AWS quicksuite medium security documentation change
Summary
Modified service control policy example to restrict IAM Identity Center authentication instead of Active Directory credentials
Security assessment
The change updates security controls by explicitly preventing IAM Identity Center authentication in sign-up processes through SCPs. This modifies authentication requirements and could indicate a security hardening measure against unauthorized access vectors. The policy now enforces alternative authentication methods, directly impacting access control security configurations.
Diff
diff --git a/quicksuite/latest/userguide/security-scp-admin.md b/quicksuite/latest/userguide/security-scp-admin.md index c8f1552a4..fa59ddb67 100644 --- a//quicksuite/latest/userguide/security-scp-admin.md +++ b//quicksuite/latest/userguide/security-scp-admin.md @@ -58 +58 @@ Key Name | Key Value | Description -The following example for Quick Suite shows a service control policy that denies signing up for a Amazon Quick Suite Standard Edition and turns off the ability to sign up using Amazon Quick Suite or Active Directory credentials. This policy uses the `quicksight:subscribe` action, in addition to the condition keys previously described. For a list of Amazon Quick Suite-specific keys for use in IAM permission policies, see [Actions, resources, and condition keys for Quick Suite](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonquicksight.html) in the _Service Authorization Reference_. +The following example for Quick Suite shows a service control policy that denies signing up for a Amazon Quick Suite Standard Edition and prevents the ability to sign up using IAM Identity Center authentication. This policy uses the `quicksight:Subscribe` action, in addition to the condition keys previously described. For a list of Amazon Quick Suite-specific keys for use in IAM permission policies, see [Actions, resources, and condition keys for Quick Suite](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonquicksight.html) in the _Service Authorization Reference_. @@ -99 +99 @@ The following example for Quick Suite shows a service control policy that denies -With this policy in effect, individuals in an organization can sign up only for Amazon Quick Suite Enterprise Edition. Additionally, they can sign up only by using the **IAM Identity Center enabled application** option. If they try to sign up for Amazon Quick Suite Standard Edition or use another form of authentication, they are restricted from signing up. They receive a message explaining that they don't have the right permissions to sign up for Amazon Quick Suite. +With this policy in effect, individuals in an organization can sign up only for Amazon Quick Suite Enterprise Edition, and they must use authentication methods other than IAM Identity Center. If they try to sign up for Amazon Quick Suite Standard Edition or attempt to use IAM Identity Center authentication, they will be restricted from signing up and receive a message explaining that they don't have the right permissions.