AWS Security ChangesHomeSearch

AWS quick documentation change

Service: quick · 2026-05-01 · Documentation low

File: quick/latest/userguide/quick-action-auth.md

Summary

Updated authentication documentation to rename and reorganize authentication methods: changed from 'Managed authentication (3LO)/Custom user-based authentication/API key authentication/Service-to-service authentication' to 'Default OAuth app/Custom OAuth app/Service-to-Service OAuth/API key authentication'. Added detailed setup processes and clarified that authentication methods depend on specific connectors.

Security assessment

This change reorganizes and clarifies authentication methods for Amazon Quick action connectors. It adds security documentation by providing more detailed setup processes for OAuth methods and clarifying credential requirements. However, there is no concrete evidence of addressing a specific security vulnerability or incident - this appears to be a documentation restructuring and clarification update. The changes improve security awareness by better explaining authentication options and their use cases.

Diff

diff --git a/quick/latest/userguide/quick-action-auth.md b/quick/latest/userguide/quick-action-auth.md
index 24b41be88..fe2871f8e 100644
--- a//quick/latest/userguide/quick-action-auth.md
+++ b//quick/latest/userguide/quick-action-auth.md
@@ -7 +7 @@
-Managed authentication (3LO)Custom user-based authenticationAPI key authenticationService-to-service authentication
+Default OAuth appCustom OAuth appService-to-Service OAuthAPI key authentication
@@ -11 +11 @@ Managed authentication (3LO)Custom user-based authenticationAPI key authenticati
-Amazon Quick supports multiple authentication methods, each designed for specific use cases and security requirements.
+Amazon Quick supports multiple authentication methods for action connectors. The available methods depend on the specific connector. During setup, you choose your authentication method from the **OAuth Configuration** options or from the connector-specific authentication settings.
@@ -13 +13 @@ Amazon Quick supports multiple authentication methods, each designed for specifi
-## Managed authentication (3LO)
+## Default OAuth app
@@ -15 +15 @@ Amazon Quick supports multiple authentication methods, each designed for specifi
-Three-Legged OAuth (3LO) is the recommended authentication method for personal access to third-party services.
+Default OAuth app (also known as managed authentication or 3LO) is the recommended authentication method for personal access to third-party services. With this method, Amazon Quick manages the OAuth flow and no additional credentials are required from your organization.
@@ -17 +17 @@ Three-Legged OAuth (3LO) is the recommended authentication method for personal a
-**Key features of 3LO:**
+**Key features:**
@@ -19 +19 @@ Three-Legged OAuth (3LO) is the recommended authentication method for personal a
-  * No initial configuration required.
+  * No additional credentials or configuration required.
@@ -21 +21 @@ Three-Legged OAuth (3LO) is the recommended authentication method for personal a
-  * User-specific authentication.
+  * User-specific authentication through provider sign-in.
@@ -23 +23 @@ Three-Legged OAuth (3LO) is the recommended authentication method for personal a
-  * Secure credential storage.
+  * Secure credential storage managed by Amazon Quick.
@@ -32,9 +32 @@ Three-Legged OAuth (3LO) is the recommended authentication method for personal a
-**3LO setup process:**
-
-  1. Select connector.
-
-  2. Choose managed authentication.
-
-  3. Complete service provider login.
-
-  4. Grant requested permissions.
+**Setup process:**
@@ -42 +34 @@ Three-Legged OAuth (3LO) is the recommended authentication method for personal a
-  5. Confirm connection.
+  1. Choose **Default OAuth app** as your OAuth configuration.
@@ -43,0 +36 @@ Three-Legged OAuth (3LO) is the recommended authentication method for personal a
+  2. Complete the service provider sign-in flow.
@@ -44,0 +38 @@ Three-Legged OAuth (3LO) is the recommended authentication method for personal a
+  3. Grant the requested permissions.
@@ -45,0 +40 @@ Three-Legged OAuth (3LO) is the recommended authentication method for personal a
+  4. Confirm the connection.
@@ -47,7 +41,0 @@ Three-Legged OAuth (3LO) is the recommended authentication method for personal a
-## Custom user-based authentication
-
-For scenarios that require specific organizational control or custom configuration.
-
-**Required information:**
-
-  * Client ID.
@@ -55 +42,0 @@ For scenarios that require specific organizational control or custom configurati
-  * Client Secret.
@@ -57 +43,0 @@ For scenarios that require specific organizational control or custom configurati
-  * Domain URL.
@@ -59 +45 @@ For scenarios that require specific organizational control or custom configurati
-  * Authorization URL.
+###### Note
@@ -61 +47 @@ For scenarios that require specific organizational control or custom configurati
-  * Token URL.
+Not all connectors support Default OAuth app. Check the connector-specific documentation for available authentication methods.
@@ -63 +49 @@ For scenarios that require specific organizational control or custom configurati
-  * Redirect URL.
+## Custom OAuth app
@@ -64,0 +51 @@ For scenarios that require specific organizational control or custom configurati
+Custom OAuth app authentication is for organizations that require specific control over the OAuth application configuration. Like Default OAuth app, this method uses a three-legged OAuth (3LO) flow where users sign in directly with the service provider. The difference is that you provide your own OAuth credentials instead of using the Amazon Quick managed application.
@@ -65,0 +53 @@ For scenarios that require specific organizational control or custom configurati
+**Required information:**
@@ -66,0 +55 @@ For scenarios that require specific organizational control or custom configurati
+  * Client ID
@@ -68,5 +57 @@ For scenarios that require specific organizational control or custom configurati
-**Configuration steps:**
-
-  1. Obtain credentials from service provider.
-
-  2. Configure authentication settings.
+  * Client Secret
@@ -74 +59 @@ For scenarios that require specific organizational control or custom configurati
-  3. Validate connection.
+  * Domain URL
@@ -76 +61 @@ For scenarios that require specific organizational control or custom configurati
-  4. Test access permissions.
+  * Authorization URL
@@ -77,0 +63 @@ For scenarios that require specific organizational control or custom configurati
+  * Token URL
@@ -78,0 +65 @@ For scenarios that require specific organizational control or custom configurati
+  * Redirect URL
@@ -81 +67,0 @@ For scenarios that require specific organizational control or custom configurati
-When configuring user-based authentication in the Amazon Quick console, obtain the proper credentials from your service provider and configure your authentication settings. Then validate the connection and test your access permissions.
@@ -83 +68,0 @@ When configuring user-based authentication in the Amazon Quick console, obtain t
-## API key authentication
@@ -85 +70 @@ When configuring user-based authentication in the Amazon Quick console, obtain t
-Used primarily for automated workflows and system-level access.
+**Setup process:**
@@ -87 +72 @@ Used primarily for automated workflows and system-level access.
-**Key features:**
+  1. Create an OAuth application in your service provider's developer console.
@@ -89 +74 @@ Used primarily for automated workflows and system-level access.
-  * Simple token-based authentication.
+  2. Choose **Custom OAuth app** as your OAuth configuration.
@@ -91 +76 @@ Used primarily for automated workflows and system-level access.
-  * Single credential management.
+  3. Enter the credentials from your OAuth application.
@@ -93 +78 @@ Used primarily for automated workflows and system-level access.
-  * Service-level permissions.
+  4. Complete the sign-in flow and validate the connection.
@@ -95 +79,0 @@ Used primarily for automated workflows and system-level access.
-  * Suitable for automated processes.
@@ -98,0 +83 @@ Used primarily for automated workflows and system-level access.
+## Service-to-Service OAuth
@@ -100 +85 @@ Used primarily for automated workflows and system-level access.
-**Setup requirements:**
+Service-to-Service OAuth uses client credentials for server-to-server authentication without user interaction. This method is suitable for automated workflows and shared connectors where actions run under a service account.
@@ -102 +87 @@ Used primarily for automated workflows and system-level access.
-When setting up API Key authentication, ensure that you have the following:
+**Required information:**
@@ -104 +89 @@ When setting up API Key authentication, ensure that you have the following:
-  * Valid API key from service.
+  * Client ID
@@ -106 +91 @@ When setting up API Key authentication, ensure that you have the following:
-  * Appropriate service permissions.
+  * Client Secret
@@ -108 +93 @@ When setting up API Key authentication, ensure that you have the following:
-  * Secret storage configuration.
+  * Domain URL
@@ -109,0 +95 @@ When setting up API Key authentication, ensure that you have the following:
+  * Token URL
@@ -110,0 +97 @@ When setting up API Key authentication, ensure that you have the following:
+  * Service-specific parameters (varies by connector)
@@ -113 +99,0 @@ When setting up API Key authentication, ensure that you have the following:
-## Service-to-service authentication
@@ -115 +100,0 @@ When setting up API Key authentication, ensure that you have the following:
-For automated workflows that require complex authentication.
@@ -117 +102 @@ For automated workflows that require complex authentication.
-**Configuration requirements:**
+## API key authentication
@@ -119 +104 @@ For automated workflows that require complex authentication.
-  * Client ID.
+Some connectors support API key authentication for service-level access. This method uses a single token for authentication and is common for connectors that don't support OAuth.
@@ -121 +106 @@ For automated workflows that require complex authentication.
-  * Client Secret.
+**Required information:**
@@ -123 +108 @@ For automated workflows that require complex authentication.
-  * Domain URL.
+  * Valid API key from the service provider
@@ -125 +110 @@ For automated workflows that require complex authentication.
-  * Token URL.
+  * Base URL or domain
@@ -127 +112 @@ For automated workflows that require complex authentication.
-  * Service-specific parameters.
+  * Service-specific parameters (such as email or account ID)