AWS govcloud-us documentation change
Summary
Added documentation for dual-stack (IPv4/IPv6) endpoint support in IAM Identity Center and expanded allowlist domain requirements for web-content filtering solutions.
Security assessment
The change adds configuration guidance for allowlisting security-related domains (e.g., threat-mitigation, CAPTCHA) to ensure proper service functionality. While this improves security posture, there's no evidence of addressing a specific vulnerability.
Diff
diff --git a/govcloud-us/latest/UserGuide/govcloud-sso.md b/govcloud-us/latest/UserGuide/govcloud-sso.md index eeeab89d0..92608349d 100644 --- a//govcloud-us/latest/UserGuide/govcloud-sso.md +++ b//govcloud-us/latest/UserGuide/govcloud-sso.md @@ -16,0 +17,2 @@ The following list details the differences for using this service in the AWS Gov + * IAM Identity Center supports dual-stack endpoints in AWS GovCloud (US) Regions. You can use either IPv4, IPv6, or dual-stack to access IAM Identity Center services and the AWS access portal. + @@ -22,0 +25,4 @@ You can find this URL on the **Settings** page in the IAM Identity Center consol + * The new AWS access portal URL format for AWS GovCloud (US) follows the pattern `https://{idcInstanceId}.portal.{region}.app.aws`, similar to the commercial region format. + +This new URL format provides a consistent experience across all AWS regions. + @@ -66,0 +73,32 @@ The email address `no-reply@<identitystore_id>.us-gov-home.awsapps.com` is used + * For dual-stack (IPv4 and IPv6) endpoint access, you must also add the following domains to your web-content filtering solution allowlists: + + * `[idcInstanceId].portal.[Region].app.aws` + + * `portal.sso.[Region].api.aws` + + * `oidc.[Region].api.aws` + + * `oidc-fips.[Region].api.aws` + + * `sso.[Region].api.aws` + + * `scim.[Region].api.aws` + + * `identitystore.[Region].api.aws` + + * `identity-sync.[Region].api.aws` + + * `dual-stack.auth-control.[Region].prod.apps-auth.aws.a2z.com` + + * `pvs-controlplane.[Region].api.aws` + + * `[Region].sso.signin.amazonaws-us-gov.com` + + * `[Region].sso.signin-fips.amazonaws-us-gov.com` + + * `cdn.us-east-1.threat-mitigation.aws.amazon.com` + + * `us-east-1.threat-mitigation.aws.amazon.com` + + * `amcs-captcha-prod-us-east-1.s3.dualstack.us-east-1.amazonaws.com` +