AWS singlesignon documentation change
Summary
Rewrote content to focus on Service Control Policies (SCPs) for access denial, including example policy and implementation guidance.
Security assessment
Enhances documentation about using SCPs as a security control mechanism but does not address a specific vulnerability. Provides security best practice guidance for access revocation.
Diff
diff --git a/singlesignon/latest/userguide/authconcept-revoke-access.md b/singlesignon/latest/userguide/authconcept-revoke-access.md index 784b350e2..0cba7cfbb 100644 --- a//singlesignon/latest/userguide/authconcept-revoke-access.md +++ b//singlesignon/latest/userguide/authconcept-revoke-access.md @@ -5 +5 @@ -# Revoke access for deleted users +# Deny user access with Service Control Policies @@ -7 +7 @@ -To immediately revoke access to make authorized API calls when an IAM Identity Center user is either disabled or deleted, you can: +To immediately deny access to make authorized API calls when an IAM Identity Center user's access is disabled or the user is deleted, you can: @@ -9 +9 @@ To immediately revoke access to make authorized API calls when an IAM Identity C - 1. Add or update the inline policy of the permission set(s) assigned to the user by adding an explicit `Deny` effect for all actions on all resources. + 1. [Add or update](./howtoviewandchangepermissionset.html) the [inline policy](./permissionsetcustom.html#permissionsetsinlineconcept) of the permission set(s) assigned to the user by adding an explicit `Deny` effect for all actions on all resources. @@ -16 +16 @@ To immediately revoke access to make authorized API calls when an IAM Identity C -Alternatively, you can use a [Service Control Policy](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) to revoke the user's access across all member accounts in your organization. +Alternatively, you can use a [Service Control Policy](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) to deny the user's access across all member accounts in your organization. @@ -18 +18,3 @@ Alternatively, you can use a [Service Control Policy](https://docs.aws.amazon.co -###### Example SCPs to revoke access +###### Example SCP to deny access + +This denial policy blocks all AWS actions for a specific user, regardless of other permissions they might have been granted elsewhere. This policy overrides any `Allow` policies. @@ -74 +76 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please -Authentication in IAM Identity Center +Disable user access @@ -76 +78 @@ Authentication in IAM Identity Center -Connect workforce users +Managing access for users in the Identity Center directory