AWS prescriptive-guidance documentation change
Summary
Updated documentation for Shared Services account including grammatical fixes, link corrections, formatting improvements, and clarification of IAM Identity Center delegation. Removed redundant content and updated terminology.
Security assessment
Changes are editorial improvements without evidence of addressing specific vulnerabilities. Security-related content (IAM Identity Center delegation, directory services) was refined but not fundamentally changed or expanded. No CVE, vulnerability disclosure, or security incident response is referenced.
Diff
diff --git a/prescriptive-guidance/latest/security-reference-architecture/shared-services.md b/prescriptive-guidance/latest/security-reference-architecture/shared-services.md index 1625d6728..f599a3ecd 100644 --- a//prescriptive-guidance/latest/security-reference-architecture/shared-services.md +++ b//prescriptive-guidance/latest/security-reference-architecture/shared-services.md @@ -3 +3 @@ -[Documentation](/index.html)[AWS Prescriptive Guidance](https://aws.amazon.com/prescriptive-guidance/)[AWS Security Reference Architecture](welcome.html) +[Documentation](/index.html)[AWS Prescriptive Guidance](https://aws.amazon.com/prescriptive-guidance/)[AWS Security Reference Architecture (AWS SRA) – core architecture](introduction.html) @@ -7 +7 @@ AWS Systems ManagerAWS Managed Microsoft ADIAM Identity Center -# Infrastructure OU - Shared Services account +# Infrastructure OU – Shared Services account @@ -14 +14 @@ The following diagram illustrates the AWS security services that are configured - + @@ -22 +22 @@ The Shared Services account is part of the Infrastructure OU, and its purpose is -Systems Manager helps you work to maintain security and compliance by scanning your managed instances and reporting (or taking corrective action) on any policy violations it detects. By pairing Systems Manager with appropriate deployment in individual member AWS accounts (for example, the Application account), you can coordinate instance inventory data collection and centralize automation such as patching and security updates. +Systems Manager helps you work to maintain security and compliance by scanning your managed instances and reporting (or taking corrective action) on any policy violations it detects. By pairing Systems Manager with appropriate deployments in individual member AWS accounts (for example, the Application account), you can coordinate instance inventory data collection and centralize automation such as patching and security updates. @@ -26 +26 @@ Systems Manager helps you work to maintain security and compliance by scanning y -[AWS Directory Service](https://aws.amazon.com/directoryservice/) for Microsoft Active Directory, also known as AWS Managed Microsoft AD, enables your directory-aware workloads and AWS resources to use managed Active Directory on AWS. You can use AWS Managed Microsoft AD to join [Amazon EC2 for Windows Server](https://aws.amazon.com/windows/), [Amazon EC2 for Linux](https://aws.amazon.com/mp/linux/), and [Amazon RDS for SQL Server](https://aws.amazon.com/rds/sqlserver/) instances to your domain, and use [AWS end user computing](https://aws.amazon.com/products/end-user-computing/) (EUC) services, such as [Amazon WorkSpaces](https://aws.amazon.com/workspaces-family/workspaces/), with Active Directory users and groups. +[AWS Directory Service for Microsoft Active Directory](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_microsoft_ad.html), also known as AWS Managed Microsoft AD, enables your directory-aware workloads and AWS resources to use managed Active Directory on AWS. You can use AWS Managed Microsoft AD to join [Amazon EC2 for Windows Server](https://aws.amazon.com/windows/), [Amazon EC2 for Linux](https://aws.amazon.com/mp/linux/), and [Amazon RDS for SQL Server](https://aws.amazon.com/rds/sqlserver/) instances to your domain, and use [AWS end user computing (EUC)](https://aws.amazon.com/products/end-user-computing/) services, such as [Amazon WorkSpaces](https://aws.amazon.com/workspaces/), with Active Directory users and groups. @@ -36 +36 @@ AWS Managed Microsoft AD supports Lightweight Directory Access Protocol (LDAP) o -In the AWS SRA, AWS Directory Service is used within the Shared Services account to provide domain services for Microsoft-aware workloads across multiple AWS member accounts. +In the AWS SRA, Directory Service is used within the Shared Services account to provide domain services for Microsoft-aware workloads across multiple AWS member accounts. @@ -40,4 +40 @@ In the AWS SRA, AWS Directory Service is used within the Shared Services account - * You can grant your on-premises Active Directory users access to sign in to the AWS Management Console and AWS Command Line Interface (AWS CLI) with their existing Active Directory credentials by using IAM Identity Center and selecting AWS Managed Microsoft AD as the identity source. This enables your users to assume one of their assigned roles at sign-in, and to access and take action on the resources according to the permissions defined for the role. An alternative option is to use AWS Managed Microsoft AD to enable your users to assume an [AWS Identity and Access Management](https://aws.amazon.com/iam/) (IAM) role. - - - +You can grant your on-premises Active Directory users access to sign in to the AWS Management Console and AWS Command Line Interface (AWS CLI) with their existing Active Directory credentials by using IAM Identity Center and selecting AWS Managed Microsoft AD as the identity source. This enables your users to assume one of their assigned roles at sign-in, and to access and take action on the resources according to the permissions defined for the role. An alternative option is to use AWS Managed Microsoft AD to enable your users to assume an IAM role. @@ -47 +44 @@ In the AWS SRA, AWS Directory Service is used within the Shared Services account -The AWS SRA uses the delegated administrator feature supported by IAM Identity Center to delegate most of the administration of IAM Identity Center to the Shared Services account. This helps restrict the number of users who require access to the Org Management account. IAM Identity Center still needs to be enabled in the Org Management account to perform certain tasks, including the management of permission sets that are provisioned within the Org Management account. +The AWS SRA uses the delegated administrator feature supported by AWS IAM Identity Center to delegate most of the administration of IAM Identity Center to the Shared Services account. This helps restrict the number of users who require access to the Org Management account. IAM Identity Center still needs to be enabled in the Org Management account to perform certain tasks, including the management of permission sets that are provisioned within the Org Management account. @@ -51 +48 @@ The primary reason for using the Shared Services account as the delegated admini -IAM Identity Center supports the registration of a single member account as a delegated administrator at one time. You can register a member account only when you sign in with credentials from the management account. To enable delegation, you have to consider the prerequisites listed in the [IAM Identity Center documentation](https://docs.aws.amazon.com/singlesignon/latest/userguide/delegated-admin.html#delegated-admin-prereqs). The delegated administrator account can perform most IAM Identity Center management tasks, but with some restrictions, which are listed in the [IAM Identity Center documentation](https://docs.aws.amazon.com/singlesignon/latest/userguide/delegated-admin.html#delegated-admin-tasks-member-account). Access to the IAM Identity Center delegated administrator account should be tightly controlled. +IAM Identity Center supports the registration of a single member account as a delegated administrator at one time. You can register a member account only when you sign in with credentials from the management account. To enable delegation, you have to consider the prerequisites listed in the [IAM Identity Center documentation](https://docs.aws.amazon.com/singlesignon/latest/userguide/delegated-admin.html#delegated-admin-prereqs). The delegated administrator account can perform most IAM Identity Center management tasks, but with some restrictions, which are listed in the [IAM Identity Center documentation](https://docs.aws.amazon.com/singlesignon/latest/userguide/delegated-admin.html#delegated-admin-tasks-member-account). Access to the delegated administrator account for IAM Identity Center should be tightly controlled. @@ -61 +58 @@ IAM Identity Center supports the registration of a single member account as a de - * IAM Identity Center currently doesn't provide [multi-Region support](https://docs.aws.amazon.com/singlesignon/latest/userguide/regions.html#region-data). (To enable IAM Identity Center in a different Region, you must first delete your current IAM Identity Center configuration.) Furthermore, it doesn’t support the use of different identity sources for different set of accounts or let you delegate permissions management to different parts of your organization (that is, multiple delegated administrators) or to different groups of administrators. If you require any of these features, you can use [IAM federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html) to manage your user identities within an identity provider (IdP) outside of AWS and give these external user identities permission to use AWS resources in your account. IAM supports IdPs that are compatible with [OpenID Connect (OIDC)](https://openid.net/developers/how-connect-works/) or SAML 2.0. As a best practice, use SAML 2.0 federation with third-party identity providers such as Active Directory Federation Service (AD FS), Okta, Azure Active Directory (Azure AD), or Ping Identity to provide single sign-on capability for users to log into the AWS Management Console or to call AWS API operations. For more information about IAM federation and identity providers, see [About SAML 2.0-based federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html) in the IAM documentation and the [AWS Identity Federation workshops](https://identity-federation.awssecworkshops.com/). + * IAM Identity Center currently doesn't provide [multi-Region support](https://docs.aws.amazon.com/singlesignon/latest/userguide/regions.html#region-data). (To enable IAM Identity Center in a different Region, you must first delete your current IAM Identity Center configuration.) Furthermore, it doesn't support the use of different identity sources for different set of accounts or let you delegate permissions management to different parts of your organization (that is, multiple delegated administrators) or to different groups of administrators. If you require any of these features, you can use [IAM federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html) to manage your user identities within an identity provider (IdP) outside of AWS and give these external user identities permission to use AWS resources in your account. IAM supports IdPs that are compatible with [OpenID Connect (OIDC)](https://openid.net/connect/) or SAML 2.0. As a best practice, use SAML 2.0 federation with third-party identity providers such as Active Directory Federation Service (AD FS), Okta, Azure Active Directory (Azure AD), or Ping Identity to provide single sign-on capability for users to log into the AWS Management Console or to call AWS API operations. For more information about IAM federation and identity providers, see [About SAML 2.0-based federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html) in the IAM documentation. @@ -72 +69 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please -Infrastructure OU - Network account +Infrastructure OU – Network account @@ -74 +71 @@ Infrastructure OU - Network account -Workloads OU - Application account +Workloads OU – Application account