AWS iot documentation change
Summary
Updated IAM policy documentation links and added temporary credential recommendations
Security assessment
Added explicit recommendations to use temporary credentials instead of long-term credentials, which improves security posture but does not address a specific vulnerability. The URL changes (adding slashes) are non-security related formatting fixes. The security documentation addition promotes best practices without referencing a specific incident.
Diff
diff --git a/iot/latest/developerguide/device-advisor-setting-up.md b/iot/latest/developerguide/device-advisor-setting-up.md index 834b7ca45..3423ee756 100644 --- a//iot/latest/developerguide/device-advisor-setting-up.md +++ b//iot/latest/developerguide/device-advisor-setting-up.md @@ -105 +105 @@ The _topic name_ is the MQTT topic that your device subscribes to. - 12. Enter the following trust policy into the **Custom trust policy** box. To protect against the confused deputy problem, add the global condition context keys `[aws:SourceArn](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn)` and `[aws:SourceAccount](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceaccount)` to the policy. + 12. Enter the following trust policy into the **Custom trust policy** box. To protect against the confused deputy problem, add the global condition context keys `[aws:SourceArn](https://docs.aws.amazon.com//IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn)` and `[aws:SourceAccount](https://docs.aws.amazon.com//IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceaccount)` to the policy. @@ -190,0 +191,3 @@ Which user needs programmatic access? | To | By +IAM | (Recommended) Use console credentials as temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. | Following the instructions for the interface that you want to use. + * For the AWS CLI, see [Login for AWS local development](https://docs.aws.amazon.com//cli/latest/userguide/cli-configure-sign-in.html) in the _AWS Command Line Interface User Guide_. + * For AWS SDKs, see [Login for AWS local development](https://docs.aws.amazon.com//sdkref/latest/guide/access-login.html) in the _AWS SDKs and Tools Reference Guide_. @@ -192,2 +195,2 @@ Workforce identity (Users managed in IAM Identity Center) | Use temporary creden - * For the AWS CLI, see [Configuring the AWS CLI to use AWS IAM Identity Center](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html) in the _AWS Command Line Interface User Guide_. - * For AWS SDKs, tools, and AWS APIs, see [IAM Identity Center authentication](https://docs.aws.amazon.com/sdkref/latest/guide/access-sso.html) in the _AWS SDKs and Tools Reference Guide_. + * For the AWS CLI, see [Configuring the AWS CLI to use AWS IAM Identity Center](https://docs.aws.amazon.com//cli/latest/userguide/cli-configure-sso.html) in the _AWS Command Line Interface User Guide_. + * For AWS SDKs, tools, and AWS APIs, see [IAM Identity Center authentication](https://docs.aws.amazon.com//sdkref/latest/guide/access-sso.html) in the _AWS SDKs and Tools Reference Guide_. @@ -196,3 +199,3 @@ IAM | (Not recommended)Use long-term credentials to sign programmatic requests t - * For the AWS CLI, see [Authenticating using IAM user credentials](https://docs.aws.amazon.com/cli/latest/userguide/cli-authentication-user.html) in the _AWS Command Line Interface User Guide_. - * For AWS SDKs and tools, see [Authenticate using long-term credentials](https://docs.aws.amazon.com/sdkref/latest/guide/access-iam-users.html) in the _AWS SDKs and Tools Reference Guide_. - * For AWS APIs, see [Managing access keys for IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) in the _IAM User Guide_. + * For the AWS CLI, see [Authenticating using IAM user credentials](https://docs.aws.amazon.com//cli/latest/userguide/cli-authentication-user.html) in the _AWS Command Line Interface User Guide_. + * For AWS SDKs and tools, see [Authenticate using long-term credentials](https://docs.aws.amazon.com//sdkref/latest/guide/access-iam-users.html) in the _AWS SDKs and Tools Reference Guide_. + * For AWS APIs, see [Managing access keys for IAM users](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_credentials_access-keys.html) in the _IAM User Guide_. @@ -206 +209 @@ IAM | (Not recommended)Use long-term credentials to sign programmatic requests t -Create a permission set. Follow the instructions in [Create a permission set](https://docs.aws.amazon.com/singlesignon/latest/userguide/howtocreatepermissionset.html) in the _AWS IAM Identity Center User Guide_. +Create a permission set. Follow the instructions in [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/howtocreatepermissionset.html) in the _AWS IAM Identity Center User Guide_. @@ -210 +213 @@ Create a permission set. Follow the instructions in [Create a permission set](ht -Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp.html) in the _IAM User Guide_. +Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-idp.html) in the _IAM User Guide_. @@ -214 +217 @@ Create a role for identity federation. Follow the instructions in [Create a role - * Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) in the _IAM User Guide_. + * Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-user.html) in the _IAM User Guide_. @@ -216 +219 @@ Create a role for identity federation. Follow the instructions in [Create a role - * (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the _IAM User Guide_. + * (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the _IAM User Guide_.