Updates from 1x1 w CJ

Author: jonathanfrappier

content/well-architected-framework/docs/docs/secure-systems/identity-access-management/centralize-identity-management.mdx

@@ -5,21 +5,29 @@ description: Centralize identity management to manage access and improve securit
 
 # Centralize identity management
 
-Designing and planning policies to manage access is part of a complete identity and access management strategy. A key part of that strategy is to centralize identity management, allowing you to enforce those policies effectively.
+Designing and planning policies to manage access is part of a complete identity
+and access management strategy. A key part of that strategy is to centralize
+identity management, allowing you to enforce those policies effectively.
 
-There are several ways to grant access to systems. Most systems have built-in identity solutions that allow you to create local users and groups. Those users and groups only have access to that specific system. While this approach may seem secure, it does not scale well and may introduce more security risks than centralizing identity management.
+There are several ways to grant access to systems. Most systems have built-in
+identity solutions that allow you to create local users and groups. Those users
+and groups only have access to that specific system. While this approach may
+seem secure, it does not scale well and may introduce more security risks than
+centralizing identity management.
 
 ## What is centralized identity management
 
 Centralizing identity management allows you to manage access to all systems
 from a single location. Solutions like LDAP, Active Directory, or cloud identity
-providers like Okta, Azure Active Directory, or Google Cloud Identity provide a way to
+providers like Okta, Azure EntraID, or Google Cloud Identity provide a way to
 centralize identity management. After you centralize authentication, you then
 integrate the identity provider with other systems and authorize access for those
 users. Each user has a single username and password, but can access the systems
 required to perform their job.
 
-Compare this to having a local user on your laptop. You can log in to the laptop with the local user, but that username and password do not provide access to your email or other systems.
+Compare this to having a local user on your laptop. You can log in to the laptop
+with the local user, but that username and password do not provide access to
+your email or other systems.
 
 ## Why centralize identity management
 
@@ -33,14 +41,31 @@ with a single set of credentials. This approach reduces the risk of password
 fatigue and improves security by reducing the number of passwords that users
 need to remember.
 
-You can deploy HashiCorp Vault to act as an OIDC provider for other systems.
-This gives you complete control over your identity management workflow and
-allows you to expose the OIDC provider based on your security requirements.
+You can deploy HashiCorp Vault to support centralized identity management by:
+
+- **Act as an OIDC provider** - Deploy Vault as an OIDC provider gives you
+  complete control over your identity management workflow and allows you to
+  expose the OIDC provider based on your security requirements.
+- **Generate credentials** - Generate dynamic, short-lived credentials that
+  eliminate static passwords stored in different systems.
+
+Boundary provides identity-aware proxying to infrastructure without exposing
+credentials to end users: 
+
+- **Integrate with identity providers** - Connect Boundary to OIDC providers or
+  Active Directory to authenticate users based on their existing corporate
+  identities.
+- **Role-based access control** - Map users and groups from your identity
+  provider to Boundary roles, controlling which systems each user can access.
+- **Session recording and auditing** - Track which users accessed which systems,
+  creating an audit trail tied to real identities rather than shared
+  credentials.
 
 Most HashiCorp tools and services like the [HashiCorp Cloud
 Platform](https://portal.cloud.hashicorp.com/sign-in), HCP Terraform, Boundary,
 and Vault integrate with third party identity providers natively or through
-OIDC.
+OIDC allowing you to manage access to these tools from your centralized identity
+provider.
 
 HashiCorp resources:
 

content/well-architected-framework/docs/docs/secure-systems/identity-access-management/create-permissions-guardrails.mdx

@@ -23,9 +23,13 @@ Permissions are the specific actions that users, applications, or systems can
 take on resources. Permissions are typically defined in policies and used to
 control access to resources in a system.
 
-You can grant or deny permissions based on various factors, including the user's role, group membership, the resources they access, and the context of the access request. For example, a user may have permission to read data from a database but not to write data to it.
+You can grant or deny permissions based on various factors, including the user's
+role, group membership, the resources they access, and the context of the access
+request. For example, a user may have permission to read data from a database
+but not to write data to it.
 
-The following is an example of a database permission and AWS S3 bucket policy that follows least privilege:
+The following is an example of a database permission and AWS S3 bucket policy
+that follows least privilege:
 
 <CodeBlockConfig hideClipboard>
 
@@ -46,11 +50,18 @@ This AWS IAM policy allows read-only access to download files from the "company-
     "Statement": [
         {
             "Effect": "Allow",
-            "Action": ["s3:GetObject"],
-            "Resource": "arn:aws:s3:::company-reports/*"
+            "Action": [
+                "s3:GetObject",
+                "s3:ListBucket"
+            ],
+            "Resource": [
+                "arn:aws:s3:::company-reports",
+                "arn:aws:s3:::company-reports/*"
+            ]
         }
-        ]
+    ]
 }
+```
 
 ## Define permissions as code
 
@@ -67,7 +78,12 @@ the HashiCorp Configuration Language (HCL). JSON is another widely supported
 format. HashiCorp Vault supports JSON based policies, in addition to HCL. AWS
 Identity and Access Management (IAM) supports JSON-based policies. Other systems
 like Active Directory may require scripting the policies in other languages like
-PowerShell.
+PowerShell to create Group Policy Objects (GPOs).
+
+Terraform helps you manage your policies for supported tools and services,
+allowing you to define, update, and enforce policies as code. This approach
+ensures that your policies are consistent, auditable, and can be version
+controlled.
 
 HashiCorp resources:
 

content/well-architected-framework/docs/docs/secure-systems/identity-access-management/define-access-requirements.mdx

@@ -5,7 +5,11 @@ description: Identify and collect requirements to help you identify access requi
 
 # Define access requirements
 
-Defining access requirements for your organization is an important step in creating secure systems. Identifying what requirements you need to implement can seem overwhelming. There are steps you can take to simplify identifying the requirements you need and collecting the necessary documentation to implement the access requirements.
+Defining access requirements for your organization is an important step in
+creating secure systems. Identifying what requirements you need to implement can
+seem overwhelming. There are steps you can take to simplify identifying the
+requirements you need and collecting the necessary documentation to implement
+the access requirements.
 
 ## What are access requirements
 
@@ -19,16 +23,18 @@ several sources, including:
 - Local, federal, or international regulatory standards that define data privacy
   and protection (CCPA, Sarbanes-Oxley, GDPR).
 - Current best operational practices that define security controls (SOC 2, NIST,
-  ISO 127001).
+  ISO 27001).
 
 When you understand which regulations and standards apply to your organization, you can
 begin to identify the specific access requirements that you need to implement
 for your systems and teams.
 
 ## How to define access requirements
 
-Start by identifying the regulations and standards that apply to your organization from both an industry and geographic perspective. These regulations often align with specific security practices, such as [NIST SP 800-53](https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final) for access
-control.
+Start by identifying the regulations and standards that apply to your
+organization from both an industry and geographic perspective. These regulations
+often align with specific security practices, such as [NIST SP
+800-53](https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final) for access control.
 
 Once you have identified and collected the requirements that apply to your
 organization, you need to document those requirements and begin mapping the
@@ -53,6 +59,16 @@ as code](/well-architected-framework/secure-systems/compliance-and-governance/po
 such as policies for Vault or Sentinel to manage access controls across your
 systems.
 
+[Project
+infragraph](https://www.hashicorp.com/en/blog/building-intelligent-infrastructure-automation-with-hashicorp),
+announced at HashiConf 2025, is a real-time infrastructure graph that provides
+visibility into your infrastructure and its relationships. By understanding
+relationships between your resources, you can better define and manage access
+requirements.
+
+You can apply to our private beta for project infragraph
+[here](https://www.hashicorp.com/en/project-infragraph-private-beta).
+
 HashiCorp resources:
 
 - [Access controls with Vault policies](/vault/tutorials/policies/policies)

content/well-architected-framework/docs/docs/secure-systems/identity-access-management/grant-least-privilege.mdx

@@ -39,7 +39,11 @@ While most regulations do not have explicit requirements for least privilege,
 they do require controls that show you have a strong identity and access
 management program.
 
-Consider conventional virtual private network (VPN) solutions, where a user connects to the VPN and gains access to the entire network. If a user’s credentials are compromised, an attacker can access all data on the network. A VPN is generally unable to follow the principle of least privilege because it provides broad access to the network.
+Consider conventional virtual private network (VPN) solutions, where a user
+connects to the VPN and gains access to the entire network. If a user’s
+credentials are compromised, an attacker can access all data on the network. A
+VPN is generally unable to follow the principle of least privilege because it
+provides broad access to the network.
 
 In contrast, a zero trust model with least privilege ensures that users
 have access to the specific resources they need. If a user’s credentials become
@@ -53,14 +57,27 @@ Some examples of documentation at this stage include:
 - Software engineers do not have access to production.
 - Site reliability engineers have access to production, but not permanently.
 - Access to production requires approval and multi-factor authentication (MFA)
-- Logging is enabled and monitored for access to production.
+- Logging enabled and monitoring access to production.
 - Centralized authentication and authorization for all services.
 
 HashiCorp tools and services like [Vault](/vault/tutorials/get-started) and
 [Boundary](/boundary/tutorials/get-started-hcp) allow you to implement least
 privilege access controls, while Terraform helps you manage the policies for
 Vault and Boundary.
 
+With Vault and Boundary, you can provision dynamic credentials allowing users to
+remotely access systems without managing long-lived credentials. When the
+session is complete, Vault revokes the credentials, reducing the risk of
+compromise.
+
+Boundary also allows you to provide access to the specific systems and
+services that users need access to, eliminating access to the entire network
+like conventional VPN solutions do.
+
+Terraform helps you manage the policies for Vault and Boundary, allowing you to
+define, update, and enforce policies as code. This approach ensures that your
+policies are consistent, auditable, and can be version controlled.
+
 HashiCorp resources:
 
 - [Access controls with Vault policies](/vault/tutorials/policies/policies)

content/well-architected-framework/docs/docs/secure-systems/identity-access-management/implement-strong-sign-in-workflows.mdx

@@ -31,7 +31,7 @@ workflows include:
 ## Why implement strong sign-in workflows
 
 Writing policies that follow [least
-privilege](/secure-systems/identity-access-management/grant-least-privilege)
+privilege](/well-architected-framework/secure-systems/identity-access-management/grant-least-privilege)
 ensures that an authorized user does not have access to systems or data they
 should not have access to. It does not, however, ensure that unauthorized users
 have not improperly gained access to credentials that allow authentication to
@@ -40,7 +40,7 @@ those systems or data.
 When you implement strong sign-in workflows, you add another layer of security
 by validating the identity of users before granting access. When you combine
 strong sign-in workflows with [centralized identity 
-management](/secure-systems/identity-access-management/centralize-identity-management),
+management](/well-architected-framework/secure-systems/identity-access-management/centralize-identity-management),
 you have an authentication model that ensures authorized users have access to systems.
 
 HashiCorp tools and services like the HashiCorp Cloud Platform, Vault, and

content/well-architected-framework/docs/docs/secure-systems/identity-access-management/manage-access-lifecycle.mdx

@@ -13,13 +13,24 @@ environment and reduces the risk of unauthorized access.
 
 ## What is access lifecycle management
 
-Access lifecycle management is the process of managing user accounts and their access permissions throughout their lifecycle, from creation to deprovisioning. The management includes onboarding new users, modifying access as roles change, and removing access when it is no longer needed.
+Access lifecycle management is the process of managing user accounts and their
+access permissions throughout their lifecycle, from creation to deprovisioning.
+The management includes onboarding new users, modifying access as roles change,
+and removing access when it is no longer needed.
 
 ## Why manage access lifecycle
 
-Failing to manage identity and access for users and services can lead to incidents, whether malicious or accidental. For example, if a user leaves the organization or changes roles and their account is not deprovisioned, they may still have access to systems and data to which they are not authorized.
+Failing to manage identity and access for users and services can lead to
+incidents, whether malicious or accidental. For example, if a user leaves the
+organization or changes roles and their account is not deprovisioned, they may
+still have access to systems and data to which they are not authorized.
 
-A publishing company in the 2000s let go of one of its system administrators but failed to deprovision their account in an email system that they had not securely managed. The former employee logged in and forwarded thousands of spam emails to employees, causing a significant disruption to their day. By properly managing accounts from creation through deletion, you can avoid incidents caused by unauthorized access.
+A publishing company in the 2000s let go of one of its system administrators but
+failed to deprovision their account in an email system that they had not
+securely managed. The former employee logged in and forwarded thousands of spam
+emails to employees, causing a significant disruption to their day. By properly
+managing accounts from creation through deletion, you can avoid incidents caused
+by unauthorized access.
 
 By [centralizing identity
 management](/well-architected-framework/secure-systems/identity-access-management/centralize-identity-management),
@@ -49,6 +60,30 @@ and [rotating
 secrets](/well-architected-framework/secure-systems/secrets/rotate-secrets)
 builds a strong security foundation for your organization.
 
+HashiCorp Vault fundamentally changes how you manage access lifecycle by
+eliminating long-lived credentials:
+
+- **Dynamic secrets** - Instead of creating permanent credentials during user
+  onboarding, Vault generates temporary credentials on-demand when users need
+  access. These credentials automatically expire, removing the need for manual
+  deprovisioning in many scenarios.
+- **Lease management** - Every secret issued by Vault has an associated lease.
+  When a user’s employment ends or their role changes, revoking their Vault
+  token automatically revokes all associated dynamic credentials across
+  databases, cloud providers, and other systems.
+
+HashiCorp Boundary enforces access lifecycle through just-in-time access
+patterns:
+
+- **Session-based access** - Rather than granting permanent access to
+  infrastructure, Boundary creates temporary sessions. When a session ends,
+  access automatically terminates.
+- **Time-limited targets** - Configure targets with expiration times to
+  automatically deprovision access to specific systems after a defined period.
+- **Identity integration** - Connect Boundary to your identity provider so that
+  when you deprovision a user from the identity provider, they lose the ability to
+  create new sessions to infrastructure resources.
+
 HashiCorp resources:
 
 - [Understand static and dynamic secrets](/vault/tutorials/get-started/understand-static-dynamic-secrets)

content/well-architected-framework/docs/docs/secure-systems/identity-access-management/use-dynamic-credentials.mdx

@@ -1,15 +1,21 @@
 ---
 page_title: Use dynamic credentials
-description: Use dynamic credentials to replace long lived accounts that are not used often to improve security.
+description: Use dynamic credentials to replace long-lived accounts that are not used often to improve security.
 ---
 
 # Use dynamic credentials
 
-Strong identity and access management practices are critical to building a secure environment. While some credentials must always be available, others can be dynamic and short-lived, reducing the risk of exposure while enhancing your security posture.
+Strong identity and access management practices are critical to building a
+secure environment. While some credentials must always be available, others can
+be dynamic and short-lived, reducing the risk of exposure while enhancing your
+security posture.
 
 ## What are dynamic credentials
 
-Dynamic credentials are temporary, short-lived credentials generated on demand and automatically expire after a specified period. The credentials are typically used in scenarios where long-lived credentials are not necessary or pose a security risk.
+Dynamic credentials are temporary, short-lived credentials generated on demand
+and automatically expire after a specified period. The credentials are typically
+used in scenarios where long-lived credentials are not necessary or pose a
+security risk.
 
 <VideoEmbed url="https://www.youtube.com/watch?v=1YNDSCcGbcQ"/>
 
@@ -20,7 +26,10 @@ and users, allowing them to authenticate without exposing their long-term creden
 This approach minimizes the attack surface and reduces the likelihood of
 credential theft or misuse.
 
-When a service needs to connect to another service, such as a database, it requires some method to authenticate. Traditionally, this might be a username and password or an API token. When these credentials are available for an extended period, there is a greater potential for them to become compromised.
+When a service needs to connect to another service, such as a database, it
+requires some method to authenticate. Traditionally, this might be a username
+and password or an API token. When these credentials are available for an
+extended period, there is a greater potential for them to become compromised.
 
 <VideoEmbed url="https://www.youtube.com/watch?v=E9XDfOVNN2U"/>
 
@@ -73,6 +82,6 @@ identity and access management program.
 - [Manage access lifecycle](/well-architected-framework/secure-systems/identity-access-management/manage-access-lifecycle)
 
 In this section of **Identity and access management** you learned how replacing
-long live, static credentials with temporary credentials helps improve security.
+long-lived, static credentials with temporary credentials helps improve security.
 Identity and access management is part of the [Secure
 systems](/well-architected-framework/secure-systems) pillar.