AWS quick documentation change
Summary
Clarified namespace isolation mechanics and added details about administrative console's IAM-based permission model
Security assessment
The change documents how administrative console access relies solely on IAM permissions rather than namespace isolation, clarifying security boundaries. However, there is no evidence of addressing a specific security vulnerability.
Diff
diff --git a/quick/latest/userguide/namespaces.md b/quick/latest/userguide/namespaces.md index 5c52ec640..e8fcb2d32 100644 --- a//quick/latest/userguide/namespaces.md +++ b//quick/latest/userguide/namespaces.md @@ -11 +11 @@ Amazon Quick Enterprise edition supports multitenancy through namespaces. An Ama - * You can allow the users of your Amazon Quick subscription to discover shared content and share with other users. At the same time, you can be sure that users in one namespace can't see or interact with users in another namespace. + * Your Amazon Quick subscription allows users to discover shared content and share with other users. At the same time, in the Amazon Quick end-user console experience, users in one namespace can't see or interact with users in another namespace. The Amazon Quick administrative console uses a different permission model. For more information, see the following important note. @@ -23,0 +24,8 @@ Amazon Quick Enterprise edition supports multitenancy through namespaces. An Ama +###### Namespace isolation and the administrative console + +Amazon Quick uses two different permission models depending on the console experience. In the Amazon Quick end-user console, namespace-level isolation is enforced. Each user's Amazon Quick role determines the actions that they can perform, and their namespace determines which users and groups they can interact with. + +In the Amazon Quick administrative console, only AWS Identity and Access Management (IAM) permissions are enforced. Users operate outside of the namespace context, and the user's IAM policies determine access, not their namespace membership. + +Users can operate under both permission models. When they use the end-user console, their Amazon Quick role and namespace determine their access. When they use the administrative console, their IAM permissions determine their access. For example, an IAM administrator with the appropriate permissions can view and manage users and groups across namespaces from the administrative console. +