Amazon AppStream 2.0 Cross-Service Confused Deputy Prevention - Amazon AppStream 2.0

Amazon AppStream 2.0 Cross-Service Confused Deputy Prevention

The confused deputy problem is a security issue where an entity that doesn't have permission to perform an action coerces a more-privileged entity to perform the action. In AWS, cross-service impersonation can leave account resources vulnerable to the confused deputy problem. Cross-service impersonation occurs when one service (the calling service) calls another service (the called service). The calling service can manipulate the called service to use its permissions to act on a customer's resources in ways that the calling service doesn't have permission to perform for itself. To prevent this, AWS provides tools that helps you protect your data for all services with service principals that have access to resources in your account.

We recommend using the aws:SourceArn and aws:SourceAccount global condition context keys in resource policies to limit permissions when accessing these resources. The following guidelines detail recommendations and requirements when you use these keys to protect your resources:

  • Use aws:SourceArn if you want only one resource associated with cross-service access.

  • Use aws:SourceAccount if you want to allow any resource in the specified account associated with cross-service use.

  • If the aws:SourceArn key doesn't contain an account ID, you must use both global condition context keys (aws:SourceArn and aws:SourceAccount) to limit permissions.

  • If you use both global condition context keys and the aws:SourceArn value contains an account ID, the aws:SourceAccount key must use the same account ID when used in the same policy statement.

The most effective way to protect against the confused deputy problem is to use the exact Amazon Resource Name (ARN) of the resource you want to allow. If you don't know the full ARN of the resource, use the aws:SourceArn global context condition key with wildcards (such as *) for the unknown portions of the ARN. You can also use a wildcard in the ARN if you want to specify multiple resources. For example, you can format the ARN as arn:aws:servicename::region-name::your AWS account ID:*.

Topics