AWS Security ChangesHomeSearch

AWS solutions documentation change

Service: solutions · 2025-03-30 · Documentation low

File: solutions/latest/connected-mobility-solution-on-aws/backstage-module.md

Summary

Expanded authentication/authorization details including RBAC implementation with default-deny policy and super user management

Security assessment

Adds documentation about security features (RBAC plugin, default-deny authorization model) but does not indicate a specific security vulnerability being addressed

Diff

diff --git a/solutions/latest/connected-mobility-solution-on-aws/backstage-module.md b/solutions/latest/connected-mobility-solution-on-aws/backstage-module.md
index 66f32d537..35d2b78b6 100644
--- a/solutions/latest/connected-mobility-solution-on-aws/backstage-module.md
+++ b/solutions/latest/connected-mobility-solution-on-aws/backstage-module.md
@@ -9 +9,3 @@
-CMS on AWS uses Backstage as the preferred approach for deploying its modules. The Backstage module is deployed and configured to deploy within the provided [VPC](./virtual-private-cloud-vpc-1.html) and requires an Amazon Route 53 hosted zone. This hosted zone is specified in the deployment parameters as the host for the Backstage portal (see [Working with hosted zones](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-working-with.html)). The Backstage module is also protected by requiring sign-in of authenticated users. Authentication is done by communicating with the identity provider configured by using the [Auth Setup](./cms-on-aws-modules-and-services.html#auth-setup) module. Authenticated users can then deploy CMS on AWS modules directly from the Backstage portal (see [Deploy CMS Modules via Backstage](./deploying-cms-on-aws-modules-via-backstage.html)).
+CMS on AWS uses Backstage as the preferred approach for deploying its modules. The Backstage module is deployed and configured to deploy within the provided [VPC](./virtual-private-cloud-vpc-1.html) and requires an Amazon Route53 hosted zone. This hosted zone is specified in the deployment parameters as the host for the Backstage portal (see [Working with hosted zones](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-working-with.html)).
+
+The Backstage module also provides both authentication and authorization by default. Authentication is accomplished by communicating with the identity provider configured via the [Auth Setup](./cms-on-aws-modules-and-services.html#auth-setup) module. Authenticated users can then log in to the Backstage portal. Authorization is implemented into Backstage via the [Backstage community RBAC plugin](https://github.com/backstage/community-plugins/tree/main/workspaces/rbac/plugins). Authorization is configured to deny by default. All permissions can be managed via the RBAC front-end, where they can be grouped into roles and assigned to users. On initial deployment, only a single super user is created, which will be the starting point for granting further permissions to other users.