AWS singlesignon medium security documentation change
Summary
Minor grammatical changes (contraction replacements) and clarification about privilege escalation prevention in management account context
Security assessment
The change explicitly states that using the signed-in role instead of the service-linked role in the management account prevents privilege escalation. This addresses a security best practice by limiting potential escalation paths.
Diff
diff --git a/singlesignon/latest/userguide/using-service-linked-roles.md b/singlesignon/latest/userguide/using-service-linked-roles.md index d6c54e220..f321460e8 100644 --- a//singlesignon/latest/userguide/using-service-linked-roles.md +++ b//singlesignon/latest/userguide/using-service-linked-roles.md @@ -277 +277 @@ You must configure permissions to allow an IAM entity (such as a user, group, or -You don't need to manually create a service-linked role. Once enabled, IAM Identity Center creates a service-linked role in all accounts within the organization in AWS Organizations. IAM Identity Center also creates the same service-linked role in every account that is subsequently added to your organization. This role allows IAM Identity Center to access each account's resources on your behalf. +You do not need to manually create a service-linked role. Once enabled, IAM Identity Center creates a service-linked role in all accounts within the organization in AWS Organizations. IAM Identity Center also creates the same service-linked role in every account that is subsequently added to your organization. This role allows IAM Identity Center to access each account's resources on your behalf. @@ -281 +281 @@ You don't need to manually create a service-linked role. Once enabled, IAM Ident - * If you're signed in to the AWS Organizations management account, it uses your currently signed-in role and not the service-linked role. This prevents the escalation of privileges. + * If you are signed in to the AWS Organizations management account, it uses your currently signed-in role and not the service-linked role. This prevents the escalation of privileges. @@ -300 +300 @@ IAM Identity Center does not allow you to edit the AWSServiceRoleForSSO service- -You don't need to manually delete the AWSServiceRoleForSSO role. When an AWS account is removed from an AWS organization, IAM Identity Center automatically cleans up the resources and deletes the service-linked role from that AWS account. +You do not need to manually delete the AWSServiceRoleForSSO role. When an AWS account is removed from an AWS organization, IAM Identity Center automatically cleans up the resources and deletes the service-linked role from that AWS account.