Cross-service confused deputy prevention
A confused deputy is an entity (a service or an account) that is coerced by a different entity to perform an action. This type of impersonation can happen cross-account and cross-service.
To prevent confused deputies, AWS provides tools that help you protect your data for all services using service principals that have been given access to resources in your AWS account. This section focuses on cross-service confused deputy prevention specific to Amazon Transcribe; however, you can learn more about this topic in the confused deputy problem section of the IAM User Guide.
To limit the permissions IAM gives to Amazon Transcribe to access your
resources, we recommend using the global condition context keys aws:SourceArn and aws:SourceAccount in your resource policies.
If you use both of these global condition context keys, and the aws:SourceArn
value contains the AWS account ID, the aws:SourceAccount value
and the AWS account in aws:SourceArn must use the same
AWS account ID when used in the same policy statement.
If you want only one resource to be associated with the cross-service access, use
aws:SourceArn. If you want to associate any resource in that AWS account with
cross-service access, use aws:SourceAccount.
Note
The most effective way to protect against the confused deputy problem is to use the
aws:SourceArn global condition context key with the full ARN of
the resource. If you don’t know the full ARN, or if you're specifying multiple resources, use the
aws:SourceArn global context condition key with wildcards (*) for the
unknown portions of the ARN. For example,
arn:aws:transcribe::.123456789012:*
For an example of an assume role policy that shows how you can prevent a confused deputy issue, see Confused deputy prevention policy.
