feat: add security checklist

Author: staceysalamon-aiven

docs/platform/concepts/application-users.md

@@ -8,56 +8,14 @@ An application user is a type of user that provides programmatic access to the A
 
 You must be an [organization admin](/docs/platform/concepts/permissions#organization-roles-and-permissions) to access this feature.
 
-## Application user permissions
-
 You [create and manage application users](/docs/platform/howto/manage-application-users)
 at the organization level and you
 [give them access to projects and services](/docs/platform/howto/manage-permissions)
 in the same way as organization users. You can also grant application users the
 organization admin role, giving them full access to your organization,
 its organizational units, projects, services, billing, and other settings.
 
-Unlike organization users, application users can't log in to the Aiven Console and the
-authentication policies don't apply to them.
-
-## Security best practices
-
-Because application users can have the same level of access to projects and services it's
-important to secure these accounts and their tokens to avoid abuse. The
-following are some suggested best practices for using Aiven application users.
-
-### Create dedicated application users for each application
-
-Try to create a different application user for each tool or application. For example, if
-you have an application that needs to connect to services in one of your projects and
-you're using Aiven Terraform Provider in the same project, create two application users. Use
-the description field for each user to clearly indicate what it's used for.
-
-This helps you manage the lifecycle of the users and ensure the access permissions are
-correct for each use case.
-
-### Restrict access to trusted networks
-
-Specify allowed IP address ranges for each token. This prevents tokens from being used
-outside of your trusted networks, reducing the risk of breaches. You can also specify
-these ranges in your organization's
-[authentication policy](/docs/platform/howto/set-authentication-policies), limiting
-all access to the Aiven Platform to these IP addresses, including
-through application tokens.
-
-### Keep tokens secure and rotate them regularly
-
-Make sure tokens are securely stored and only accessible by people who need them. Tokens
-should also be routinely [revoked](/docs/platform/howto/manage-application-users#revoke-a-token-for-an-application-user)
-and replaced with new tokens.
-
-### Delete unused users and tokens
-
-Regularly audit your list of application users to delete unused users. You can view a
-list of your organization's application users and the last time they were used in
-**Admin** > <ConsoleLabel name="Application users"/>. Click
-<ConsoleLabel name="actions"/> > <ConsoleLabel name="view app user profile"/>
-to see a user's tokens.
+Unlike organization users, application users can't log in to the Aiven Console.
 
-You can [delete unused users](/docs/platform/howto/manage-application-users#delete-an-application-user)
-and [revoke specific tokens](/docs/platform/howto/manage-application-users#revoke-a-token-for-an-application-user).
+Follow the [security best practices for application users]
+to keep these account secure.

docs/platform/concepts/orgs-units-projects.md

@@ -89,6 +89,11 @@ the project. The following are some examples of how customers organize their ser
 
 ## Best practices for organizations
 
+The following are recommendations for organizing your resources in the Aiven Platform
+using organizations, organizational units, and projects. Read the
+[security checklist](/docs/platform/reference/security-best-practices) for more
+information on best practices for securing your organization using Aiven features.
+
 ### Small organizations
 
 For smaller organizations that have a limited number of projects and services,

docs/platform/howto/list-identity-providers.md

@@ -1,11 +1,12 @@
 ---
-title: SAML identity providers and verified domains
+title: Identity providers and SAML authentication
 sidebar_label: Identity providers
 ---
 
 Set up single sign-on (SSO) access to Aiven through a Security Assertion Markup Language (SAML) compliant identity provider (IdP). This lets you centrally manage your users in your IdP while giving them a seamless login experience.
 
-Every IdP must be linked to a domain in Aiven. After you
+Every IdP must be linked to a domain in Aiven and you can link each verified domain to
+only one IdP.  After you
 [verify that you own a domain](/docs/platform/howto/manage-domains), the users in your
 organization become managed users, which provides a higher level of security for your
 organization by controlling things like
@@ -15,48 +16,13 @@ With a verified domain you can add an IdP. All users with an email address from
 the verified domain are automatically authenticated with the linked IdP. With
 IdP-initiated SSO enabled, users can log in to Aiven directly from the IdP.
 
-Aiven also supports System for Cross-domain Identity Management (SCIM) for Okta to automatically
-provision, update, and deactivate user identities from your IdP.
+Aiven also supports System for Cross-domain Identity Management (SCIM) for Okta to
+automatically provision, update, and deactivate user identities from your IdP.
 With automatic provisioning you don’t need to manually create organization users.
-
 When adding an IdP you link it to the verified domain
-and can set up SCIM at the same time.
-
-## Limitations
-
-You can link each verified domain to only one IdP. If you set up user provisioning with
+and can set up SCIM at the same time. If you set up user provisioning with
 SCIM, you should only make changes to user details in the IdP.
 
-## Security best practices
-
-It’s recommended to verify your domains in Aiven even if you don’t use SSO. When
-configuring an IdP it's best to enable the following SAML security settings:
-
-- **Require assertion to be signed**: Verifies assertions were issued by a trusted party
-  and have not been tampered with.
-- **Sign authorization request sent to IdP**: Ensures authenticity and integrity with a
-  digital signature.
-
-The [authentication policy](/docs/platform/howto/set-authentication-policies) for the
-organization is also an important component in securing access through an IdP. At a
-minimum, use these settings for your authentication policy:
-
-- Don't allow password authentication
-- Require log in with this organization's identity provider
-
-To limit access further, also consider these authentication policy settings:
-
-- **Don't allow third-party authentication**: This combined with the preceding password and
-  organization identity provider settings ensures that users only log in to the Console
-  with your chosen IdP.
-- **Don't allow users to create personal tokens**: This prevents users from accessing
-  organization resources through the API using a long-lived
-  [personal token](/docs/platform/concepts/authentication-tokens) they created.
-
-If you allow your users to create personal tokens, you can still make these more
-secure by enabling **Require users to be logged in with an allowed
-authentication method**. This means that users cannot access your organization's
-resources with a token they created when logged in with another organization's
-allowed authentication methods or a previously allowed method.
-This setting also gives you the flexibility to change the authentication policy at any
-time because tokens that are no longer compliant with the new policy cannot be used.
+See the [security checklist](/docs/platform/reference/security-best-practices#add-an-identity-provider)
+for best practices for configuring your identity providers and
+organization authentication policy.

docs/platform/howto/manage-application-users.md

@@ -16,7 +16,7 @@ to access this feature.
 
 :::important
  Application users can be a security risk if not carefully managed and monitored. Follow
- [best practices](/docs/platform/concepts/application-users#security-best-practices) for
+ [best practices](/docs/platform/reference/security-best-practices) for
  mitigating these risks.
 :::
 
@@ -72,6 +72,15 @@ More information on this resource and its configuration options are available in
 </TabItem>
 </Tabs>
 
+## View application users and tokens
+
+To view your organization's application users and the last time they
+were used:
+
+1. In your organization, click **Admin**.
+1. Click <ConsoleLabel name="Application users"/>.
+1. Click the name of an application user to view its profile, tokens, and groups.
+
 ## Revoke a token for an application user
 
 1.  Click **Admin** > <ConsoleLabel name="application users"/>.

docs/platform/howto/unsafe-passwords.md

@@ -2,6 +2,8 @@
 title: Change unsafe passwords
 ---
 
+import RelatedPages from "@site/src/components/RelatedPages";
+
 The Aiven Platform checks your email and password combination against a database of exposed credentials every time you log in and change your password.
 
 If Aiven detects an unsafe password,  your login is blocked until you
@@ -12,3 +14,7 @@ You don't need to do anything else, but Aiven recommends every user
 [enable two-factor authentication](/docs/platform/howto/user-2fa).
 Two-factor authentication also needs to be re-enabled after you
 reset or change your password.
+
+<RelatedPages/>
+
+* Get tips for creating secure passwords in the [security checklist](/docs/platform/reference/security-best-practices)