AWS athena documentation change
Summary
Updated terminology from 'customer application' to 'customer managed application' and clarified required access scopes for IAM/Identity Center-enabled workgroups.
Security assessment
The change improves documentation for configuring least-privilege access scopes in a security feature (trusted identity propagation), but there is no evidence of addressing a specific security vulnerability. The scope clarification helps enforce proper permissions.
Diff
diff --git a/athena/latest/ug/using-trusted-identity-propagation-setup.md b/athena/latest/ug/using-trusted-identity-propagation-setup.md index 2e9d39d36..391c94946 100644 --- a//athena/latest/ug/using-trusted-identity-propagation-setup.md +++ b//athena/latest/ug/using-trusted-identity-propagation-setup.md @@ -5 +5 @@ -Setup trusted token issuerSetup IAM rolesConfigure AWS IAM Identity Center customer applicationConfigure workgroup associationRun queries using trusted identity propagation enabled Athena driversUse Athena drivers and trusted identity propagation with DBeaver +Setup trusted token issuerSetup IAM rolesConfigure AWS IAM Identity Center customer managed applicationConfigure workgroup associationRun queries using trusted identity propagation enabled Athena driversUse Athena drivers and trusted identity propagation with DBeaver @@ -154 +154 @@ JSON -## Configure AWS IAM Identity Center customer application +## Configure AWS IAM Identity Center customer managed application @@ -156 +156 @@ JSON -To configure customer application, follow the steps in [Set up customer managed OAuth 2.0 applications for trusted identity propagation](https://docs.aws.amazon.com/singlesignon/latest/userguide/customermanagedapps-trusted-identity-propagation-set-up-your-own-app-OAuth2.html) with the following considerations for Athena. +To configure a customer managed application, follow the steps in [Set up customer managed OAuth 2.0 applications for trusted identity propagation](https://docs.aws.amazon.com/singlesignon/latest/userguide/customermanagedapps-trusted-identity-propagation-set-up-your-own-app-OAuth2.html) with the following considerations for Athena. @@ -168 +168 @@ To configure customer application, follow the steps in [Set up customer managed - * For **Access scopes to apply** , choose __lakeformation:query__. + * For **Access scopes to apply** , select __lakeformation:query__ for IAM-enabled workgroups, or __lakeformation:query__ , __athena:workgroup:read_write__ , and __s3:access_grants:read_write__ for Identity Center-enabled workgroups.