AWS Security ChangesHomeSearch

AWS prescriptive-guidance documentation change

Service: prescriptive-guidance · 2026-07-10 · Documentation low

File: prescriptive-guidance/latest/security-reference-architecture/shared-services.md

Summary

Removed survey link; updated image path; restructured design considerations for Directory Service and IAM Identity Center, including adding DISA STIG configuration guidance and updating IAM Identity Center limitations

Security assessment

Added documentation about configuring AWS Managed Microsoft AD to meet DISA STIG security standards, which enhances security guidance but doesn't address a specific vulnerability. No evidence of patching a security incident.

Diff

diff --git a/prescriptive-guidance/latest/security-reference-architecture/shared-services.md b/prescriptive-guidance/latest/security-reference-architecture/shared-services.md
index 412b47ef4..8886619fb 100644
--- a//prescriptive-guidance/latest/security-reference-architecture/shared-services.md
+++ b//prescriptive-guidance/latest/security-reference-architecture/shared-services.md
@@ -11,3 +10,0 @@ AWS Systems ManagerAWS Managed Microsoft ADIAM Identity Center
-Influence the future of the AWS Security Reference Architecture (AWS SRA) by taking a [short survey](https://amazonmr.au1.qualtrics.com/jfe/form/SV_e3XI1t37KMHU2ua).  
----  
-  
@@ -16 +13 @@ The following diagram illustrates the AWS security services that are configured
-![Security services for Shared Services account.](/images/prescriptive-guidance/latest/security-reference-architecture/images/shared-services-acct.png)
+![Security services for Shared Services account.](/images/prescriptive-guidance/latest/security-reference-architecture/images/guide-img/91d313fc-d5f1-45a8-a5a6-2f4fc7abc93a/images/11172209-47ef-4693-ad0c-64b707925921.png)
@@ -40 +37,7 @@ In the AWS SRA, Directory Service is used within the Shared Services account to
-###### Design consideration
+**Design considerations:**
+
+  * You can grant your on-premises Active Directory users access to sign in to the AWS Management Console and AWS Command Line Interface (AWS CLI) with their existing Active Directory credentials by using IAM Identity Center and selecting AWS Managed Microsoft AD as the identity source. This enables your users to assume one of their assigned roles at sign-in, and to access and take action on the resources according to the permissions defined for the role. An alternative option is to use AWS Managed Microsoft AD to enable your users to assume an IAM role.
+
+  * You can configure AWS Managed Microsoft AD security settings to align with Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIG) for [Windows Server](https://stigviewer.com/stigs/microsoft_windows_server_2019) and [Active Directory](https://stigviewer.com/stigs/active_directory_domain). You can configure through a self-service interface, both programmatically and through the AWS Management Console. You can now ensure consistent configuration across multiple managed directories by declaring their desired configuration and letting AWS implement and persist these configurations. When expanding to additional regions or scaling out with additional domain controllers, AWS Managed Microsoft AD automatically applies these settings to all new instances.
+
+
@@ -42 +44,0 @@ In the AWS SRA, Directory Service is used within the Shared Services account to
-You can grant your on-premises Active Directory users access to sign in to the AWS Management Console and AWS Command Line Interface (AWS CLI) with their existing Active Directory credentials by using IAM Identity Center and selecting AWS Managed Microsoft AD as the identity source. This enables your users to assume one of their assigned roles at sign-in, and to access and take action on the resources according to the permissions defined for the role. An alternative option is to use AWS Managed Microsoft AD to enable your users to assume an IAM role.
@@ -52 +54 @@ IAM Identity Center supports the registration of a single member account as a de
-###### Design considerations
+**Design considerations:**
@@ -60 +62 @@ IAM Identity Center supports the registration of a single member account as a de
-  * IAM Identity Center currently doesn't provide [multi-Region support](https://docs.aws.amazon.com/singlesignon/latest/userguide/regions.html#region-data). (To enable IAM Identity Center in a different Region, you must first delete your current IAM Identity Center configuration.) Furthermore, it doesn't support the use of different identity sources for different set of accounts or let you delegate permissions management to different parts of your organization (that is, multiple delegated administrators) or to different groups of administrators. If you require any of these features, you can use [IAM federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html) to manage your user identities within an identity provider (IdP) outside of AWS and give these external user identities permission to use AWS resources in your account. IAM supports IdPs that are compatible with [OpenID Connect (OIDC)](https://openid.net/connect/) or SAML 2.0. As a best practice, use SAML 2.0 federation with third-party identity providers such as Active Directory Federation Service (AD FS), Okta, Azure Active Directory (Azure AD), or Ping Identity to provide single sign-on capability for users to log into the AWS Management Console or to call AWS API operations. For more information about IAM federation and identity providers, see [About SAML 2.0-based federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html) in the IAM documentation.
+  * IAM Identity Center currently doesn't support the use of different identity sources for different set of accounts or let you delegate permissions management to different parts of your organization (that is, multiple delegated administrators) or to different groups of administrators. If you require these features, you can use [IAM federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html) to manage your user identities within an identity provider (IdP) outside of AWS and give these external user identities permission to use AWS resources in your account. IAM supports IdPs that are compatible with [OpenID Connect (OIDC)](https://openid.net/connect/) or SAML 2.0. As a best practice, use SAML 2.0 federation with third-party identity providers such as Active Directory Federation Service (AD FS), Okta, Azure Active Directory (Azure AD), or Ping Identity to provide single sign-on capability for users to log into the AWS Management Console or to call AWS API operations. For more information about IAM federation and identity providers, see [About SAML 2.0-based federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html) in the IAM documentation[.](https://identity-federation.awssecworkshops.com/)