AWS Security ChangesHomeSearch

AWS prescriptive-guidance documentation change

Service: prescriptive-guidance · 2026-07-10 · Documentation low

File: prescriptive-guidance/latest/saas-multitenant-api-access-authorization/opa-abac-rbac-examples.md

Summary

Updated image paths and formatting changes (backticks to italics) for ABAC/RBAC example documentation

Security assessment

Changes involve formatting adjustments (markdown syntax for code/emphasis) and image path updates. The account_lockout_flag example already existed and the modification only changes presentation format, not security functionality. No evidence of addressing vulnerabilities or new security guidance.

Diff

diff --git a/prescriptive-guidance/latest/saas-multitenant-api-access-authorization/opa-abac-rbac-examples.md b/prescriptive-guidance/latest/saas-multitenant-api-access-authorization/opa-abac-rbac-examples.md
index 53082e722..aa9f9a813 100644
--- a//prescriptive-guidance/latest/saas-multitenant-api-access-authorization/opa-abac-rbac-examples.md
+++ b//prescriptive-guidance/latest/saas-multitenant-api-access-authorization/opa-abac-rbac-examples.md
@@ -11 +11 @@ To enhance the RBAC example in the previous section, you can add attributes to u
-![RBAC and ABAC with OPA and Rego](/images/prescriptive-guidance/latest/saas-multitenant-api-access-authorization/images/opa-example-3.png)
+![RBAC and ABAC with OPA and Rego](/images/prescriptive-guidance/latest/saas-multitenant-api-access-authorization/images/guide-img/1bc1ddcc-09fb-41af-88b1-99d94e62fa1f/images/976d9ba1-5fc0-4022-9698-3f971d60d314.png)
@@ -13 +13 @@ To enhance the RBAC example in the previous section, you can add attributes to u
-This example includes the same roles from the previous example, but adds the user attribute `account_lockout_flag`. This is a user-specific attribute that isn't associated with any particular role. You can use the same RBAC external data that you used previously for this example: 
+This example includes the same roles from the previous example, but adds the user attribute _account_lockout_flag_. This is a user-specific attribute that isn't associated with any particular role. You can use the same RBAC external data that you used previously for this example: 
@@ -28 +28 @@ This example includes the same roles from the previous example, but adds the use
-The `account_lockout_flag` user attribute can be passed to the Data service as part of the input to an OPA query for `/viewData/tenant_a` for the user Bob:
+The _account_lockout_flag_ user attribute can be passed to the Data service as part of the input to an OPA query for _/viewData/tenant_a_ for the user Bob:
@@ -39 +39 @@ The `account_lockout_flag` user attribute can be passed to the Data service as p
-The rule that is queried for the access decision is similar to the previous examples, but includes an additional line to check for the `account_lockout_flag` attribute:
+The rule that is queried for the access decision is similar to the previous examples, but includes an additional line to check for the _account_lockout_flag_ attribute:
@@ -52 +52 @@ The rule that is queried for the access decision is similar to the previous exam
-This query returns an authorization decision of `false`. This is because the `account_lockout_flag attribute` is `true` for Bob, and the Rego rule `allowViewData` denies access although Bob has the correct role and tenant.
+This query returns an authorization decision of _false_. This is because the _account_lockout_flag attribute_ is _true for Bob_ , and the Rego rule _allowViewData_ denies access although Bob has the correct role and tenant.