AWS singlesignon documentation change
Summary
Added guidance for configuring regional endpoints to improve federation resiliency during regional failures, and clarified trust policy configuration requirements.
Security assessment
This change adds documentation about improving availability and resiliency of emergency access systems, which is a security feature. It provides recommendations for configuring multiple regional endpoints to handle regional failure scenarios, enhancing the reliability of emergency access mechanisms. While this improves security posture through better availability, there's no evidence it addresses a specific security vulnerability.
Diff
diff --git a/singlesignon/latest/userguide/emergency-access-one-time-setup-direct-IAM-federation-application-in-idp.md b/singlesignon/latest/userguide/emergency-access-one-time-setup-direct-IAM-federation-application-in-idp.md index e33113f3b..55d506de0 100644 --- a//singlesignon/latest/userguide/emergency-access-one-time-setup-direct-IAM-federation-application-in-idp.md +++ b//singlesignon/latest/userguide/emergency-access-one-time-setup-direct-IAM-federation-application-in-idp.md @@ -13 +13 @@ - 4. Set up direct IAM federation with AWS by following the steps in [ How to Configure SAML 2.0 for AWS Account Federation](https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Amazon-Web-Service.html). + 4. Set up direct IAM federation with AWS by following the steps in [ How to Configure SAML 2.0 for AWS Account Federation](https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Amazon-Web-Service.html). To handle regional failure scenarios, when you configure the sign-in endpoint, we recommend that you enable both the non-regional endpoint and multiple regional endpoints for all Regions you operate in to improve federation resiliency. When configuring the ACS URL for this emergency access, we recommend that you use the regional endpoint of a different Region than the one that your IAM Identity Center is deployed in. Refer to [Sign-in endpoints](https://docs.aws.amazon.com/general/latest/gr/signin-service.html) in the _AWS General Reference_ for the list of regional endpoints. @@ -23 +23 @@ In the figure above, the `role` variable is for the emergency operations role in - 7. In the emergency access account, [configure a custom trust policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html) that provides the permissions required for the emergency access role to be assumed during a disruption. Following is an example statement for a custom **trust policy** that is attached to the `EmergencyAccess_Role1_RO` role. For an illustration, see the emergency account in the diagram under [How to design e mergency role, account, and group mapping ](./emergency-access-mapping-design.html). + 7. In the emergency access account, [configure a custom trust policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html) that provides the permissions required for the emergency access role to be assumed during a disruption. Following is an example statement for a custom **trust policy** that is attached to the `EmergencyAccess_Role1_RO` role. For an illustration, see the emergency account in the diagram under [How to design emergency role, account, and group mapping ](./emergency-access-mapping-design.html). Replace the sample SAML provider ARN with the correct one you have created in the emergency access account. Replace the regional endpoints in the example with those regions of your choice. @@ -127 +127 @@ Return to normal operations -Security +One-time setup of a direct IAM federation application with ADFS