AWS singlesignon documentation change
Summary
Grammar improvements in permission set documentation (e.g. 'that's' → 'that is') and clarification of role creation recommendations
Security assessment
Changes focus on language clarity rather than security content. The recommendation to include backup IAM roles was pre-existing security best practice guidance, not new security documentation.
Diff
diff --git a/singlesignon/latest/userguide/referencingpermissionsets.md b/singlesignon/latest/userguide/referencingpermissionsets.md index aaab28b72..e7665dd8a 100644 --- a//singlesignon/latest/userguide/referencingpermissionsets.md +++ b//singlesignon/latest/userguide/referencingpermissionsets.md @@ -62 +62 @@ For example, if you create an `EKSAccess` permission set and reference the corre -If you reference role ARNs for permission sets in an `aws-auth ConfigMap` for Amazon EKS cluster or in key policies for AWS KMS keys, we recommend that you also include at least one role that you create in IAM. The role must allow you to access the Amazon EKS cluster or manage the AWS KMS key policy. The permission set must be able to assume this role. That way, if the role ARN for a permission set changes, you can update the reference to the ARN in the `aws-auth ConfigMap` or AWS KMS key policy. The next section provides an example of how you can create a trust policy for a role that's created in IAM. The role can be assumed only by an `AdministratorAccess` permission set. +If you reference role ARNs for permission sets in an `aws-auth ConfigMap` for Amazon EKS cluster or in key policies for AWS KMS keys, we recommend that you also include at least one role that you create in IAM. The role must allow you to access the Amazon EKS cluster or manage the AWS KMS key policy. The permission set must be able to assume this role. That way, if the role ARN for a permission set changes, you can update the reference to the ARN in the `aws-auth ConfigMap` or AWS KMS key policy. The next section provides an example of how you can create a trust policy for a role that is created in IAM. The role can be assumed only by an `AdministratorAccess` permission set. @@ -69 +69 @@ If you reference role ARNs for permission sets in an `aws-auth ConfigMap` for Am -Following is an example of a custom trust policy that provides an `AdministratorAccess` permission set with access to a role that's created in IAM. The key elements of this policy include: +Following is an example of a custom trust policy that provides an `AdministratorAccess` permission set with access to a role that is created in IAM. The key elements of this policy include: @@ -71 +71 @@ Following is an example of a custom trust policy that provides an `Administrator - * The Principal element of this trust policy specifies an AWS account principal. In this policy, principals in the AWS account `111122223333` with `sts:AssumeRole` permissions can assume the role that's created in IAM. + * The Principal element of this trust policy specifies an AWS account principal. In this policy, principals in the AWS account `111122223333` with `sts:AssumeRole` permissions can assume the role that is created in IAM.