AWS singlesignon documentation change
Summary
Expanded explanation of trusted identity propagation and identity context
Security assessment
Added detailed documentation about identity context propagation for authorization decisions, which is a security-related feature. No specific vulnerability addressed.
Diff
diff --git a/singlesignon/latest/userguide/trustedidentitypropagation-overview.md b/singlesignon/latest/userguide/trustedidentitypropagation-overview.md index ceb6d875f..102cc207e 100644 --- a//singlesignon/latest/userguide/trustedidentitypropagation-overview.md +++ b//singlesignon/latest/userguide/trustedidentitypropagation-overview.md @@ -9 +9,3 @@ Benefits of trusted identity propagationEnabling trusted identity propagationHow -Trusted identity propagation enables AWS services to grant permissions based on user attributes such as group associations, add context to an IAM role identifying the user requesting access to AWS resources, and propagate this context to other AWS services. +Trusted identity propagation is a feature of IAM Identity Center that enables administrators of AWS services to grant permissions based on user attributes such as group associations. With trusted identity propagation, identity context is added to an IAM role to identify the user requesting access to AWS resources. This context is propagated to other AWS services. + +Identity context comprises information that AWS services use to make authorization decisions when they receive access requests. This information includes metadata that identifies the requester (for example, an IAM Identity Center user), the AWS service to which access is requested (for example, Amazon Redshift), and the scope of access (for example, read only access). The receiving AWS service uses this context, and any permissions assigned to the user, to authorize access to its resources. @@ -13 +15 @@ Trusted identity propagation enables AWS services to grant permissions based on -Trusted identity propagation is a feature of IAM Identity Center that allows the administrators of AWS services to grant permissions to resources, such as data, using the corporate identities of your workforce. In addition, they can audit who accessed what data by looking at service logs or AWS CloudTrail. The administrators of AWS services that support trusted identity propagation may reach out to you to request you enable the feature in IAM Identity Center. +Trusted identity propagation allows the administrators of AWS services to grant permissions to resources, such as data, using the corporate identities of your workforce. In addition, they can audit who accessed what data by looking at service logs or AWS CloudTrail. If you're an IAM Identity Center administrator, you may be asked by other AWS service administrators to enable trusted identity propagation.