AWS singlesignon documentation change
Summary
Expanded allow list documentation with dual-stack endpoints and combined IPv4/dual-stack entries for web content filtering.
Security assessment
Adds documentation for network security controls (allow lists) but doesn't address a specific vulnerability. Enhances security posture by clarifying endpoint requirements.
Diff
diff --git a/singlesignon/latest/userguide/enable-identity-center-portal-access.md b/singlesignon/latest/userguide/enable-identity-center-portal-access.md index da1096a15..f30e51877 100644 --- a//singlesignon/latest/userguide/enable-identity-center-portal-access.md +++ b//singlesignon/latest/userguide/enable-identity-center-portal-access.md @@ -17 +17,3 @@ If you filter access to specific AWS domains or URL endpoints by using a web con -The following list provides the domains and URL endpoints to add to your web-content filtering solution allowlists. +The following list provides the IPv4 and dual-stack domains and URL endpoints to add to your web-content filtering solution allowlists. + +###### IPv4 allow list @@ -49,0 +52,82 @@ The following list provides the domains and URL endpoints to add to your web-con +###### Dual-stack allow list + + * `ssoins-`[IdC Instance ID]`.portal.`[Region]`.app.aws` + + * `*.aws.dev` + + * `*.awsstatic.com` + + * `*.console.aws.a2z.com` + + * `oidc.`[Region]`.api.aws` + + * `sso.`[Region]`.api.aws` + + * `portal.sso.`[Region]`.api.aws` + + * ``[Region]`.sso.signin.aws` + + * ``[Region]`.signin.aws.amazon.com` + + * `signin.aws.amazon.com` + + * `*.cloudfront.net` + + * `cdn.us-east-1.threat-mitigation.aws.amazon.com` + + * `us-east-1.threat-mitigation.aws.amazon.com` + + * `amcs-captcha-prod-us-east-1.s3.dualstack.us-east-1.amazonaws.com` + + + + +###### Combined allow list (IPv4 + Dual-stack with backward compatibility) + + * ``[Directory ID or alias]`.awsapps.com` + + * `ssoins-`[IdC Instance ID]`.portal.`[Region]`.app.aws` + + * `*.aws.dev` + + * `*.awsstatic.com` + + * `*.console.aws.a2z.com` + + * `oidc.`[Region]`.amazonaws.com` + + * `oidc.`[Region]`.api.aws` + + * `*.sso.amazonaws.com` + + * `*.sso.`[Region]`.amazonaws.com` + + * `sso.`[Region]`.api.aws` + + * `*.sso-portal.`[Region]`.amazonaws.com` + + * `portal.sso.`[Region]`.api.aws` + + * ``[Region]`.prod.pr.panorama.console.api.aws/panoramaroute` + + * ``[Region]`.signin.aws` + + * ``[Region]`.sso.signin.aws` + + * ``[Region]`.signin.aws.amazon.com` + + * `signin.aws.amazon.com` + + * `*.cloudfront.net` + + * `opfcaptcha-prod.s3.amazonaws.com` + + * `cdn.us-east-1.threat-mitigation.aws.amazon.com` + + * `us-east-1.threat-mitigation.aws.amazon.com` + + * `amcs-captcha-prod-us-east-1.s3.dualstack.us-east-1.amazonaws.com` + + + +