AWS quick documentation change
Summary
Added new regions (eu-south-2, il-central-1, me-central-1) to IAM Identity Center requirements; restructured admin permissions table with detailed IAM requirements; clarified irreversible actions section.
Security assessment
The changes enhance documentation of IAM permissions and access controls but don't address a specific vulnerability. The restructured permissions table provides clearer security guidance about admin actions requiring IAM privileges, improving security posture through better access control documentation.
Diff
diff --git a/quick/latest/userguide/setting-up-sso.md b/quick/latest/userguide/setting-up-sso.md index a7d80d836..94cd48904 100644 --- a//quick/latest/userguide/setting-up-sso.md +++ b//quick/latest/userguide/setting-up-sso.md @@ -47,0 +48,2 @@ In the regions listed below, Amazon Quick accounts can only use [IAM Identity Ce + * `eu-south-2` Europe (Spain) + @@ -49,0 +52,4 @@ In the regions listed below, Amazon Quick accounts can only use [IAM Identity Ce + * `il-central-1` Israel (Tel Aviv) + + * `me-central-1` Middle East (UAE) + @@ -84,15 +90,31 @@ To learn more how to sign up for an Amazon Quick account with IAM Identity Cente -Admin action | IAM permissions | Amazon Quick admin role permissions ----|---|--- -**Manage assets** | Yes | No -**Security & permissions** | Yes | No -**Manage VPC connections** | Yes | No -**KMS keys** | Yes | No -**Account settings** | Yes | No -**Account customization** | No | Yes -**Manage users** | Yes (IAM Identity Center users) | Yes (Amazon Quick and IAM users) -**Your subscriptions** | No | Yes -**Mobile settings** | No | Yes -**Domains and embedding** | No | Yes -**SPICE capacity** | No | Yes - -The Amazon Quick mobile app is not supported with Amazon Quick accounts that are integrated with IAM Identity Center. +The following table lists admin actions and whether they require IAM permissions. + +Admin action | IAM permissions required +---|--- +**Account settings** | Yes +**Manage assets** | Yes +**Amazon Q** | Yes +**Manage subscriptions** | No +**SPICE capacity** | No +**Index capacity** | Yes +**Manage users (view)** | No +**Manage users > Role groups** | Yes +**Manage domains** | No +**Mobile settings** | No +**Manage IP/VPC restrictions** | Yes +**Manage VPC connections** | Yes +**Manage OAuth client applications** | Yes +**KMS keys** | Yes +**AWS resources** | Yes +**Default access policy** | Yes +**IAM policy assignments** | Yes +**AWS actions** | Yes +**Extension access** | Yes +**Custom permissions** | Yes +**Configure SageMaker** | Yes +**Brand customization** | Yes +**Agent customization** | Yes +**Email customization** | Yes +**Quick Usage Metrics** | Yes + +If you have the Amazon Quick admin role, you can perform actions that do not require IAM permissions. To perform actions that require IAM permissions, sign in to the AWS Management Console as an IAM principal with the appropriate `quicksight:*` permissions. You can also perform some admin actions programmatically through the Amazon Quick API. For a list of available API operations, see the [Amazon Quick API Reference](https://docs.aws.amazon.com/quicksight/latest/APIReference/Welcome.html). @@ -102 +124,3 @@ The Amazon Quick mobile app is not supported with Amazon Quick accounts that are -The following actions permanently remove the ability for Amazon Quick users to sign into Amazon Quick. Amazon Quick does not recommend that Amazon Quick users perform these actions. +###### Irreversible actions + +The following actions permanently prevent all users from signing in to your Amazon Quick account. You cannot undo these actions.