Remove this

Author: jonathanfrappier

content/well-architected-framework/docs/docs/secure-systems/identity-access-management/centralize-identity-management.mdx

@@ -11,9 +11,9 @@ identity management, allowing you to enforce those policies effectively.
 
 There are several ways to grant access to systems. Most systems have built-in
 identity solutions that allow you to create local users and groups. Those users
-and groups only have access to that specific system. While this approach may
-seem secure, it does not scale well and may introduce more security risks than
-centralizing identity management.
+and groups only have access to that specific system. While isolated identity
+management may seem secure, it does not scale well and may introduce more
+security risks than centralizing identity management.
 
 ## What is centralized identity management
 
@@ -25,9 +25,9 @@ integrate the identity provider with other systems and authorize access for thos
 users. Each user has a single username and password, but can access the systems
 required to perform their job.
 
-Compare this to having a local user on your laptop. You can log in to the laptop
-with the local user, but that username and password do not provide access to
-your email or other systems.
+Having individual user accounts on multiple platforms is similar to having a
+local user on your laptop. You can log in to the laptop with the local user, but
+that username and password do not provide access to your email or other systems.
 
 ## Why centralize identity management
 
@@ -37,7 +37,7 @@ authentication (MFA), password complexity, and rotation policies.
 
 From an end user perspective, centralizing identity management provides a
 single sign-on (SSO) experience, allowing users to access the systems they need
-with a single set of credentials. This approach reduces the risk of password
+with a single set of credentials. Using SSO reduces the risk of password
 fatigue and improves security by reducing the number of passwords that users
 need to remember.
 

content/well-architected-framework/docs/docs/secure-systems/identity-access-management/create-permissions-guardrails.mdx

@@ -12,7 +12,7 @@ policies.
 
 Creating policies and enforcing guardrails is the process of translating
 requirements into policies that define what users, applications, and systems can
-do. This process involves converting the requirements for each
+do. Writing effective permissions involves converting the requirements for each
 role or function within your organization when you [defined your access
 requirements](/well-architected-framework/secure-systems/identity-access-management/define-access-requirements)
 into policies for your systems.
@@ -39,10 +39,11 @@ GRANT SELECT ON ALL TABLES IN SCHEMA public TO readonly_user;
 
 </CodeBlockConfig>
 
-The PostgreSQL role `readonly_user` with this permission can select data from
+The PostgreSQL role `readonly_user` with the `SELECT` permission can select data from
 tables, but not write or modify data.
 
-This AWS IAM policy allows read-only access to download files from the "company-reports" S3 bucket.
+An example AWS IAM policy that follows least privilege allows read-only access
+to download files from the "company-reports" S3 bucket.
 
 ```json
 {
@@ -81,9 +82,9 @@ like Active Directory may require scripting the policies in other languages like
 PowerShell to create Group Policy Objects (GPOs).
 
 Terraform helps you manage your policies for supported tools and services,
-allowing you to define, update, and enforce policies as code. This approach
-ensures that your policies are consistent, auditable, and can be version
-controlled.
+allowing you to define, update, and enforce policies as code. Using automation
+to manage policies ensures that your policies are consistent, auditable, and can
+be version controlled.
 
 HashiCorp resources:
 

content/well-architected-framework/docs/docs/secure-systems/identity-access-management/define-access-requirements.mdx

@@ -45,8 +45,9 @@ standards.
 You should also designate a group responsible for staying up-to-date on changes to
 regulations and standards that may affect your access requirements. When
 regulations, standards, or best practices change, you need to update your access
-requirements accordingly. The group responsible for this evangelizes the need for
-strong security practices across your organization.
+requirements accordingly. The group responsible for staying up-to-date on
+regulation updates evangelizes the need for strong security practices across
+your organization.
 
 Documenting and maintaining your access requirements helps you ensure that you
 can meet audit requirements, such as those for SOC 2 or ISO 27001. Auditors will

content/well-architected-framework/docs/docs/secure-systems/identity-access-management/grant-least-privilege.mdx

@@ -15,9 +15,9 @@ you can use that information to write identity and access management (IAM) polic
 ## What is least privilege
 
 Least privilege means that users, applications, and systems have the minimum
-permissions necessary to perform their required tasks. This approach reduces the risk
-of unauthorized access or actions that can compromise the security of your systems
-and [secure
+permissions necessary to perform their required tasks. Following the princple of
+least privilege reduces the risk of unauthorized access or actions that can
+compromise the security of your systems and [secure
 data](/well-architected-framework/secure-systems/data/classify-data).
 
 <VideoEmbed url="https://www.youtube.com/watch?v=PTqVlftfK_U"/>
@@ -50,9 +50,9 @@ have access to the specific resources they need. If a user’s credentials becom
 compromised using least privilege policies, the attacker can access just the
 limited set of resources defined in the policy, reducing the potential damage.
 
-At this stage, you should have identified and collected the access requirements,
+You have now identified and collected the access requirements,
 and used that information to write documentation that follows least privilege.
-Some examples of documentation at this stage include:
+Some examples of documentation to write include:
 
 - Software engineers do not have access to production.
 - Site reliability engineers have access to production, but not permanently.
@@ -75,8 +75,9 @@ services that users need access to, eliminating access to the entire network
 like conventional VPN solutions do.
 
 Terraform helps you manage the policies for Vault and Boundary, allowing you to
-define, update, and enforce policies as code. This approach ensures that your
-policies are consistent, auditable, and can be version controlled.
+define, update, and enforce policies as code. Using automation to manage
+policies ensures that your policies are consistent, auditable, and can be
+version controlled.
 
 HashiCorp resources:
 

content/well-architected-framework/docs/docs/secure-systems/identity-access-management/manage-access-lifecycle.mdx

@@ -35,8 +35,8 @@ by unauthorized access.
 By [centralizing identity
 management](/well-architected-framework/secure-systems/identity-access-management/centralize-identity-management),
 you can streamline the access lifecycle for provisioning and deprovisioning
-users. This allows you to update group membership, reset passwords, or
-deprovision accounts when they are no longer needed.
+users. Centralizing identity management allows you to update group membership,
+reset passwords, or deprovision accounts when they are no longer needed.
 
 When you combine centralized identity management with [dynamic
 credentials](/well-architected-framework/secure-systems/identity-access-management/use-dynamic-credentials),

content/well-architected-framework/docs/docs/secure-systems/identity-access-management/use-dynamic-credentials.mdx

@@ -23,11 +23,11 @@ security risk.
 
 You can generate dynamic credentials for various services, applications,
 and users, allowing them to authenticate without exposing their long-term credentials.
-This approach minimizes the attack surface and reduces the likelihood of
+Using dynamic credentials minimizes the attack surface and reduces the likelihood of
 credential theft or misuse.
 
 When a service needs to connect to another service, such as a database, it
-requires some method to authenticate. Traditionally, this might be a username
+requires some method to authenticate. Traditionally, you might use a username
 and password or an API token. When these credentials are available for an
 extended period, there is a greater potential for them to become compromised.
 
@@ -50,8 +50,8 @@ having to share or expose the credentials.
 <VideoEmbed url="https://www.youtube.com/watch?v=69UFSAIDQgM"/>
 
 HCP Terraform integrates with Vault allowing Terraform to generate dynamic
-credentials during a deployment. This approach allows you to avoid managing
-credentials separately.
+credentials during a deployment. Configuring Terraform to request dynamic
+credentials from Vault allows you to avoid managing static credentials separately.
 
 HashiCorp resources: