Resource policies lacked a way of restricting a service's access to only your
own account, allowing an attacker to leverage that service to access your
resources. Originally discovered by Dan Peebles and presented at re:Invent
in 2018, this issue did not gain enough attention to be fixed until Shir Tamari
and Ami Luttwak from Wiz presented it at Black Hat 2021.
Update existing vulnerable IAM policies by adding a scoping condition.
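As an added example (not part of this entry), the following Python checker flags resource-policy statements that grant a service principal access without a scoping condition, and shows the same statement before and after the fix. It assumes the AWS global condition keys aws:SourceAccount and aws:SourceArn as the scoping condition; the bucket policy, service principal and account id are constructed sample values.

```python
import json

# AWS global condition keys that scope a service principal to the account/resource
# on whose behalf it acts (the "scoping condition" the entry refers to).
SCOPING_KEYS = {"aws:sourceaccount", "aws:sourcearn"}

# Constructed sample: an S3 bucket policy granting a service principal write access.
VULNERABLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowServiceWrite",
    "Effect": "Allow",
    "Principal": {"Service": "cloudtrail.amazonaws.com"},
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::example-bucket/*"
  }]
}""")

# Same policy with the scoping condition added (111122223333 is a placeholder account id).
HARDENED_POLICY = json.loads(json.dumps(VULNERABLE_POLICY))
HARDENED_POLICY["Statement"][0]["Condition"] = {
    "StringEquals": {"aws:SourceAccount": "111122223333"}
}

def _service_principals(statement):
    """Service principals named by a statement ('*' or account principals are not services)."""
    principal = statement.get("Principal", {})
    if not isinstance(principal, dict):
        return []
    service = principal.get("Service", [])
    return [service] if isinstance(service, str) else list(service)

def _condition_keys(statement):
    """All condition keys used in the statement, lower-cased (IAM keys are case-insensitive)."""
    return {key.lower() for values in statement.get("Condition", {}).values() for key in values}

def find_unscoped_service_statements(policy):
    """Return (Sid, [service principals]) for each Allow statement that grants a
    service principal access with no aws:SourceAccount / aws:SourceArn condition."""
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for idx, stmt in enumerate(statements):
        services = _service_principals(stmt)
        if stmt.get("Effect") == "Allow" and services and not (_condition_keys(stmt) & SCOPING_KEYS):
            findings.append((stmt.get("Sid", f"Statement[{idx}]"), services))
    return findings
```

Running the checker over the two policies reports the vulnerable statement for the first and nothing for the hardened one.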
No tracked CVEs