AWS signin medium security documentation change
Summary
Added IPv4 and dual-stack domain allowlists for web-content filtering solutions
Security assessment
Explicitly documents security-critical domains required for AWS portal access, including threat mitigation endpoints. This addresses potential service disruptions caused by overzealous firewalls and helps maintain secure access to AWS services.
Diff
diff --git a/signin/latest/userguide/allowlist-domains.md b/signin/latest/userguide/allowlist-domains.md index 22123cb27..f21e4c3d0 100644 --- a//signin/latest/userguide/allowlist-domains.md +++ b//signin/latest/userguide/allowlist-domains.md @@ -33,0 +34,4 @@ If you filter access to specific AWS domains or URL endpoints by using a web con +The following lists provide the IPv4 and dual-stack domains and URL endpoints to add to your web-content filtering solution allowlists. For more information about dual-stack endpoints, see [Update firewalls and gateways to allow access to the AWS access portal](https://docs.aws.amazon.com/singlesignon/latest/userguide/enable-identity-center-portal-access.html) in the _IAM Identity Center User Guide_. + +###### IPv4 allow list + @@ -35,0 +40,2 @@ If you filter access to specific AWS domains or URL endpoints by using a web con + * ``[IAM Identity Center instance ID]`.`[Region]`.portal.amazonaws.com` + @@ -52,0 +59,33 @@ If you filter access to specific AWS domains or URL endpoints by using a web con +###### Dual-stack allow list + + * ``[IAM Identity Center instance ID]`.portal.`[Region]`.app.aws` + + * `*.aws.dev` + + * `*.awsstatic.com` + + * `*.console.aws.a2z.com` + + * `oidc.`[Region]`.api.aws` + + * `sso.`[Region]`.api.aws` + + * `portal.sso.`[Region]`.api.aws` + + * ``[Region]`.sso.signin.aws` + + * ``[Region]`.signin.aws.amazon.com` + + * `signin.aws.amazon.com` + + * `*.cloudfront.net` + + * `cdn.us-east-1.threat-mitigation.aws.amazon.com` + + * `us-east-1.threat-mitigation.aws.amazon.com` + + * `amcs-captcha-prod-us-east-1.s3.dualstack.us-east-1.amazonaws.com` + + + +