service confused deputy prevention

AppStream 2.0 assumes a service role using a variety of resource ARNs, which leads to a complicated conditional statement. We recommend using a wildcard resource type to prevent any unexpected AppStream 2.0 resources failures.

Example aws:SourceAccount Conditional:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "appstream.amazonaws.com" ] }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "aws:SourceAccount": "your AWS account ID" } } } ] }
Example aws:SourceArn Conditional:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "appstream.amazonaws.com" ] }, "Action": "sts:AssumeRole", "Condition": { "ArnLike": { "aws:SourceArn": "arn:{aws partition}:appstream:{your region name}:{your AWS account ID}:*" } } } ] }

Example: AppStream 2.0 fleet machine role cross-service confused deputy prevention

Example aws:SourceAccount Conditional:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "appstream.amazonaws.com" ] }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "aws:SourceAccount": "your AWS account ID" } } } ] }
Example aws:SourceArn Conditional:
Note

If you want to use one IAM role for multiple fleets, we recommend using the aws:SourceArn global context condition key with wildcards (*) to match multiple AppStream 2.0 fleet resources.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "appstream.amazonaws.com" ] }, "Action": "sts:AssumeRole", "Condition": { "ArnLike": { "aws:SourceArn": "arn:{aws partition}:appstream:{your region name}:{your AWS account ID}:fleet/{your fleet name}" } } } ] }

Example: AppStream 2.0 Elastic fleets session script Amazon S3 bucket policy cross-service confused deputy prevention

Example aws:SourceAccount Conditional:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "appstream.amazonaws.com" ] }, "Action": "s3:GetObject", "Resource": "your session script S3 path", "Condition": { "StringEquals": { "aws:SourceAccount": "your AWS account ID" } } } ] }
Example aws:SourceArn Conditional:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "appstream.amazonaws.com" ] }, "Action": "s3:GetObject", "Resource": "your session script S3 path", "Condition": { "ArnLike": { "aws:SourceArn": "arn:{aws partition}:appstream:{your region name}:{your AWS account ID}:fleet/{your fleet name}" } } } ] }

Example: AppStream 2.0 Application Amazon S3 bucket policy cross-service confused deputy prevention

When you store data in an Amazon S3 bucket, the bucket might be exposed to confused deputy issues. This can leave data such as Elastic fleets, app blocks, setup scripts, application icons, and session scripts vulnerable to malicious actors.

To prevent confused deputy issues, you can specify the aws:SourceAccount condition or the aws:SourceArn condition in the Amazon S3 bucket policy for ELASTIC-FLEET-EXAMPLE-BUCKET.

The resource policies below show how to prevent the confused deputy problem with either of the following:

  • The aws:SourceAccount with your AWS account ID

  • The global condition context key aws:SourceArn

AppStream 2.0 currently doesn't support confused deputy prevention for application icons. The service only supports VHD files and setup scripts. If you try to add additional conditions for application icons, the icons won't be displayed to end users.

In the following example, the bucket policy only allows AppStream 2.0 Elastic fleet resources in the owner's account to access ELASTIC_FLEET_EXAMPLE_BUCKET.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "ConfusedDeputyPreventionExamplePolicy", "Effect": "Allow", "Principal": { "Service": "appstream.amazonaws.com" }, "Action": "s3:GetObject", "Resource": [ "arn:aws:s3:::ELASTIC-FLEET-EXAMPLE-BUCKET/vhd-folder/*", "arn:aws:s3:::ELASTIC-FLEET-EXAMPLE-BUCKET/scripts/*" ], "Condition": { "StringEquals": { "aws:SourceAccount": "your AWS account ID" } } }, { "Sid": "AllowRetrievalPermissionsToS3AppIconsForAppStream", "Effect": "Allow", "Principal": { "Service": "appstream.amazonaws.com" }, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::ELASTIC-FLEET-EXAMPLE-BUCKET/app-icons/*" } ] }

You can also use the aws:SourceArn condition to limit resource access for specific resources.

Note

If you don’t know the full ARN of a resource, or you want to specify multiple resources, use the aws:SourceArn global context condition key with wildcards (*) for the unknown portions of the ARN.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "ConfusedDeputyPreventionExamplePolicy", "Effect": "Allow", "Principal": { "Service": "appstream.amazonaws.com" }, "Action": "s3:GetObject", "Resource": [ "arn:aws:s3:::ELASTIC-FLEET-EXAMPLE-BUCKET/vhd-folder/*", "arn:aws:s3:::ELASTIC-FLEET-EXAMPLE-BUCKET/scripts/*" ], "Condition": { "ArnLike": { "aws:SourceArn": "arn:{aws-partition}:appstream:{your region name}:{your AWS account ID}:app-block/*" } } }, { "Sid": "AllowRetrievalPermissionsToS3AppIconsForAppStream", "Effect": "Allow", "Principal": { "Service": "appstream.amazonaws.com" }, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::ELASTIC-FLEET-EXAMPLE-BUCKET/app-icons/*" } ] }

You can use the aws:SourceArn and aws:SourceAccount conditions to limit the resource access for specific resources and accounts.

Note

If you don’t know the full ARN of a resources, or if you want to specify multiple resources, use the aws:SourceArn global context condition key with wildcards (*) for the unknown portions of the ARN.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "ConfusedDeputyPreventionExamplePolicy", "Effect": "Allow", "Principal": { "Service": "appstream.amazonaws.com" }, "Action": "s3:GetObject", "Resource": [ "arn:aws:s3:::ELASTIC-FLEET-EXAMPLE-BUCKET/vhd-folder/*", "arn:aws:s3:::ELASTIC-FLEET-EXAMPLE-BUCKET/scripts/*" ], "Condition": { "ArnLike": { "aws:SourceArn": "arn:{aws partition}:appstream:{your region name}:{your AWS account ID}:app-block/*" }, "StringEquals": { "aws:SourceAccount": "your AWS account ID" } } }, { "Sid": "AllowRetrievalPermissionsToS3AppIconsForAppStream", "Effect": "Allow", "Principal": { "Service": "appstream.amazonaws.com" }, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::ELASTIC-FLEET-EXAMPLE-BUCKET/app-icons/*" } ] }