AWS wellarchitected documentation change
Summary
Replaced 'AppStream 2.0' with 'WorkSpaces Applications' in least privilege configuration guidance
Security assessment
The modifications update service names in existing security best practices documentation. While the context involves security (least privilege principles), the changes themselves are nomenclature updates rather than responses to security issues or additions of new security features.
Diff
diff --git a/wellarchitected/latest/end-user-computing-lens/eucsec03-bp01.md b/wellarchitected/latest/end-user-computing-lens/eucsec03-bp01.md index bf696f467..18ee8682a 100644 --- a//wellarchitected/latest/end-user-computing-lens/eucsec03-bp01.md +++ b//wellarchitected/latest/end-user-computing-lens/eucsec03-bp01.md @@ -15 +15 @@ To implement the principle of least privilege when configuring AWS EUC services, - * **Limit the use of administrator permissions:** Users should not be granted local administrator access to Amazon WorkSpaces or AppStream 2.0 instances unless it is required for them to undertake their role. Use tools and products that provide the ability to temporarily provide elevated rights in preference to granting users long term administrative access. + * **Limit the use of administrator permissions:** Users should not be granted local administrator access to Amazon WorkSpaces or WorkSpaces Applications instances unless it is required for them to undertake their role. Use tools and products that provide the ability to temporarily provide elevated rights in preference to granting users long term administrative access. @@ -19 +19 @@ To implement the principle of least privilege when configuring AWS EUC services, - * **Use administrative toolsets and automation to avoid the need to provide administrator permissions:** Administrators providing first-level support for the users consuming the AWS EUC service can use the enhanced administrative toolset that AWS offers in the form of the EUC toolkit. For more detail on the EUC Toolkit, see [Use EUC Toolkit to manage Amazon AppStream 2.0 and Amazon WorkSpaces](https://aws.amazon.com/blogs/desktop-and-application-streaming/euc-toolkit/). + * **Use administrative toolsets and automation to avoid the need to provide administrator permissions:** Administrators providing first-level support for the users consuming the AWS EUC service can use the enhanced administrative toolset that AWS offers in the form of the EUC toolkit. For more detail on the EUC Toolkit, see [Use EUC Toolkit to manage Amazon WorkSpaces Applications and Amazon WorkSpaces](https://aws.amazon.com/blogs/desktop-and-application-streaming/euc-toolkit/). @@ -27 +27 @@ To implement the principle of least privilege when configuring AWS EUC services, - * **Restrict the scope of access for service accounts:** Restrict permissions for service accounts for Amazon WorkSpaces (with Active Directory Connector) and Amazon AppStream 2.0 (with domain-joined fleets) to only allow them to create computer objects within their designated Organizational Unit (OU). For implementing service accounts, see [Amazon AppStream 2.0 Active Directory Administration](https://docs.aws.amazon.com/appstream2/latest/developerguide/active-directory-admin.html#active-directory-permissions) and [AD Connector prerequisites](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/prereq_connector.html#connect_delegate_privileges). + * **Restrict the scope of access for service accounts:** Restrict permissions for service accounts for Amazon WorkSpaces (with Active Directory Connector) and Amazon WorkSpaces Applications (with domain-joined fleets) to only allow them to create computer objects within their designated Organizational Unit (OU). For implementing service accounts, see [Amazon WorkSpaces Applications Active Directory Administration](https://docs.aws.amazon.com/appstream2/latest/developerguide/active-directory-admin.html#active-directory-permissions) and [AD Connector prerequisites](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/prereq_connector.html#connect_delegate_privileges).