AWS controltower documentation change
Summary
Clarified opt-in Region behavior regarding identity replication and IAM data handling
Security assessment
Explains security implications of identity data replication in opt-in Regions but does not address a specific vulnerability.
Diff
diff --git a/controltower/latest/userguide/opt-in-region-considerations.md b/controltower/latest/userguide/opt-in-region-considerations.md index a5d8bf438..8c28d4df8 100644 --- a//controltower/latest/userguide/opt-in-region-considerations.md +++ b//controltower/latest/userguide/opt-in-region-considerations.md @@ -9 +9 @@ Although most AWS Regions are active by default for your AWS account, certain Re -The term _opt-in_ has a historical basis. Any AWS Regions introduced after March 20, 2019 are considered to be opt-in Regions. Opt-in Regions have higher security requirements than commercial Regions, regarding the sharing of IAM data through accounts that are active in opt-in Regions. All of the data managed through the IAM service is considered identity data, including users, groups, roles, policies, identity providers, their associated data (for example, X.509 signing certificates or context-specific credentials), and other account-level settings, such as password policy and the account alias. +The term _opt-in_ has a historical basis. Any AWS Regions introduced after March 20, 2019 are deployed as opt-in Regions. In an opt-in Region, your account is not enabled within that Region—and your identity is not replicated to the Region—unless you choose to opt into use of that Region. All of the data managed through the IAM service is considered identity data, including users, groups, roles, policies, identity providers, their associated data (for example, X.509 signing certificates or context-specific credentials), and other account-level settings, such as password policy and the account alias.