Prevent cross-account confused deputies

see https://docs.aws.amazon.com/transcribe/latest/dg/security-iam-confused-deputy.html
aws · Dec 12, 2023 · 66d02be · 66d02be
1 parent f128851
commit 66d02be
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml b/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml
@@ -537,6 +537,10 @@ Resources:
             Effect: Allow
             Principal:
               Service: cloudformation.amazonaws.com
+            Condition:
+              StringEquals:
+                aws:SourceAccount:
+                  Ref: AWS::AccountId
         Version: '2012-10-17'
       ManagedPolicyArns:
         Fn::If: