AWS Security ChangesHomeSearch

AWS prescriptive-guidance documentation change

Service: prescriptive-guidance · 2026-07-10 · Documentation low

File: prescriptive-guidance/latest/saas-multitenant-api-access-authorization/avp-mt-abac-examples.md

Summary

Updated image path and added italics formatting in authorization example.

Security assessment

Formatting tweaks and image relocation; no changes to ABAC/RBAC security policies or vulnerability mitigations.

Diff

diff --git a/prescriptive-guidance/latest/saas-multitenant-api-access-authorization/avp-mt-abac-examples.md b/prescriptive-guidance/latest/saas-multitenant-api-access-authorization/avp-mt-abac-examples.md
index dd7a82097..7b22e224b 100644
--- a//prescriptive-guidance/latest/saas-multitenant-api-access-authorization/avp-mt-abac-examples.md
+++ b//prescriptive-guidance/latest/saas-multitenant-api-access-authorization/avp-mt-abac-examples.md
@@ -13 +13 @@ Using the Per Tenant Policy Store design pattern is a best practice for maintain
-![Example of multi-tenant access control with RBAC, Amazon Verified Permissions, and Cedar](/images/prescriptive-guidance/latest/saas-multitenant-api-access-authorization/images/avp-example-3.png)
+![Example of multi-tenant access control with RBAC, Amazon Verified Permissions, and Cedar](/images/prescriptive-guidance/latest/saas-multitenant-api-access-authorization/images/guide-img/1bc1ddcc-09fb-41af-88b1-99d94e62fa1f/images/d4bab8ae-41ac-4206-978a-741397a733dd.png)
@@ -45 +45 @@ This second policy mandates that principals that are a part of the `viewDataRole
-The authorization request made from Tenant A needs to be sent to the `DATAMICROSERVICE_POLICYSTORE_A` policy store and verified by the policies that belong to that store. In this case, it's verified by the first policy discussed earlier as part of this example. In this authorization request, the principal of type `User` with a value of `Alice` is requesting to perform the `viewData` action. The principal belongs to the group `allAccessRole` of type `Role`. Alice is trying to perform the `viewData` action on the `SampleData` resource. Because Alice has the `allAccessRole` role, this evaluation results in an `ALLOW` decision.
+The authorization request made from Tenant A needs to be sent to the `DATAMICROSERVICE_POLICYSTORE_A` policy store and verified by the policies that belong to that store. In this case, it's verified by the first policy discussed earlier as part of this example. In this authorization request, the principal of type `User` with a value of `Alice` is requesting to perform the `viewData` action _._ The principal belongs to the group `allAccessRole` of type `Role`. Alice is trying to perform the `viewData` action on the `SampleData` resource _._ Because Alice has the `allAccessRole` role, this evaluation results in an `ALLOW` decision.