AWS controltower medium security documentation change
Summary
Removed 'sso:GetPeregrineStatus' permission from Account Factory role requirements and updated explanatory text
Security assessment
Removing unnecessary permissions follows the principle of least privilege, reducing potential attack surface. The explicit removal of 'sso:GetPeregrineStatus' indicates this permission was identified as excessive, mitigating risks of over-privileged roles which could be exploited in privilege escalation attacks.
Diff
diff --git a/controltower/latest/userguide/roles-how.md b/controltower/latest/userguide/roles-how.md index ef4eee900..21a833276 100644 --- a//controltower/latest/userguide/roles-how.md +++ b//controltower/latest/userguide/roles-how.md @@ -313,6 +312,0 @@ If you're provisioning accounts using Lambda functions, the identity that will p -JSON - - -**** - - @@ -336 +329,0 @@ JSON - "sso:GetPeregrineStatus", @@ -366,2 +359 @@ JSON - -The permissions `sso:GetPeregrineStatus`, `sso:ProvisionApplicationInstanceForAWSAccount`, `sso:ProvisionApplicationProfileForAWSAccountInstance`, and `sso:ProvisionSAMLProvide` are required by AWS Control Tower Account Factory to interact with AWS IAM Identity Center. +The permissions `sso:ProvisionApplicationInstanceForAWSAccount`, `sso:ProvisionApplicationProfileForAWSAccountInstance`, and `sso:ProvisionSAMLProvider` are required by AWS Control Tower Account Factory to interact with AWS IAM Identity Center.