Example: AppStream 2.0 Application Amazon S3 bucket policy cross-service confused deputy prevention
When you store data in an Amazon S3 bucket, the bucket might be exposed to confused deputy issues. This can leave data such as Elastic fleets, app blocks, setup scripts, application icons, and session scripts vulnerable to malicious actors.
To prevent confused deputy issues, you can specify the aws:SourceAccount
condition or the aws:SourceArn condition in the Amazon S3 bucket policy for
ELASTIC-FLEET-EXAMPLE-BUCKET.
The resource policies below show how to prevent the confused deputy problem with either of the following:
-
The
aws:SourceAccountwith your AWS account ID -
The global condition context key
aws:SourceArn
AppStream 2.0 currently doesn't support confused deputy prevention for application icons. The service only supports VHD files and setup scripts. If you try to add additional conditions for application icons, the icons won't be displayed to end users.
In the following example, the bucket policy only allows AppStream 2.0 Elastic fleet resources
in the owner's account to access ELASTIC_FLEET_EXAMPLE_BUCKET.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "ConfusedDeputyPreventionExamplePolicy", "Effect": "Allow", "Principal": { "Service": "appstream.amazonaws.com" }, "Action": "s3:GetObject", "Resource": [ "arn:aws:s3:::ELASTIC-FLEET-EXAMPLE-BUCKET/vhd-folder/*", "arn:aws:s3:::ELASTIC-FLEET-EXAMPLE-BUCKET/scripts/*" ], "Condition": { "StringEquals": { "aws:SourceAccount": "your AWS account ID" } } }, { "Sid": "AllowRetrievalPermissionsToS3AppIconsForAppStream", "Effect": "Allow", "Principal": { "Service": "appstream.amazonaws.com" }, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::ELASTIC-FLEET-EXAMPLE-BUCKET/app-icons/*" } ] }
You can also use the aws:SourceArn condition to limit resource access for
specific resources.
Note
If you don’t know the full ARN of a resource, or you want to specify multiple
resources, use the aws:SourceArn global context condition key with
wildcards (*) for the unknown portions of the ARN.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "ConfusedDeputyPreventionExamplePolicy", "Effect": "Allow", "Principal": { "Service": "appstream.amazonaws.com" }, "Action": "s3:GetObject", "Resource": [ "arn:aws:s3:::ELASTIC-FLEET-EXAMPLE-BUCKET/vhd-folder/*", "arn:aws:s3:::ELASTIC-FLEET-EXAMPLE-BUCKET/scripts/*" ], "Condition": { "ArnLike": { "aws:SourceArn": "arn:{aws-partition}:appstream:{your region name}:{your AWS account ID}:app-block/*" } } }, { "Sid": "AllowRetrievalPermissionsToS3AppIconsForAppStream", "Effect": "Allow", "Principal": { "Service": "appstream.amazonaws.com" }, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::ELASTIC-FLEET-EXAMPLE-BUCKET/app-icons/*" } ] }
You can use the aws:SourceArn and aws:SourceAccount
conditions to limit the resource access for specific resources and accounts.
Note
If you don’t know the full ARN of a resources, or if you want to specify multiple
resources, use the aws:SourceArn global context condition key with
wildcards (*) for the unknown portions of the ARN.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "ConfusedDeputyPreventionExamplePolicy", "Effect": "Allow", "Principal": { "Service": "appstream.amazonaws.com" }, "Action": "s3:GetObject", "Resource": [ "arn:aws:s3:::ELASTIC-FLEET-EXAMPLE-BUCKET/vhd-folder/*", "arn:aws:s3:::ELASTIC-FLEET-EXAMPLE-BUCKET/scripts/*" ], "Condition": { "ArnLike": { "aws:SourceArn": "arn:{aws partition}:appstream:{your region name}:{your AWS account ID}:app-block/*" }, "StringEquals": { "aws:SourceAccount": "your AWS account ID" } } }, { "Sid": "AllowRetrievalPermissionsToS3AppIconsForAppStream", "Effect": "Allow", "Principal": { "Service": "appstream.amazonaws.com" }, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::ELASTIC-FLEET-EXAMPLE-BUCKET/app-icons/*" } ] }
