AWS solutions documentation change
Summary
Minor typographical corrections (apostrophe formatting) and whitespace fixes throughout the document. No substantive content changes to security practices.
Security assessment
Changes consist of punctuation formatting (straight vs. curly apostrophes) and whitespace cleanup. Existing security documentation about IAM roles, CloudFront OAI, Cognito groups, and TLS recommendations remains unchanged in substance.
Diff
diff --git a/solutions/latest/unified-profiles-for-travelers-and-guests-on-aws/security-1.md b/solutions/latest/unified-profiles-for-travelers-and-guests-on-aws/security-1.md index 784404f59..6163c3935 100644 --- a/solutions/latest/unified-profiles-for-travelers-and-guests-on-aws/security-1.md +++ b/solutions/latest/unified-profiles-for-travelers-and-guests-on-aws/security-1.md @@ -13 +13 @@ When you build systems on AWS infrastructure, security responsibilities are shar -AWS IAM roles allow customers to assign granular access policies and permissions to services and users on the AWS Cloud. This solution creates IAM roles that grant the solution's Lambda functions access to create Regional resources. +AWS IAM roles allow customers to assign granular access policies and permissions to services and users on the AWS Cloud. This solution creates IAM roles that grant the solution’s Lambda functions access to create Regional resources. @@ -17 +17 @@ AWS IAM roles allow customers to assign granular access policies and permissions -This solution deploys a web console [hosted](https://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteHosting.html) in an Amazon S3 bucket. To help reduce latency and improve security, this solution includes a CloudFront distribution with an origin access identity, which is a CloudFront user that provides public access to the solution's website bucket contents. For more information, see [Restricting Access to Amazon S3 Content by Using an Origin Access Identity](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html) in the _Amazon CloudFront Developer Guide_. +This solution deploys a web console [hosted](https://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteHosting.html) in an Amazon S3 bucket. To help reduce latency and improve security, this solution includes a CloudFront distribution with an origin access identity, which is a CloudFront user that provides public access to the solution’s website bucket contents. For more information, see [Restricting Access to Amazon S3 Content by Using an Origin Access Identity](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html) in the _Amazon CloudFront Developer Guide_. @@ -31 +31 @@ Every request to the Unified Customer Profile for Travelers and Guests on AWS ma -One of the tasks of the post-processing step includes filtering all traveler data based on the end-user's permission. Filters can be applied to traveler data, as well as each individual business object. +One of the tasks of the post-processing step includes filtering all traveler data based on the end-user’s permission. Filters can be applied to traveler data, as well as each individual business object. @@ -33 +33 @@ One of the tasks of the post-processing step includes filtering all traveler dat -Permissions are built using role-based access, and managed with Amazon Cognito user groups at the domain level. By default, users don't have access to any traveler data. Each new Unified Customer Profile domain has an admin group created by default for convenience. All other groups must be manually created for security and privacy. +Permissions are built using role-based access, and managed with Amazon Cognito user groups at the domain level. By default, users don’t have access to any traveler data. Each new Unified Customer Profile domain has an admin group created by default for convenience. All other groups must be manually created for security and privacy. @@ -78 +78 @@ The role description must contain a string pattern that describes the permission - hotel_booking/*?hotel_code in [BOS1, BOS2, BOS3] + hotel_booking/*?hotel_code in [BOS1, BOS2, BOS3] @@ -112 +112 @@ These features include: - * SaveRuleSet and ActivateRuleSet –SaveRuleSet saves a draft rule set that has been modified. ActivateRuleSet makes that rule set active for rule-based matching. + * SaveRuleSet and ActivateRuleSet SaveRuleSet saves a draft rule set that has been modified. ActivateRuleSet makes that rule set active for rule-based matching. @@ -123 +123 @@ Each feature has a binary representation associated to it, known as the Permissi -For example, let's take a look at the following permission set: +For example, let’s take a look at the following permission set: @@ -162 +162 @@ Here each permission has a single bit set as 1. A user can access a feature if t -For each Cognito group starting with prefix `app`, you will see a hex value in the group name. Converting the hex value into a binary string will result in a set of 1's and 0's. The positions of 1's indicate which features are accessible by the group. +For each Cognito group starting with prefix `app`, you will see a hex value in the group name. Converting the hex value into a binary string will result in a set of 1’s and 0’s. The positions of 1’s indicate which features are accessible by the group. @@ -273 +273 @@ To create your own groups for providing feature level access: - 6. Hex code value – omit the base prefix (0x) while using big-endian (MSB first), and do not use padding. The value should not exceed the width allocated (16bits or 4 hex characters). + 6. Hex code value - omit the base prefix (0x) while using big-endian (MSB first), and do not use padding. The value should not exceed the width allocated (16bits or 4 hex characters). @@ -307 +307 @@ We recommend the following security-related configurations in your AWS account f - * The solution frontend is hosted on CloudFront and using the default URL created by CloudFront. We recommend you setup a custom domain with a dedicated certificate in order to impose the TLS version that meets your security team's requirement. + * The solution frontend is hosted on CloudFront and using the default URL created by CloudFront. We recommend you setup a custom domain with a dedicated certificate in order to impose the TLS version that meets your security team’s requirement.