AWS prescriptive-guidance documentation change
Summary
Updated image paths and formatting changes (backticks to italics) for ABAC/RBAC example documentation
Security assessment
Changes involve formatting adjustments (markdown syntax for code/emphasis) and image path updates. The account_lockout_flag example already existed and the modification only changes presentation format, not security functionality. No evidence of addressing vulnerabilities or new security guidance.
Diff
diff --git a/prescriptive-guidance/latest/saas-multitenant-api-access-authorization/opa-abac-rbac-examples.md b/prescriptive-guidance/latest/saas-multitenant-api-access-authorization/opa-abac-rbac-examples.md index 53082e722..aa9f9a813 100644 --- a//prescriptive-guidance/latest/saas-multitenant-api-access-authorization/opa-abac-rbac-examples.md +++ b//prescriptive-guidance/latest/saas-multitenant-api-access-authorization/opa-abac-rbac-examples.md @@ -11 +11 @@ To enhance the RBAC example in the previous section, you can add attributes to u - + @@ -13 +13 @@ To enhance the RBAC example in the previous section, you can add attributes to u -This example includes the same roles from the previous example, but adds the user attribute `account_lockout_flag`. This is a user-specific attribute that isn't associated with any particular role. You can use the same RBAC external data that you used previously for this example: +This example includes the same roles from the previous example, but adds the user attribute _account_lockout_flag_. This is a user-specific attribute that isn't associated with any particular role. You can use the same RBAC external data that you used previously for this example: @@ -28 +28 @@ This example includes the same roles from the previous example, but adds the use -The `account_lockout_flag` user attribute can be passed to the Data service as part of the input to an OPA query for `/viewData/tenant_a` for the user Bob: +The _account_lockout_flag_ user attribute can be passed to the Data service as part of the input to an OPA query for _/viewData/tenant_a_ for the user Bob: @@ -39 +39 @@ The `account_lockout_flag` user attribute can be passed to the Data service as p -The rule that is queried for the access decision is similar to the previous examples, but includes an additional line to check for the `account_lockout_flag` attribute: +The rule that is queried for the access decision is similar to the previous examples, but includes an additional line to check for the _account_lockout_flag_ attribute: @@ -52 +52 @@ The rule that is queried for the access decision is similar to the previous exam -This query returns an authorization decision of `false`. This is because the `account_lockout_flag attribute` is `true` for Bob, and the Rego rule `allowViewData` denies access although Bob has the correct role and tenant. +This query returns an authorization decision of _false_. This is because the _account_lockout_flag attribute_ is _true for Bob_ , and the Rego rule _allowViewData_ denies access although Bob has the correct role and tenant.