AWS prescriptive-guidance documentation change
Summary
Updated image paths and removed detailed flow descriptions for OPA implementation models
Security assessment
Content reorganization and image path updates without evidence of security fixes or new security guidance
Diff
diff --git a/prescriptive-guidance/latest/saas-multitenant-api-access-authorization/using-opa.md b/prescriptive-guidance/latest/saas-multitenant-api-access-authorization/using-opa.md index 85e389a4a..abd38dd8f 100644 --- a//prescriptive-guidance/latest/saas-multitenant-api-access-authorization/using-opa.md +++ b//prescriptive-guidance/latest/saas-multitenant-api-access-authorization/using-opa.md @@ -26,29 +26 @@ This model uses a centralized PDP to make authorization decisions. PEPs are impl - - -**Application flow** (illustrated with blue numbered callouts in the diagram): - - 1. An authenticated user with a JWT generates an HTTP request to Amazon CloudFront. - - 2. CloudFront forwards the request to Amazon API Gateway, which is configured as a CloudFront origin. - - 3. An API Gateway custom authorizer is called to verify the JWT. - - 4. Microservices respond to the request. - - - - -**Authorization and API access control flow** (illustrated with red numbered callouts in the diagram): - - 1. The PEP calls the authorization service and passes request data, including any JWTs. - - 2. The authorization service (PDP) takes the request data and queries an OPA agent REST API, which is running as a sidecar. The request data serves as an input to the query. - - 3. OPA evaluates the input based on the relevant policies specified by the query. Data is imported to make an authorization decision if necessary. - - 4. OPA returns a decision to the authorization service. - - 5. The authorization decision is returned to the PEP and evaluated. - - - + @@ -81,29 +53 @@ The following diagram shows how this combination of a centralized PDP and a dist - - -**Application flow** (illustrated with blue numbered callouts in the diagram): - - 1. An authenticated user with a JWT generates an HTTP request to Amazon CloudFront. - - 2. CloudFront forwards the request to Amazon API Gateway, which is configured as a CloudFront origin. - - 3. An API Gateway custom authorizer is called to verify the JWT. - - 4. Microservices respond to the request. - - - - -**Authorization and API access control flow** (illustrated with red numbered callouts in the diagram): - - 1. The PEP calls the authorization service and passes request data, including any JWTs. - - 2. The authorization service (PDP) takes the request data and queries an OPA agent REST API, which is running as a sidecar. The request data serves as an input to the query. - - 3. OPA evaluates the input based on the relevant policies specified by the query. Data is imported to make an authorization decision if necessary. - - 4. OPA returns a decision to the authorization service. - - 5. The authorization decision is returned to the PEP and evaluated. - - - + @@ -127 +71 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please -Using Amazon Verified Permissions +Design models for Amazon Verified Permissions