AWS singlesignon documentation change
Summary
Added 'customer managed applications' to use cases requiring KMS key permissions and expanded permissions guidance to explicitly include customer managed applications
Security assessment
The changes emphasize proper KMS key permission configuration for customer-managed applications interacting with IAM Identity Center APIs. While this improves security documentation by clarifying requirements for encryption key management, there's no indication of addressing a specific vulnerability or incident.
Diff
diff --git a/singlesignon/latest/userguide/identity-center-customer-managed-keys.md b/singlesignon/latest/userguide/identity-center-customer-managed-keys.md index aa48474d9..da8fa2304 100644 --- a//singlesignon/latest/userguide/identity-center-customer-managed-keys.md +++ b//singlesignon/latest/userguide/identity-center-customer-managed-keys.md @@ -70 +70 @@ SSO to Amazon EC2 Windows instances with AWS IAM Identity Center | -Any other use case that makes calls to IAM Identity Center API or Identity Store API, such as permission set provisioning workflows, or AWS Lambda functions | +Any other use case that makes calls to IAM Identity Center API or Identity Store API, such as customer managed applications, permission set provisioning workflows, or AWS Lambda functions | @@ -179 +179 @@ Before proceeding with this step: - * Configure the necessary permissions for use of the KMS key. Without proper permissions, this step may fail or disrupt IAM Identity Center administration and AWS managed applications. For more information, see Step 1: Identify use cases for your organization. + * Configure the necessary permissions for use of the KMS key. Without proper permissions, this step may fail or disrupt IAM Identity Center administration, the use of AWS managed applications, and other use cases that require KMS key permissions. For more information, see Step 1: Identify use cases for your organization. @@ -181 +181 @@ Before proceeding with this step: - * Ensure that permissions for AWS managed applications also allow the use of the KMS key via IAM Identity Center and Identity Store APIs. Some AWS managed applications require you to configure permissions, such as a service role, for the use of these APIs. Refer to the User Guide of each deployed AWS managed application to confirm if you need to add specific KMS key permissions. + * Ensure that permissions for AWS managed applications and customer managed applications that call IAM Identity Center's APIs with IAM roles also allow the use of the KMS key via IAM Identity Center's APIs. Some AWS managed applications require you to configure permissions, such as a service role, for the use of these APIs. Refer to the User Guide of each deployed AWS managed application to confirm whether you need to add specific KMS key permissions.