AWS transfer documentation change
Summary
Added new 'IP addressing' section explaining dual-stack endpoint support for Transfer Family web apps and IAM Identity Center, with guidance on firewall configuration and endpoint identification
Security assessment
This change adds security-related documentation about network connectivity and firewall configuration for IPv4/IPv6 dual-stack endpoints. It provides operational security guidance for organizations using firewalls or network gateways, but doesn't indicate any specific security vulnerability being fixed. The change is proactive security documentation about endpoint management.
Diff
diff --git a/transfer/latest/userguide/webapp-configure.md b/transfer/latest/userguide/webapp-configure.md index 55b21e3ae..fe883fbc0 100644 --- a//transfer/latest/userguide/webapp-configure.md +++ b//transfer/latest/userguide/webapp-configure.md @@ -5 +5 @@ -Create a Transfer Family web app +Create a Transfer Family web appIP addressing @@ -65,0 +66,19 @@ Make sure to set up a Cross-origin resource sharing (CORS) policy for all of the +## IP addressing + +Transfer Family web apps use dual-stack endpoints, supporting both IPv4 and IPv6 connectivity. For authentication, web apps use AWS IAM Identity Center, which also supports IPv6 through dual-stack endpoints. + +If your account had web apps in a Region when dual-stack IAM Identity Center endpoint support launched, all web apps in that account and Region continue to use the IPv4-only IAM Identity Center endpoint for backwards compatibility. This applies to both existing and newly created web apps. Accounts that did not have web apps at the time of launch use the IAM Identity Center dual-stack endpoint. If you need to change which IAM Identity Center endpoint your web app uses, contact AWS Support. + +###### Note + +To determine which endpoint your web app uses, inspect the URL when you are redirected to the IAM Identity Center sign-in page: + + * IPv4-only: `[Region].signin.aws.amazon.com` + + * Dual-stack: `[Region].sso.signin.aws` + + + + +If your organization uses firewalls or network gateways, allowlist both the existing IPv4 and the new dual-stack IAM Identity Center endpoints to ensure uninterrupted access regardless of which endpoint your web apps use. For the full list of domains and URL endpoints to allowlist, see [Update firewalls and gateways to allow access to the AWS access portal](https://docs.aws.amazon.com/singlesignon/latest/userguide/enable-identity-center-portal-access.html) in the _IAM Identity Center User Guide_. +