AWS decision-guides documentation change
Summary
Updated guidance for IAM Roles Anywhere scope (removed multi-cloud references), expanded developer authentication options (added VPC Lattice, API Gateway with SigV4, Cognito, Verified Permissions), and added new security-related service recommendations and blog post reference.
Security assessment
The changes add documentation for security features like service-to-service authentication (VPC Lattice, API Gateway SigV4), cross-cloud authorization (Cognito, Verified Permissions), and link to a security blog post about machine-to-machine authentication. While these updates enhance security guidance, there is no evidence of addressing a specific vulnerability or incident.
Diff
diff --git a/decision-guides/latest/identity-on-aws-how-to-choose/identity-on-aws-how-to-choose.md b/decision-guides/latest/identity-on-aws-how-to-choose/identity-on-aws-how-to-choose.md index 0325749f3..12e623ffa 100644 --- a//decision-guides/latest/identity-on-aws-how-to-choose/identity-on-aws-how-to-choose.md +++ b//decision-guides/latest/identity-on-aws-how-to-choose/identity-on-aws-how-to-choose.md @@ -78 +78 @@ Cloud/Identity administrator | Remove unused permissions and drive towards leas -Cloud/Identity administrator | Grant AWS access to on-premises or multi-cloud workloads. | [IAM Roles Anywhere](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html) (requires PKI, the ability to issue and manage certificates) | +Cloud/Identity administrator | Grant AWS access to on-premises workloads. | [IAM Roles Anywhere](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html) (requires PKI, the ability to issue and manage certificates) | @@ -80 +80,3 @@ Cloud/Identity administrator | Grant AWS access to an IoT device. | [AWS IoT D -Developer | Grant AWS access to code on another cloud platform, such as GitHub. | [AWS Security Token Service API Reference](https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html) | +Developer | Grant AWS access to code in any external-to-AWS cloud environment. | [AWS Security Token Service API Reference](https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html) | +Developer | Perform service-to-service authentication and authorization in my own application running on AWS. | [Amazon VPC Lattice](https://docs.aws.amazon.com/vpc-lattice/latest/ug/what-is-vpc-lattice.html) | [Amazon API Gateway](https://docs.aws.amazon.com/apigateway/latest/developerguide/welcome.html) with [AWS Signature Version 4 authentication](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv.html) [AWS PrivateLink](https://docs.aws.amazon.com/vpc/latest/privatelink/what-is-privatelink.html) +Developer | Perform service-to-service authentication and authorization in my own application running on AWS as well as other cloud environments. | [Amazon Cognito](https://docs.aws.amazon.com/cognito/latest/developerguide/federation-endpoints-oauth-grants.html) | [Amazon Verified Permissions](https://docs.aws.amazon.com/verifiedpermissions/latest/userguide/what-is-avp.html) @@ -130 +132 @@ The following image shows unused access findings in the IAM Access Analyzer cons -IAM Roles Anywhere extends the capabilities of IAM to workloads running outside AWS. Use it to get temporary security credentials for on-premises, hybrid, and multicloud workloads, and to use the same IAM policies and IAM roles that you use for AWS workloads. +IAM Roles Anywhere extends the capabilities of IAM to on-premises and hybrid cloud workloads. Use it to get temporary security credentials and to use the same IAM policies and IAM roles that you use for AWS workloads. @@ -155,0 +158,4 @@ This section suggests additional services you should consider. + * [Amazon VPC Lattice](https://aws.amazon.com/vpc/lattice) \- Lets you connect, secure, and monitor services and resources for your application. + + * [Amazon API Gateway](https://aws.amazon.com/api-gateway) \- Lets you create, publish, maintain, monitor, and secure REST, HTTP, and WebSocket APIs. + @@ -201,0 +208,2 @@ AWS Security Blog posts with use case specific guidance: + * [Approaches for authenticating external applications in a machine-to-machine scenario](https://aws.amazon.com/blogs/security/approaches-for-authenticating-external-applications-in-a-machine-to-machine-scenario/) +