AWS odb high security documentation change
Summary
Added section about Oracle Database@AWS authentication/authorization in OCI and confused deputy mitigation using AWS STS
Security assessment
Explicitly addresses the confused deputy problem by describing AWS STS integration to authorize cross-service API calls. This is a known security concern in cloud architectures. The documentation of this mitigation pattern constitutes security-related content.
Diff
diff --git a/odb/latest/UserGuide/security-iam.md b/odb/latest/UserGuide/security-iam.md index a52697273..fc0d40117 100644 --- a//odb/latest/UserGuide/security-iam.md +++ b//odb/latest/UserGuide/security-iam.md @@ -5,3 +5 @@ -AudienceAuthenticating with identitiesManaging access using policies - -Oracle Database@AWS is in preview release and is subject to change. +AudienceAuthenticating with identitiesManaging access using policiesOracle Database@AWS authentication and authorization in OCI @@ -26,0 +25,2 @@ AWS Identity and Access Management (IAM) is an AWS service that helps an adminis + * Oracle Database@AWS authentication and authorization in OCI + @@ -145,0 +146,4 @@ When multiple types of policies apply to a request, the resulting permissions ar +## Oracle Database@AWS authentication and authorization in OCI + +When you use AWS APIs to create resources for Oracle Database@AWS, those resources logically reside in your inked Oracle Cloud Infrastructure (OCI) tenancy. To deploy these resources, AWS communicates with OCI APIs on your behalf. To mitigate the confused deputy problem, OCI and Oracle Database@AWS use AWS STS as a trusted entity and forward access sessions to authorize your intent to use OCI APIs in your linked tenancy. Consequently, events are recorded for the `sts:getCallerIdentity` API from OCI IP space in your AWS CloudTrail trails and events history. Expect these events when you use Oracle Database@AWS APIs. +