AWS managedservices documentation change
Summary
Improved IAM role documentation clarity, added warning about modifying AMS access roles, and updated AWS CDK references
Security assessment
While the change adds a security-conscious note about not altering AMS access roles without consultation, there's no evidence of addressing a specific vulnerability. The updates primarily improve documentation clarity rather than resolve security issues.
Diff
diff --git a/managedservices/latest/accelerate-guide/acc-sec-iam.md b/managedservices/latest/accelerate-guide/acc-sec-iam.md index c40a02b22..9ae06767e 100644 --- a//managedservices/latest/accelerate-guide/acc-sec-iam.md +++ b//managedservices/latest/accelerate-guide/acc-sec-iam.md @@ -11 +11 @@ AWS Identity and Access Management is a web service that helps you securely cont -With AMS Accelerate, you're responsible for managing access to your AWS accounts and their underlying resources, such as access management solutions, access policies, and related processes. This means that you manage your user lifecycle, permissions in directory services, and federated authentication system, to access the AWS console or AWS APIs. In order to help you manage your access solution, AMS Accelerate deploys AWS Config rules that detect common IAM misconfigurations, and then deliver remediation notifications. For more information, see [AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_use-managed-rules.html). +In AMS Accelerate, you're responsible for managing access to your AWS accounts and their underlying resources, such as access management solutions, access policies, and related processes. This means that you manage your user lifecycle, permissions in directory services, and federated authentication system, to access the AWS console or AWS APIs. To help you manage your access solution, AMS Accelerate deploys AWS Config rules that detect common IAM misconfigurations, and delivers remediation notifications. For more information, see [AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_use-managed-rules.html). @@ -15 +15 @@ With AMS Accelerate, you're responsible for managing access to your AWS accounts -AMS uses IAM roles, which is a type of IAM identity. An IAM role is very similar to a user, in that it is an identity with permissions policies that determine what the identity can and cannot do in AWS. However, a role doesn't have credentials associated with it and, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. An IAM user can assume a role to temporarily take on different permissions for a specific task. +AMS uses IAM roles, which are a type of IAM identity. An IAM role is similar to a user, in that it is an identity with permissions policies that determine what the identity can and can't do in AWS. However, a role doesn't have credentials associated with it and, instead of being uniquely associated with one person, is assumable by anyone who needs it. An IAM user can assume a role to temporarily take on different permissions for a specific task. @@ -17 +17,5 @@ AMS uses IAM roles, which is a type of IAM identity. An IAM role is very similar -Access roles are controlled by internal group membership, which is administered and periodically reviewed by Operations Management. AMS uses the following IAM roles: +Access roles are controlled by internal group membership, which is administered and periodically reviewed by Operations Management. AMS uses the following IAM roles. + +###### Note + +AMS access roles allow AMS operators to access your resources to provide AMS capabilities (see [Service description](./acc-sd.html)). Altering these roles can inhibit our ability to provide these capabilities. If you need to alter AMS access roles, consult your Cloud Architect. @@ -65 +69 @@ mc-patch-reporting-service | Assumed by AMS patch data aggregator and report gen -This is the template for the ams-access-management role. It is the stack that cloud architects (CAs) manually deploy in your account at onboarding time: [management-role.yaml](https://ams-account-access-templates.s3.amazonaws.com/management-role.yaml). +This is the template for the ams-access-management role. It's the stack that cloud architects (CAs) manually deploy in your account at onboarding: [management-role.yaml](https://ams-account-access-templates.s3.amazonaws.com/management-role.yaml). @@ -67 +71 @@ This is the template for the ams-access-management role. It is the stack that cl -This is the template for the different access roles for the different access levels: ams-access-read-only, ams-access-operations, ams-access-admin-operations, ams-access-admin: [accelerate-roles.yaml](https://ams-account-access-templates.s3.amazonaws.com/accelerate-roles.yaml). +This is the template for the different access roles and access levels: ams-access-read-only, ams-access-operations, ams-access-admin-operations, ams-access-admin: [accelerate-roles.yaml](https://ams-account-access-templates.s3.amazonaws.com/accelerate-roles.yaml). @@ -69 +73 @@ This is the template for the different access roles for the different access lev -To learn more about AWS Cloud Development Kit (CDK) identifiers, including hashes, see [UniqueIDs](https://docs.aws.amazon.com/cdk/latest/guide/identifiers.html#identifiers_unique_ids). +To learn more about AWS Cloud Development Kit (AWS CDK) (AWS CDK) identifiers, including hashes, see [UniqueIDs](https://docs.aws.amazon.com/cdk/latest/guide/identifiers.html#identifiers_unique_ids).