AWS prescriptive-guidance documentation change
Summary
Added support for ML-DSA certificates alongside X.509 certificates in certificate-based authentication documentation
Security assessment
The change adds ML-DSA as a supported certificate type for authentication but doesn't indicate any security vulnerability being fixed. It enhances documentation about cryptographic security features.
Diff
diff --git a/prescriptive-guidance/latest/certificate-based-access-controls/concepts.md b/prescriptive-guidance/latest/certificate-based-access-controls/concepts.md index 66dce49b0..51d91ca12 100644 --- a//prescriptive-guidance/latest/certificate-based-access-controls/concepts.md +++ b//prescriptive-guidance/latest/certificate-based-access-controls/concepts.md @@ -9 +9 @@ Least privilegeCertificate-based authenticationTrust anchors and trust modelsTem -# Key concepts for using certificate-based access controls in AWS +# Key concepts @@ -11 +11 @@ Least privilegeCertificate-based authenticationTrust anchors and trust modelsTem -Certificate-based access controls in AWS require understanding several interdependent authentication and authorization concepts. For example, the principle of least privilege determines the scope of permissions granted through certificate-based authentication, which directly affects AWS Identity and Access Management (IAM) role and policy design. Certificate-based authentication itself relies on X.509 certificate validation against configured trust anchors, which define the cryptographic trust chain for certificate verification. The temporary security credentials generated through this process have specific lifecycle characteristics that impact session management and credential rotation strategies. Additionally, AWS Identity and Access Management Roles Anywhere implements a dual-layer permission model where both IAM role policies and profile configurations must authorize access. Without understanding how these concepts interact, implementations can result in authentication failures, over-privileged access, or security gaps in the certificate-validation chain. These concepts form the technical foundation required to correctly configure trust relationships, permission boundaries, and credential lifecycles in certificate-based AWS access control systems. +Certificate-based access controls in AWS require understanding several interdependent authentication and authorization concepts. For example, the principle of least privilege determines the scope of permissions granted through certificate-based authentication, which directly affects AWS Identity and Access Management (IAM) role and policy design. Certificate-based authentication itself relies on digital certificate (X.509 or ML-DSA) validation against configured trust anchors, which define the cryptographic trust chain for certificate verification. The temporary security credentials generated through this process have specific lifecycle characteristics that impact session management and credential rotation strategies. Additionally, AWS Identity and Access Management Roles Anywhere implements a dual-layer permission model where both IAM role policies and profile configurations must authorize access. Without understanding how these concepts interact, implementations can result in authentication failures, over-privileged access, or security gaps in the certificate-validation chain. These concepts form the technical foundation required to correctly configure trust relationships, permission boundaries, and credential lifecycles in certificate-based AWS access control systems. @@ -13 +13 @@ Certificate-based access controls in AWS require understanding several interdepe -###### This section contains the following topics: +**This section contains the following topics:** @@ -49 +49 @@ Implementing the least privilege in AWS offers the following benefits: -Certificate-based authentication uses digital certificates to verify the identity of a device, service, or application. X.509 certificates contain attributes that identify the entity and are signed by a trusted certificate authority. This authentication method eliminates the need for static credentials and provides a cryptographically secure way to establish trust. +Certificate-based authentication uses digital certificates to verify the identity of a device, service, or application. Digital certificates (X.509 or ML-DSA) contain attributes that identify the entity and are signed by a trusted certificate authority. This authentication method eliminates the need for static credentials and provides a cryptographically secure way to establish trust. @@ -51 +51 @@ Certificate-based authentication uses digital certificates to verify the identit -Whereas identity-based authentication relies on credentials that are directly associated with an IAM [role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) or [user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html), certificate-based authentication uses X.509 certificates to establish identity. Certificate-based authentication offers advantages in hybrid environments by providing a stronger security posture, automated credential rotation, and the ability to encode attributes that can be used for fine-grained access control. +Whereas identity-based authentication relies on credentials that are directly associated with an IAM [role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) or [user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html), certificate-based authentication uses digital certificates (X.509 or ML-DSA) to establish identity. Certificate-based authentication offers advantages in hybrid environments by providing a stronger security posture, automated credential rotation, and the ability to encode attributes that can be used for fine-grained access control.