AWS Security ChangesHomeSearch

AWS decision-guides documentation change

Service: decision-guides · 2025-05-16 · Documentation low

File: decision-guides/latest/identity-on-aws-how-to-choose/identity-on-aws-how-to-choose.md

Summary

Updated guidance for IAM Roles Anywhere scope (removed multi-cloud references), expanded developer authentication options (added VPC Lattice, API Gateway with SigV4, Cognito, Verified Permissions), and added new security-related service recommendations and blog post reference.

Security assessment

The changes add documentation for security features like service-to-service authentication (VPC Lattice, API Gateway SigV4), cross-cloud authorization (Cognito, Verified Permissions), and link to a security blog post about machine-to-machine authentication. While these updates enhance security guidance, there is no evidence of addressing a specific vulnerability or incident.

Diff

diff --git a/decision-guides/latest/identity-on-aws-how-to-choose/identity-on-aws-how-to-choose.md b/decision-guides/latest/identity-on-aws-how-to-choose/identity-on-aws-how-to-choose.md
index 0325749f3..12e623ffa 100644
--- a//decision-guides/latest/identity-on-aws-how-to-choose/identity-on-aws-how-to-choose.md
+++ b//decision-guides/latest/identity-on-aws-how-to-choose/identity-on-aws-how-to-choose.md
@@ -78 +78 @@ Cloud/Identity administrator |  Remove unused permissions and drive towards leas
-Cloud/Identity administrator |  Grant AWS access to on-premises or multi-cloud workloads. |  [IAM Roles Anywhere](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html) (requires PKI, the ability to issue and manage certificates) |   
+Cloud/Identity administrator |  Grant AWS access to on-premises workloads. |  [IAM Roles Anywhere](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html) (requires PKI, the ability to issue and manage certificates) |   
@@ -80 +80,3 @@ Cloud/Identity administrator |  Grant AWS access to an IoT device. |  [AWS IoT D
-Developer |  Grant AWS access to code on another cloud platform, such as GitHub. |  [AWS Security Token Service API Reference](https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html) |   
+Developer |  Grant AWS access to code in any external-to-AWS cloud environment. |  [AWS Security Token Service API Reference](https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html) |   
+Developer |  Perform service-to-service authentication and authorization in my own application running on AWS. |  [Amazon VPC Lattice](https://docs.aws.amazon.com/vpc-lattice/latest/ug/what-is-vpc-lattice.html) |  [Amazon API Gateway](https://docs.aws.amazon.com/apigateway/latest/developerguide/welcome.html) with [AWS Signature Version 4 authentication](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv.html) [AWS PrivateLink](https://docs.aws.amazon.com/vpc/latest/privatelink/what-is-privatelink.html)  
+Developer |  Perform service-to-service authentication and authorization in my own application running on AWS as well as other cloud environments. |  [Amazon Cognito](https://docs.aws.amazon.com/cognito/latest/developerguide/federation-endpoints-oauth-grants.html) | [Amazon Verified Permissions](https://docs.aws.amazon.com/verifiedpermissions/latest/userguide/what-is-avp.html)  
@@ -130 +132 @@ The following image shows unused access findings in the IAM Access Analyzer cons
-IAM Roles Anywhere extends the capabilities of IAM to workloads running outside AWS. Use it to get temporary security credentials for on-premises, hybrid, and multicloud workloads, and to use the same IAM policies and IAM roles that you use for AWS workloads.
+IAM Roles Anywhere extends the capabilities of IAM to on-premises and hybrid cloud workloads. Use it to get temporary security credentials and to use the same IAM policies and IAM roles that you use for AWS workloads.
@@ -155,0 +158,4 @@ This section suggests additional services you should consider.
+  * [Amazon VPC Lattice](https://aws.amazon.com/vpc/lattice) \- Lets you connect, secure, and monitor services and resources for your application.
+
+  * [Amazon API Gateway](https://aws.amazon.com/api-gateway) \- Lets you create, publish, maintain, monitor, and secure REST, HTTP, and WebSocket APIs.
+
@@ -201,0 +208,2 @@ AWS Security Blog posts with use case specific guidance:
+  * [Approaches for authenticating external applications in a machine-to-machine scenario](https://aws.amazon.com/blogs/security/approaches-for-authenticating-external-applications-in-a-machine-to-machine-scenario/)
+