AWS IAM medium security documentation change
Summary
Updated OIDC federation documentation to clarify use cases and replaced resource links. Added explicit guidance about using external IDs for secure cross-account access.
Security assessment
The change adds a link to AWS Security Blog guidance about using external IDs, which is a security best practice to prevent confused deputy attacks in cross-account scenarios. This directly addresses security implications of identity federation.
Diff
diff --git a/IAM/latest/UserGuide/id_roles_providers_oidc.md b/IAM/latest/UserGuide/id_roles_providers_oidc.md index 26676b8c3..a6798e091 100644 --- a//IAM/latest/UserGuide/id_roles_providers_oidc.md +++ b//IAM/latest/UserGuide/id_roles_providers_oidc.md @@ -15 +15 @@ With OIDC federation, you don't need to create custom sign-in code or manage you -For most scenarios, we recommend that you use [Amazon Cognito](https://aws.amazon.com/cognito/) because it acts as an identity broker and does much of the federation work for you. For details, see the following section, [Amazon Cognito for mobile apps](./id_federation_common_scenarios.html#id_roles_providers_oidc_cognito). +OIDC federation supports both machine-to-machine authentication (such as CI/CD pipelines, automated scripts, and serverless applications) and human user authentication. For human user authentication scenarios where you need to manage user sign-up, sign-in, and user profiles, consider using [Amazon Cognito](https://aws.amazon.com/cognito/) as an identity broker. For details about using Amazon Cognito with OIDC, see [Amazon Cognito for mobile apps](./id_federation_common_scenarios.html#id_roles_providers_oidc_cognito). @@ -42,3 +42 @@ The following resources can help you learn more about OIDC federation: - * [ Automating OpenID Connect-Based AWS IAM Web Identity Roles with Microsoft Entra ID](https://aws.amazon.com/blogs/apn/automating-openid-connect-based-aws-iam-web-identity-roles-with-microsoft-entra-id/) on the _AWS Partner Network (APN) blog_ walks through how to authenticate automated background processes or applications running outside of AWS using machine-to-machine OIDC authorization. - - * The article [Web Identity Federation with Mobile Applications](http://aws.amazon.com/articles/4617974389850313) discusses OIDC federation and shows an example of how to use OIDC federation to get access to content in Amazon S3. + * [How to use external ID when granting access to your AWS resources](https://aws.amazon.com/blogs/security/how-to-use-external-id-when-granting-access-to-your-aws-resources/) on the _AWS Security Blog_ provides guidance on securely configuring cross-account access and external identity federation.