AWS prescriptive-guidance documentation change
Summary
Updated breadcrumb navigation link, removed hyperlink from STS reference, reformatted group example from bullet to paragraph, and fixed apostrophe typo in MFA section.
Security assessment
Changes are editorial/non-substantive: link corrections, formatting adjustments, and typo fixes. No modifications to security recommendations (e.g., MFA/STS guidance remains unchanged). No evidence of vulnerability remediation or new security content.
Diff
diff --git a/prescriptive-guidance/latest/transitioning-to-multiple-aws-accounts/add-initial-users.md b/prescriptive-guidance/latest/transitioning-to-multiple-aws-accounts/add-initial-users.md index b99beb2ae..f12fcb254 100644 --- a//prescriptive-guidance/latest/transitioning-to-multiple-aws-accounts/add-initial-users.md +++ b//prescriptive-guidance/latest/transitioning-to-multiple-aws-accounts/add-initial-users.md @@ -5 +5 @@ -[Documentation](/index.html)[AWS Prescriptive Guidance](https://aws.amazon.com/prescriptive-guidance/)[Transitioning to multiple AWS accounts](welcome.html) +[Documentation](/index.html)[AWS Prescriptive Guidance](https://aws.amazon.com/prescriptive-guidance/)[Transitioning to multiple AWS accounts](introduction.html) @@ -20 +20 @@ There are two ways to grant people access to AWS accounts: -In smaller companies and single-account environments, it is common for administrators to create an IAM user when a new person joins the company. The access key and secret key credentials associated to an IAM user are known as _long-term credentials_ because they don't expire. However, this isn't a recommended security best practice because if an attacker compromised those credentials, you would have to generate a new set of credentials for the user. Another approach for accessing AWS accounts is through [IAM roles](https://aws.amazon.com/blogs/startups/how-setting-up-iam-users-and-iam-roles-can-help-keep-your-startup-secure/). You can also use [AWS Security Token Service](https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html) (AWS STS) to temporarily request _short-term credentials_ , which expire after a configurable amount of time. +In smaller companies and single-account environments, it is common for administrators to create an IAM user when a new person joins the company. The access key and secret key credentials associated to an IAM user are known as _long-term credentials_ because they don't expire. However, this isn't a recommended security best practice because if an attacker compromised those credentials, you would have to generate a new set of credentials for the user. Another approach for accessing AWS accounts is through [IAM roles](https://aws.amazon.com/blogs/startups/how-setting-up-iam-users-and-iam-roles-can-help-keep-your-startup-secure/). You can also use AWS Security Token Service (AWS STS) to temporarily request _short-term credentials_ , which expire after a configurable amount of time. @@ -36 +36 @@ IAM Identity Center also supports federation from external identity providers (I - * For example, for the group `AWS-A-dev-nonprod-DeveloperAccess`, `AWS-A` is a prefix that indicates access to a single account, `dev-nonprod` is the name of the account, and `DeveloperAccess` is the permission set assigned to the group. For the group `AWS-O-BillingAccess`, the `AWS-O` prefix indicates access to the entire organization, and `BillingAccess` indicates the permission set for the group. In this example, because the group has access to the entire organization, an account name isn't represented in the group name. +For example, for the group `AWS-A-dev-nonprod-DeveloperAccess`, `AWS-A` is a prefix that indicates access to a single account, `dev-nonprod` is the name of the account, and `DeveloperAccess` is the permission set assigned to the group. For the group `AWS-O-BillingAccess`, the `AWS-O` prefix indicates access to the entire organization, and `BillingAccess` indicates the permission set for the group. In this example, because the group has access to the entire organization, an account name isn't represented in the group name. @@ -40 +40 @@ IAM Identity Center also supports federation from external identity providers (I -Many IdPs, such as Microsoft Azure Active Directory and Okta, can use the Authentication Method Reference (`amr`) claim inside a SAML assertion to pass the user’s MFA status to IAM Identity Center. The claim used to assert MFA status and its format varies by IdP. For more information, see the documentation for your IdP. +Many IdPs, such as Microsoft Azure Active Directory and Okta, can use the Authentication Method Reference (`amr`) claim inside a SAML assertion to pass the user's MFA status to IAM Identity Center. The claim used to assert MFA status and its format varies by IdP. For more information, see the documentation for your IdP.