AWS prescriptive-guidance documentation change
Summary
Updated image path and removed detailed OPA data retrieval flow descriptions (bundle/dynamic data methods and replicator process)
Security assessment
Changes are organizational (image path update) and content simplification. The removed technical details about OPA data flows don't indicate security fixes or introduce security guidance.
Diff
diff --git a/prescriptive-guidance/latest/saas-multitenant-api-access-authorization/external-data-opa.md b/prescriptive-guidance/latest/saas-multitenant-api-access-authorization/external-data-opa.md index ff67a8066..3827aa419 100644 --- a//prescriptive-guidance/latest/saas-multitenant-api-access-authorization/external-data-opa.md +++ b//prescriptive-guidance/latest/saas-multitenant-api-access-authorization/external-data-opa.md @@ -57,25 +57 @@ When you fetch external data by using bundling, replication, or a dynamic pull a - - -**Retrieving external data for OPA flow – bundle or dynamic data retrieval at decision time** (illustrated with red numbered callouts in the diagram): - - 1. OPA calls the local API endpoint for the authorization service, which is configured as a bundle endpoint or the endpoint for dynamic data retrieval during authorization decisions. - - 2. The authorization service queries or calls the external data source to retrieve external data. (For a bundle endpoint, this data should also contain OPA policies and rules. Bundle updates replace everything—both data and policies—in OPA's cache.) - - 3. The authorization service performs any transformation necessary on the returned data to turn it into the expected JSON input. - - 4. The data is returned to OPA. It is cached in memory for bundle configuration and used immediately for dynamic authorization decisions. - - - - -**Retrieving external data for OPA flow – replicator** (illustrated with blue numbered callouts in the diagram): - - 1. The replicator (part of the authorization service) calls the external data source and retrieves any data to be updated in OPA. This can include policies, rules, and external data. This call can be on a set cadence, or it can happen in response to data updates in the external source. - - 2. The authorization service performs any transformations necessary on the returned data to turn it into the expected JSON input. - - 3. The authorization service calls OPA and caches the data in memory. The authorization service can selectively update data, policies, and rules. - - - +