AWS rolesanywhere medium security documentation change
Summary
Added new section 'Invalidating a IAM Roles Anywhere session' with certificate revocation procedures
Security assessment
Introduces documentation about revoking certificate-based access through CRL management, which is a security control mechanism for credential revocation
Diff
diff --git a/rolesanywhere/latest/userguide/security_iam_troubleshoot.md b/rolesanywhere/latest/userguide/security_iam_troubleshoot.md index 2ceb59ce1..a195bea5b 100644 --- a//rolesanywhere/latest/userguide/security_iam_troubleshoot.md +++ b//rolesanywhere/latest/userguide/security_iam_troubleshoot.md @@ -5 +5 @@ -I am not authorized to perform an action in IAM Roles AnywhereI am not authorized to perform iam:PassRoleI want to view my access keysI'm an administrator and want to allow others to access IAM Roles AnywhereI want to allow people outside of my AWS account to access my IAM Roles Anywhere resources +I am not authorized to perform an action in IAM Roles AnywhereI am not authorized to perform iam:PassRoleI want to view my access keysI'm an administrator and want to allow others to access IAM Roles AnywhereI want to allow people outside of my AWS account to access my IAM Roles Anywhere resourcesInvalidating a IAM Roles Anywhere session @@ -22,0 +23,2 @@ Use the following information to help you diagnose and fix common issues that yo + * Invalidating a IAM Roles Anywhere session + @@ -88,0 +91,25 @@ To learn more, consult the following: +## Invalidating a IAM Roles Anywhere session + +You can invalidate a IAM Roles Anywhere session if you need to revoke access for certificates issued by AWS Private Certificate Authority (AWS Private CA) or another certificate authority. + +###### To invalidate a IAM Roles Anywhere session + + 1. To get an updated certificate revocation list (CRL), do one of the following: + + * If you use AWS Private CA, see [Revoking IAM role session permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_revoke-sessions.html#revoke-session). + + * If you use a different certificate authority: + + 1. Follow their documentation for revoking certificate access and invalidating sessions. + + 2. Request a new CRL from your certificate authority. + + 2. After you get your updated CRL, import it using one of the following: + + * The [ImportCrl](https://docs.aws.amazon.com/rolesanywhere/latest/APIReference/API_ImportCrl.html) API operation + + * The [import-crl](https://docs.aws.amazon.com/cli/latest/reference/rolesanywhere/import-crl.html) AWS CLI command + + + +