AWS amazon-mq documentation change
Summary
Added section on IAM authentication using JWT tokens via STS
Security assessment
Documents a new authentication/authorization method using IAM credentials and OAuth 2.0 tokens, which is a security feature enhancement but not a response to a specific vulnerability.
Diff
diff --git a/amazon-mq/latest/developer-guide/amazon-mq-access.md b/amazon-mq/latest/developer-guide/amazon-mq-access.md index e3866cc8e..83528c1e7 100644 --- a//amazon-mq/latest/developer-guide/amazon-mq-access.md +++ b//amazon-mq/latest/developer-guide/amazon-mq-access.md @@ -22,0 +23,4 @@ In this method, broker users and their permissions are managed by an external OA +### IAM authentication and authorization + +In this method, broker users authenticate using AWS IAM credentials through [IAM outbound federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html). IAM credentials are used to obtain JWT tokens from AWS Security Token Service (STS), and these JWT tokens serve as OAuth 2.0 tokens for authentication. This method leverages the existing OAuth 2.0 support in Amazon MQ for RabbitMQ, where AWS acts as the OAuth 2.0 identity provider. User authentication is handled by AWS IAM, while resource permissions for vhosts, exchanges, queues, and topics are managed through IAM policies and scope aliases configured in RabbitMQ. For more information, see [IAM authentication and authorization](./iam-for-amq-for-rabbitmq.html). +