AWS Security ChangesHomeSearch

AWS solutions documentation change

Service: solutions · 2025-10-16 · Documentation low

File: solutions/latest/clickstream-analytics-on-aws/identity-management.md

Summary

Updated terminology from 'solution' to 'guidance' in user role management documentation

Security assessment

Changes are purely terminological (e.g., 'solution' to 'guidance') in the context of user roles and management workflows. The actual security controls (Cognito integration, role mappings, permissions) remain unchanged. No evidence of security vulnerability fixes or new security features.

Diff

diff --git a/solutions/latest/clickstream-analytics-on-aws/identity-management.md b/solutions/latest/clickstream-analytics-on-aws/identity-management.md
index b69d11329..8e0afeb3c 100644
--- a//solutions/latest/clickstream-analytics-on-aws/identity-management.md
+++ b//solutions/latest/clickstream-analytics-on-aws/identity-management.md
@@ -3 +3 @@
-[Documentation](/index.html)[Clickstream Analytics on AWS](https://aws.amazon.com/solutions/implementations/clickstream-analytics-on-aws)[Implementation Guide](solution-overview.html)
+[Documentation](/index.html)[Guidance for Clickstream Analytics on AWS](https://aws.amazon.com/solutions/guidance/clickstream-analytics-on-aws/)[Implementation Guide](solution-overview.html)
@@ -13 +13 @@ Clickstream Analytics on AWS supports a built-in Cognito user pool or third-part
-If you use built-in Cognito for user management, you can find the [Cognito user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html) starting with `userPoolDC9497E0` in your deployment Region. When you deploy the web console of the solution, a user with the required email address will be created as the first user with administrator permission. For more information about user management, refer to [Managing users in your user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/managing-users.html). You can also follow [Adding user pool sign-in through a third party](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation.html) to add federated third-party providers, such as SAML and OIDC. 
+If you use built-in Cognito for user management, you can find the [Cognito user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html) starting with `userPoolDC9497E0` in your deployment Region. When you deploy the web console of the guidance, a user with the required email address will be created as the first user with administrator permission. For more information about user management, refer to [Managing users in your user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/managing-users.html). You can also follow [Adding user pool sign-in through a third party](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation.html) to add federated third-party providers, such as SAML and OIDC. 
@@ -23 +23 @@ There are four different types of roles that you can assign to users:
-Administrator  |  Have full access to the solution, including identity management   
+Administrator  |  Have full access to the guidance, including identity management   
@@ -45 +45 @@ Analytics Studio - Data Management  |  Read/Write  |  None  |  Read/Write  |  Re
-By default, the authenticated users do not have a role in the solution. You have two options to manage the user roles in the solution: 
+By default, the authenticated users do not have a role in the guidance. You have two options to manage the user roles in the guidance: 
@@ -49 +49 @@ By default, the authenticated users do not have a role in the solution. You have
-Choose **System** \- **Users** in the web console of the solution as Administrator user. Then, add, update, or remove the user roles. This setting has precedence over other settings. 
+Choose **System** \- **Users** in the web console of the guidance as Administrator user. Then, add, update, or remove the user roles. This setting has precedence over other settings. 
@@ -53 +53 @@ Choose **System** \- **Users** in the web console of the solution as Administrat
-Choose **Setting** in **System** \- **Users** in the web console of the solution as Administrator user. Configure the roles of the solution mapping to the groups or roles in your OIDC provider. 
+Choose **Setting** in **System** \- **Users** in the web console of the guidance as Administrator user. Configure the roles of the guidance mapping to the groups or roles in your OIDC provider. 
@@ -55 +55 @@ Choose **Setting** in **System** \- **Users** in the web console of the solution
-By default, the solution supports mapping [ _group information from the Cognito user pool_](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-user-groups.html) to multiple roles in the solution with the following rules: 
+By default, the guidance supports mapping [ _group information from the Cognito user pool_](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-user-groups.html) to multiple roles in the guidance with the following rules: 
@@ -64 +64 @@ ClickstreamAnalystReader  |  Analyst Reader
-For example, you create a group named ClickstreamAnalyst, then add users in the user pool to that group. After those users log in to the solution, the user has an analyst role to access Analyst Studio. 
+For example, you create a group named ClickstreamAnalyst, then add users in the user pool to that group. After those users log in to the guidance, the user has an analyst role to access Analyst Studio. 
@@ -66 +66 @@ For example, you create a group named ClickstreamAnalyst, then add users in the
-The solution supports mapping multiple groups to a single system role, with various group names separated by commas. For example, by modifying the **Operator Role Name** : Group1,Group2, both user groups can be mapped to the **Operator** role of the system. 
+The guidance supports mapping multiple groups to a single system role, with various group names separated by commas. For example, by modifying the **Operator Role Name** : Group1,Group2, both user groups can be mapped to the **Operator** role of the system. 
@@ -70 +70 @@ If you need to support other OIDC providers, modify **User Role Json Path**.
-**Example** : Modify **User Role Json Path** to $.payload.realm_access.roles. It can support the mapping of [Keycloak](./launch-with-openid-connect-oidc.html#step-1.-create-oidc-client) roles to solution roles, where the token format of Keycloak is as follows: 
+**Example** : Modify **User Role Json Path** to $.payload.realm_access.roles. It can support the mapping of Keycloak roles to solution roles, where the token format of Keycloak is as follows: 
@@ -107 +107 @@ Data management
-Upgrade the solution
+Upgrade the guidance