AWS location high security documentation change
Summary
Removed mobile app restriction options for API keys and updated terminology from 'Client restrictions' to 'Referrers'. Removed section about restricting API keys by Android/Apple application identifiers.
Security assessment
The removal of mobile app restriction capabilities (Android/Apple app identifiers) reduces security controls for API keys, potentially allowing broader access than intended. This change eliminates documentation about validating application signatures and bundle IDs, which were security measures to prevent unauthorized API key usage.
Diff
diff --git a/location/latest/developerguide/using-apikeys.md b/location/latest/developerguide/using-apikeys.md index bf7d08c4c..80406f455 100644 --- a//location/latest/developerguide/using-apikeys.md +++ b//location/latest/developerguide/using-apikeys.md @@ -5 +5 @@ -Create an API keyCall an APIRestrict API key usageBest practices +Create an API keyCall an APIBest practices @@ -61 +61 @@ Amazon Location console - * **Client restrictions** – Optionally, add one or more web domains or one or more Android or Apple apps where you can use the API key. For example, if the API key is to allow an application running on the website `example.com`, then you could put `*.example.com/` as an allowed referrer. + * **Referrers** – Optionally, add one or more domains where you can use the API key. For example, if the API key is to allow an application running on the website `example.com`, then you could put `*.example.com/` as an allowed referrer. @@ -75 +75 @@ AWS CLI - 1. Use the [create-key](https://docs.aws.amazon.com/cli/latest/reference/location/create-key.html) command. The following example creates an API key called `ExampleKey` with no expiration date and access to a single map resource. + 1. Use the [create-key](https://docs.aws.amazon.com//cli/latest/reference/location/create-key.html) command. The following example creates an API key called `ExampleKey` with no expiration date and access to a single map resource. @@ -103 +103 @@ Amazon Location API -Use the [CreateKey](https://docs.aws.amazon.com/location/latest/APIReference/API_CreateKey.html) operation from the Amazon Location APIs. The following example is an API request to create an API key called `ExampleKey` with no expiration date and access to a single map resource. +Use the [CreateKey](https://docs.aws.amazon.com//location/latest/APIReference/API_CreateKey.html) operation from the Amazon Location APIs. The following example is an API request to create an API key called `ExampleKey` with no expiration date and access to a single map resource. @@ -123 +122,0 @@ Use the [CreateKey](https://docs.aws.amazon.com/location/latest/APIReference/API - } @@ -127 +126 @@ The response includes the API key value to use when accessing resources in your -You can also use the [DescribeKey](https://docs.aws.amazon.com/location/latest/APIReference/API_DescribeKey.html) API to find the key value for a key at a later time. +You can also use the [DescribeKey](https://docs.aws.amazon.com//location/latest/APIReference/API_DescribeKey.html) API to find the key value for a key at a later time. @@ -307,40 +305,0 @@ Use the following code: -## Restrict API key usage by request origin - -You can configure API keys with client restrictions that limit access to specific domains or mobile applications. When restricting by domain, requests will be authorized only if the HTTP Referer header matches the value that you provide. When restricting by Android or Apple application, requests will be authorized only if the application identifier HTTP header fields match the values that you provide. - -For more information, see [ApiKeyRestrictions](https://docs.aws.amazon.com/location/latest/APIReference/API_geotags_ApiKeyRestrictions.html) in the _Amazon Location Service API Reference_. - -**Android application identifiers:** - - * `X-Android-Package`: - -A unique identifier for Android applications, defined in the app's `build.gradle` file, typically following a reverse-domain format. - -Example: - -`com.mydomain.appname` - - * `X-Android-Cert`: - -The SHA-1 hash of the signing certificate used to sign the Android APK. - -Example: - -`BB:0D:AC:74:D3:21:E1:43:67:71:9B:62:91:AF:A1:66:6E:44:5D:75` - - - - -**Apple application identifiers:** - - * `X-Apple-Bundle-Id `: - -A unique identifier for Apple (iOS, macOS, etc.) applications, defined in the app's `Info.plist`, typically following a reverse-domain format. - -Example: - -`com.mydomain.appname` - - - - @@ -353 +312 @@ API keys include a plain text _value_ that gives access to one or more resources -To avoid the situation above, it is best to limit your API key. When you create the key, you can specify the domain, Android app or Apple app where the key can be used. +To avoid the situation above, it is best to limit your API key. When you create the key, you can specify the domain or referrer where the key can be used.