AWS solutions documentation change
Summary
Minor formatting changes including apostrophe/hyphen fixes and markdown link syntax adjustments. No substantive content changes.
Security assessment
Changes are limited to punctuation corrections (straight quotes to curly quotes), hyphen formatting, and markdown link syntax. The security-related content about TLS configuration, token expiration, and backups remains unchanged from previous recommendations.
Diff
diff --git a/solutions/latest/generative-ai-application-builder-on-aws/step-4-post-deployment-configuration.md index affb1e8dd..fc93f925b 100644 --- a/solutions/latest/generative-ai-application-builder-on-aws/step-4-post-deployment-configuration.md +++ b/solutions/latest/generative-ai-application-builder-on-aws/step-4-post-deployment-configuration.md @@ -13 +13 @@ This section provides recommendations for configuring the solution after deploym -This solution doesn't enforce lifecycle configurations on the buckets it creates. We recommend the following: +This solution doesn’t enforce lifecycle configurations on the buckets it creates. We recommend the following: @@ -24 +24 @@ This solution doesn't enforce lifecycle configurations on the buckets it creates -This solution uses DynamoDB for several purposes (see [AWS services in this solution](./architecture-details.html#aws-services-in-this-solution)). The solution doesn't enable backups for the tables it creates. We recommend creating a backup of this feature for production deployments. See [Backing up a DynamoDB table](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Backup.Tutorial.html) and [Using AWS Backup for DynamoDB](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/backuprestore_HowItWorksAWS.html) for details. +This solution uses DynamoDB for several purposes (see [AWS services in this solution](./architecture-details.html#aws-services-in-this-solution)). The solution doesn’t enable backups for the tables it creates. We recommend creating a backup of this feature for production deployments. See [Backing up a DynamoDB table](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Backup.Tutorial.html) and [Using AWS Backup for DynamoDB](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/backuprestore_HowItWorksAWS.html) for details. @@ -32 +32 @@ The solution deploys a custom dashboard in CloudWatch to render charts from cust -Lambda logs are configured to never expire and API Gateway logs are configured with a 10-year expiry. You can update the expiry of the respective log groups to align with your enterprise's record retention policy. +Lambda logs are configured to never expire and API Gateway logs are configured with a 10-year expiry. You can update the expiry of the respective log groups to align with your enterprise’s record retention policy. @@ -36 +36 @@ Lambda logs are configured to never expire and API Gateway logs are configured w -The solution deploys a web UI and Edge Optimized API Gateway using CloudFront. CloudFront's domain doesn't enforce TLS v1.2 or higher certificates. We recommend creating a custom domain using [Amazon Route 53](https://aws.amazon.com/route53/), creating a certificate using [AWS Certificate Manager](https://aws.amazon.com/certificate-manager/), or using an existing certificate if your organization has one. +The solution deploys a web UI and Edge Optimized API Gateway using CloudFront. CloudFront’s domain doesn’t enforce TLS v1.2 or higher certificates. We recommend creating a custom domain using [Amazon Route 53](https://aws.amazon.com/route53/), creating a certificate using [AWS Certificate Manager](https://aws.amazon.com/certificate-manager/), or using an existing certificate if your organization has one. @@ -60 +60 @@ This solution allows integration with external identity providers that support S -To pass the user group information to knowledge base or vector stores in a RAG based architecture, you will need to map user groups from the external Idp to Amazon Cognito user groups. The solution provides an initial scaffolding [Lambda function](https://github.com/aws-solutions/generative-ai-application-builder-on-aws/tree/main/source/lambda/ext-idp-group-mapper) trigger to be mapped with the [pre token generation](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html) phase. The Lambda function has the [`group_mapping.json`](https://github.com/aws-solutions/generative-ai-application-builder-on-aws/tree/main/source/lambda/ext-idp-group-mapper/config/group_mapping.json) file which must be updated to provide the group mappings. Refer to [Customizing user pool workflows with Lambda triggers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html) for Lambda triggers supported by Amazon Cognito. +To pass the user group information to knowledge base or vector stores in a RAG based architecture, you will need to map user groups from the external Idp to Amazon Cognito user groups. The solution provides an initial scaffolding [Lambda function](https://github.com/aws-solutions/generative-ai-application-builder-on-aws/tree/main/source/lambda/ext-idp-group-mapper) trigger to be mapped with the [pre token generation](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html) phase. The Lambda function has the [group_mapping.json](https://github.com/aws-solutions/generative-ai-application-builder-on-aws/tree/main/source/lambda/ext-idp-group-mapper/config/group_mapping.json) file which must be updated to provide the group mappings. Refer to [Customizing user pool workflows with Lambda triggers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html) for Lambda triggers supported by Amazon Cognito. @@ -78 +78 @@ Based on the use case for which you deploy the solution, review the following se - * **Cognito JSON Web Tokens (JWTs)** – The solution uses Amazon Cognito-issued JWTs to authenticate with the REST API endpoints. We configured the solution with a five-minute expiry for [ID tokens](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-id-token.html) and [access tokens](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-access-token.html). When a user logs out, their ability to generate new tokens is revoked ([refresh token](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-refresh-token.html) is revoked). However, until the expiry of the current token, any requests to the API endpoint will be successfully authenticated, since they have a valid token. Review the security considerations for your use case and adjust the token validity period. + * **Cognito JSON Web Tokens (JWTs)** \- The solution uses Amazon Cognito-issued JWTs to authenticate with the REST API endpoints. We configured the solution with a five-minute expiry for [ID tokens](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-id-token.html) and [access tokens](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-access-token.html). When a user logs out, their ability to generate new tokens is revoked ([refresh token](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-refresh-token.html) is revoked). However, until the expiry of the current token, any requests to the API endpoint will be successfully authenticated, since they have a valid token. Review the security considerations for your use case and adjust the token validity period.