AWS amazonq medium security documentation change
Summary
Added detailed instructions for including tenantId in IAM role tags, provided code examples for decoding idToken, and updated AssumeRole API call parameters with tenantId context
Security assessment
The change introduces mandatory tenantId tagging for IAM roles and explicit context propagation in AssumeRole calls. This enforces tenant isolation and prevents privilege escalation in multi-tenant scenarios by binding roles to specific external identities. The ExternalId tag usage helps prevent confused deputy problems.
Diff
diff --git a/amazonq/latest/qbusiness-ug/isv-retrieving-data.md b/amazonq/latest/qbusiness-ug/isv-retrieving-data.md index e49b56bc1..b3538013a 100644 --- a//amazonq/latest/qbusiness-ug/isv-retrieving-data.md +++ b//amazonq/latest/qbusiness-ug/isv-retrieving-data.md @@ -25 +25 @@ The ISV doesn't need to change their existing login flow. - 4. `idc_application_arn` — This is the Amazon Q Business application ID that's provided by the customer to the ISV. + 4. `idc_application_arn` — This is the Amazon Q Business DataAccessor IAM Identity Center application ID that's provided by the customer to the ISV. @@ -31 +31,6 @@ The ISV doesn't need to change their existing login flow. - 5. The ISV application calls the `CreateTokenWithIAM` API operation to get a token with an authorization code. The ISV needs to use the AWS Identity and Access Management (IAM) role that they created during the onboarding process. + 5. The ISV application calls the `CreateTokenWithIAM` API operation to get a token with an authorization code. The ISV needs to use the AWS Identity and Access Management (IAM) role that they created during the onboarding process with `tenantId` information in the tags like the following: + + aws sts assume-role \ + --role-arn ${your_iam_role} \ + --role-session-name test-session \ + --tags Key=qbusiness-dataaccessor:ExternalId,Value=${isv tenantId} @@ -39 +44,9 @@ The ISV doesn't need to change their existing login flow. - 6. Get the idToken field from the response of `CreateTokenWithIAM`. Then, decode the idToken and extract `"sts:identity_context"` field from it. + 6. Get the `idToken` field from the response of `CreateTokenWithIAM`. Then, decode the `idToken` and extract `"sts:identity_context"` field from it. + +Using command line: + + export ID_TOKEN_I = "${response_json_of_create-token-with-iam}" + export ID_CONTEXT=`jq -R 'split(".") | .[1] | @base64d | fromjson' <<< "$ID_TOKEN_I" | jq -r '."sts:identity_context"'` + echo "ID_CONTEXT=$ID_CONTEXT\n" + +Using Python: @@ -50 +63 @@ The ISV doesn't need to change their existing login flow. - 7. Call the [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) API with the extracted `sts:identity_context`. + 7. Call the [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) API with the extracted `sts:identity_context` and the ISV `tenantId` information. @@ -55 +68,2 @@ The ISV doesn't need to change their existing login flow. - --provided-contexts '[{"ProviderArn": "arn:aws:iam::aws:contextProvider/IdentityCenter", "ContextAssertion": "${value from sts:identity_context}"}]' + --provided-contexts '[{"ProviderArn": "arn:aws:iam::aws:contextProvider/IdentityCenter", "ContextAssertion": "${value from sts:identity_context}"}]' \ + --tags Key=qbusiness-dataaccessor:ExternalId,Value=${isv tenantId}