first pr review

Author: cjobermaier

content/well-architected-framework/docs/docs/secure-systems/identity-access-management/centralize-identity-management.mdx

@@ -5,15 +5,9 @@ description: Centralize identity management to manage access and improve securit
 
 # Centralize identity management
 
-Designing and planning policies to manage access is one part of a complete identity
-and access management strategy. Another key part of that strategy is to
-centralize identity management so you can enforce those policies effectively.
+Designing and planning policies to manage access is part of a complete identity and access management strategy. A key part of that strategy is to centralize identity management, allowing you to enforce those policies effectively.
 
-There are several ways to grant access to systems. Most systems have built in
-identity solutions that allow you to create local users and groups. Those users
-and groups only have access to that specific system. While this approach may
-seem like a secure approach, it does not scale well and may introduce more
-security risks than centralizing identity management. 
+There are several ways to grant access to systems. Most systems have built-in identity solutions that allow you to create local users and groups. Those users and groups only have access to that specific system. While this approach may seem secure, it does not scale well and may introduce more security risks than centralizing identity management.
 
 ## What is centralized identity management
 
@@ -25,9 +19,7 @@ integrate the identity provider with other systems and authorize access for thos
 users. Each user has a single username and password, but can access the systems
 required to perform their job.
 
-Compare this to having a local user on your laptop. You can log into the laptop
-with the local user, but that username and password do not provide access to
-your email, or other systems.
+Compare this to having a local user on your laptop. You can log in to the laptop with the local user, but that username and password do not provide access to your email or other systems.
 
 ## Why centralize identity management
 
@@ -73,6 +65,6 @@ identity and access management program.
 - [Use dynamic credentials](/well-architected-framework/secure-systems/identity-access-management/use-dynamic-credentials)
 - [Manage access lifecycle](/well-architected-framework/secure-systems/identity-access-management/manage-access-lifecycle)
 
-In this section of **Identity and access management** you learned the benefits
+In this section of Identity and access management you learned the benefits
 of centralizing identity management. Identity and access management is part of the
 [Secure systems](/well-architected-framework/secure-systems) pillar.

content/well-architected-framework/docs/docs/secure-systems/identity-access-management/create-permissions-guardrails.mdx

@@ -5,7 +5,7 @@ description: Write effective identity and access management (IAM) policies that
 
 # Create permissions and guardrails
 
-Now that you have defined your access requirements, you can begin writing
+Once you have defined your access requirements, you can begin writing
 policies that enforce permissions guardrails by using [least
 privilege](/well-architected-framework/secure-systems/identity-access-management/grant-least-privilege)
 policies.
@@ -23,12 +23,9 @@ Permissions are the specific actions that users, applications, or systems can
 take on resources. Permissions are typically defined in policies and used to
 control access to resources in a system.
 
-You can grant or deny permissions based on a variety of factors, including
-the user's role, group membership, the resource they are attempting to access,
-and the context of the access request. For example, a user may have permission
-to read data from a database, but not to write data to the database.
+You can grant or deny permissions based on various factors, including the user's role, group membership, the resources they access, and the context of the access request. For example, a user may have permission to read data from a database but not to write data to it.
 
-The following is an example of a database permission that follows least privilege:
+The following is an example of a database permission and AWS S3 bucket policy that follows least privilege:
 
 <CodeBlockConfig hideClipboard>
 
@@ -41,6 +38,20 @@ GRANT SELECT ON ALL TABLES IN SCHEMA public TO readonly_user;
 The PostgreSQL role `readonly_user` with this permission can select data from
 tables, but not write or modify data.
 
+This AWS IAM policy allows read-only access to download files from the "company-reports" S3 bucket.
+
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": ["s3:GetObject"],
+            "Resource": "arn:aws:s3:::company-reports/*"
+        }
+        ]
+}
+
 ## Define permissions as code
 
 Where possible, define your permissions in policies as code. Defining

content/well-architected-framework/docs/docs/secure-systems/identity-access-management/define-access-requirements.mdx

@@ -5,11 +5,7 @@ description: Identify and collect requirements to help you identify access requi
 
 # Define access requirements
 
-Defining access requirements for your organization is an important step in
-creating secure systems. Identifying what requirements you need to implement can
-seem overwhelming. There are steps you can take to simplify identifying which
-requirements you need, and collect the necessary documentation to implement the
-access requirements.
+Defining access requirements for your organization is an important step in creating secure systems. Identifying what requirements you need to implement can seem overwhelming. There are steps you can take to simplify identifying the requirements you need and collecting the necessary documentation to implement the access requirements.
 
 ## What are access requirements
 
@@ -31,9 +27,7 @@ for your systems and teams.
 
 ## How to define access requirements
 
-Start with identifying the regulations and standards that apply to your
-organization from both an industry and geographic perspective. These regulations
-often map to specific security practices such as [NIST SP 800-53](https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final) for access
+Start by identifying the regulations and standards that apply to your organization from both an industry and geographic perspective. These regulations often align with specific security practices, such as [NIST SP 800-53](https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final) for access
 control.
 
 Once you have identified and collected the requirements that apply to your
@@ -42,10 +36,10 @@ specific access controls to your systems and teams. Documenting these
 requirements helps you ensure that you are meeting the necessary regulations and
 standards.
 
-You should also create a team responsible for staying up to date on changes to
+You should also designate a group responsible for staying up-to-date on changes to
 regulations and standards that may affect your access requirements. When
 regulations, standards, or best practices change, you need to update your access
-requirements accordingly. The team responsible for this evangelizes the need for
+requirements accordingly. The group responsible for this evangelizes the need for
 strong security practices across your organization.
 
 Documenting and maintaining your access requirements helps you ensure that you
@@ -86,7 +80,7 @@ identity and access management program.
 - [Use dynamic credentials](/well-architected-framework/secure-systems/identity-access-management/use-dynamic-credentials)
 - [Manage access lifecycle](/well-architected-framework/secure-systems/identity-access-management/manage-access-lifecycle)
 
-In this section of **Identity and access management**, you learned the importance
+In this section of Identity and access management, you learned the importance
 of identifying and collecting access requirements from common sources such as
 industry and regulatory standards. Identity and access management is part of the
 [Secure systems](/well-architected-framework/secure-systems) pillar.

content/well-architected-framework/docs/docs/secure-systems/identity-access-management/grant-least-privilege.mdx

@@ -5,7 +5,7 @@ description: Write identity and access management (IAM) policies that follow the
 
 # Grant least privilege
 
-Writing policies is one part of a complete identity and access management
+Writing policies is part of a complete identity and access management
 strategy. Policies should follow the principle of least privilege. 
 
 Once you have identified and collected security requirements to aid in [defining
@@ -39,11 +39,7 @@ While most regulations do not have explicit requirements for least privilege,
 they do require controls that show you have a strong identity and access
 management program.
 
-Consider conventional virtual private network (VPN) solutions; a user connects to
-the VPN and has access to the entire network. If that user’s credentials are
-compromised, an attacker can access everything on the network. A VPN is
-generally unable to follow least privilege because it provides broad access to
-the network.
+Consider conventional virtual private network (VPN) solutions, where a user connects to the VPN and gains access to the entire network. If a user’s credentials are compromised, an attacker can access all data on the network. A VPN is generally unable to follow the principle of least privilege because it provides broad access to the network.
 
 In contrast, a zero trust model with least privilege ensures that users
 have access to the specific resources they need. If a user’s credentials become
@@ -55,10 +51,9 @@ and used that information to write documentation that follows least privilege.
 Some examples of documentation at this stage include:
 
 - Software engineers do not have access to production.
-- Site reliability engineers have access to production, but not on
-  a permanent basis.
+- Site reliability engineers have access to production, but not permanently.
 - Access to production requires approval and multi-factor authentication (MFA)
-- Logging enabled and monitored for access to production.
+- Logging is enabled and monitored for access to production.
 - Centralized authentication and authorization for all services.
 
 HashiCorp tools and services like [Vault](/vault/tutorials/get-started) and
@@ -93,7 +88,7 @@ identity and access management program.
 - [Use dynamic credentials](/well-architected-framework/secure-systems/identity-access-management/use-dynamic-credentials)
 - [Manage access lifecycle](/well-architected-framework/secure-systems/identity-access-management/manage-access-lifecycle)
 
-In this section of **Identity and access management**, you learned the importance
+In this section of Identity and access management, you learned the importance
 of using least privilege in your policies governing access requirements.
 Identity and access management is part of the [Secure
 systems](/well-architected-framework/secure-systems) pillar.

content/well-architected-framework/docs/docs/secure-systems/identity-access-management/implement-strong-sign-in-workflows.mdx

@@ -12,12 +12,7 @@ breaches.
 
 ## What are strong sign-in workflows
 
-Strong sign-in workflows involve a combination of techniques and technologies to
-verify the identity of users before granting access to systems. Strong sign-in
-workflows typically consist of **something you know** - such as a password, and
-**something you have** - like a physical key. Strong sign-in workflows
-include multi-factor authentication (MFA), biometric authentication, and
-adaptive authentication.
+Strong sign-in workflows involve a combination of techniques and technologies to verify a user's identity before granting access to systems. Strong sign-in workflows typically consist of **something you know** - such as a password, and **something you have** - like a physical key. Strong sign-in workflows include multi-factor authentication (MFA), biometric authentication, and adaptive authentication.
 
 <VideoEmbed url="https://www.youtube.com/watch?v=L3alw3iXaio"/>
 
@@ -30,12 +25,9 @@ should not have access to. It does not, however, ensure that unauthorized users
 have not improperly gained access to credentials that allow authentication to
 those systems or data.
 
-When you implement strong sign-in workflows, you add another layer of security
-by validating the identity of users before granting access. When you combine
-strong-sign in workflows with [centralized identity
+When you implement strong sign-in workflows, you add another layer of security by validating the identity of users before granting access. When you combine strong sign-in workflows with [centralized identity
 management](/secure-systems/identity-access-management/centralize-identity-management),
-you have an authentication model that allows you to ensure systems are
-being access by authorized users.
+you have an authentication model that ensures authorized users have access to systems.
 
 HashiCorp tools and services like the HashiCorp Cloud Platform, Vault, and
 HCP Terraform support both centralized identity management and strong sign-in

content/well-architected-framework/docs/docs/secure-systems/identity-access-management/manage-access-lifecycle.mdx

@@ -13,24 +13,13 @@ environment and reduces the risk of unauthorized access.
 
 ## What is access lifecycle management
 
-Access lifecycle management is the process of managing user accounts and their
-access permissions throughout their lifecycle, from creation to deprovisioning.
-This includes onboarding new users, modifying access as roles change, and
-removing access when it is no longer needed.
+Access lifecycle management is the process of managing user accounts and their access permissions throughout their lifecycle, from creation to deprovisioning. The management includes onboarding new users, modifying access as roles change, and removing access when it is no longer needed.
 
 ## Why manage access lifecycle
 
-Failing to manage identity and access for users and services can lead to
-incidents, whether malicious or accidental. For example, if a user leaves the
-organization or changes roles, and their account is not deprovisioned, they may
-still have access to systems and data they are not authorized to access.
-
-A publishing company in the 2000's let go of one of their system
-administrators, but failed to deprovision their account in an email system that
-was not centrally managed. The former employee logged in, and forwarded
-thousands of spam emails to employees, causing a significant disruption
-to their day. By properly managing accounts from creation, through
-deletion, you can avoid incidents caused by unauthorized access.
+Failing to manage identity and access for users and services can lead to incidents, whether malicious or accidental. For example, if a user leaves the organization or changes roles and their account is not deprovisioned, they may still have access to systems and data to which they are not authorized.
+
+A publishing company in the 2000s let go of one of its system administrators but failed to deprovision their account in an email system that they had not securely managed. The former employee logged in and forwarded thousands of spam emails to employees, causing a significant disruption to their day. By properly managing accounts from creation through deletion, you can avoid incidents caused by unauthorized access.
 
 By [centralizing identity
 management](/well-architected-framework/secure-systems/identity-access-management/centralize-identity-management),

content/well-architected-framework/docs/docs/secure-systems/identity-access-management/use-dynamic-credentials.mdx

@@ -5,16 +5,11 @@ description: Use dynamic credentials to replace long lived accounts that are not
 
 # Use dynamic credentials
 
-Strong identity and access management practices are critical to building a secure
-environment. While some credentials need to always be available, some
-credentials can be dynamic and short-lived, reducing the risk of exposure while
-increasing your security posture.
+Strong identity and access management practices are critical to building a secure environment. While some credentials must always be available, others can be dynamic and short-lived, reducing the risk of exposure while enhancing your security posture.
 
 ## What are dynamic credentials
 
-Dynamic credentials are temporary - short-lived credentials, generated on-demand
-and automatically expire after a specified period. They are typically used in
-scenarios where long-lived credentials are not necessary or pose a security risk.
+Dynamic credentials are temporary, short-lived credentials generated on demand and automatically expire after a specified period. The credentials are typically used in scenarios where long-lived credentials are not necessary or pose a security risk.
 
 <VideoEmbed url="https://www.youtube.com/watch?v=1YNDSCcGbcQ"/>
 
@@ -25,11 +20,7 @@ and users, allowing them to authenticate without exposing their long-term creden
 This approach minimizes the attack surface and reduces the likelihood of
 credential theft or misuse.
 
-When a service needs to connect to another service such as a database, it
-requires some method to authenticate. Traditionally, this might be a username
-and password or an API token. When these credentials are available for a long
-period of time, there is a greater potential for those credentials to become
-compromised.
+When a service needs to connect to another service, such as a database, it requires some method to authenticate. Traditionally, this might be a username and password or an API token. When these credentials are available for an extended period, there is a greater potential for them to become compromised.
 
 <VideoEmbed url="https://www.youtube.com/watch?v=E9XDfOVNN2U"/>