AWS Security ChangesHomeSearch

AWS kendra high security documentation change

Service: kendra · 2025-03-05 · Security-related high

File: kendra/latest/dg/data-source-zendesk.md

Summary

Updated Zendesk OAuth 2.0 authentication setup with detailed step-by-step instructions for creating OAuth clients, generating access tokens via implicit grant flow, and secure token storage guidance.

Security assessment

The changes emphasize secure credential management by adding explicit steps for OAuth client configuration with 'read' scope limitations, instructions to securely store client secrets/access tokens, and retained warnings about credential rotation/reuse. These are security best practices for authentication handling.

Diff

diff --git a/kendra/latest/dg/data-source-zendesk.md
index d4ee98c0e..6d89bc681 100644
--- a/kendra/latest/dg/data-source-zendesk.md
+++ b/kendra/latest/dg/data-source-zendesk.md
@@ -61 +61 @@ Before you can use Amazon Kendra to index your Zendesk data source, make these c
-  * Configured an OAuth 2.0 token containing a client ID, client secret, user name, and password. The OAuth 2.0 token is required to use as your authentication credentials. See [Zendesk documentation on configuring OAuth 2.0 tokens](https://developer.zendesk.com/documentation/ticketing/working-with-oauth/creating-and-using-oauth-tokens-with-the-api/) for more information.
+  * Set up 0Auth 2.0 Authentication :
@@ -63 +63 @@ Before you can use Amazon Kendra to index your Zendesk data source, make these c
-###### Note
+    1. In Admin Center, navigate to Apps and integrations > APIs > Zendesk API.
@@ -65 +65,9 @@ Before you can use Amazon Kendra to index your Zendesk data source, make these c
-We recommend that you regularly refresh or rotate your credentials and secret. Provide only the necessary access level for your own security. We do **not** recommend that you re-use credentials and secrets across data sources, and connector versions 1.0 and 2.0 (where applicable).
+    2. Select the OAuth Clients tab and click "Add OAuth client".
+
+    3. Configure the folllwing OAuth client details: Set Client Name and Description, Set Client Kind to "Confidential", Add appropriate Redirect URLs, Save and securely store the generated Client Secret.
+
+    4. Ensure the OAuth client has the required "read" scope (or "read write" if you need write access). 
+
+    5. Generate an Access Token using the implicit grant flow: 
+
+       * In a browser, navigate to: `https://{subdomain}.zendesk.com/oauth/authorizations/new?response_type=token&client_id=<your_client_id>&scope=read`
@@ -67 +75 @@ We recommend that you regularly refresh or rotate your credentials and secret. P
-  * Added the following OAuth 2.0 scope:
+       * Authenticate and authorize the application when prompted. 
@@ -69 +77,7 @@ We recommend that you regularly refresh or rotate your credentials and secret. P
-    * read
+       * After authorization, you'll be redirected to a URL containing the access token in the fragment (after the #). Extract this token. 
+
+    6. Store the generated access token securely. This is the "Implicit grant token" you'll use for Kendra integration.
+
+  * ###### Note
+
+We recommend that you regularly refresh or rotate your credentials and secret. Provide only the necessary access level for your own security. We do **not** recommend that you re-use credentials and secrets across data sources, and connector versions 1.0 and 2.0 (where applicable).
@@ -140,3 +154 @@ You can choose to configure or edit your **User access control** settings under
-      1. Enter following information in the **Create an AWS Secrets Manager secret window** :
-
-        1. **Secret name** —A name for your secret. The prefix ‘AmazonKendra-Zendesk-’ is automatically added to your secret name.
+      1. Create a new secret with the following structure:
@@ -144 +156,4 @@ You can choose to configure or edit your **User access control** settings under
-        2. For **Client ID** , **Client secret** , **User name** , **Password** —Enter the authentication credential values configured in Zendesk.
+                        {
+                     "hostUrl": "https://yoursubdomain.zendesk.com/",
+                     "accessToken": "your_implicit_grant_access_token"
+            }