Merge pull request #289 from awslabs/docs/update-terminology

Updated docs with new role/policy nomenclature

README.md

@@ -192,17 +192,17 @@ If the config-helper doesn't provide the level of customization you need for you
 | WEBSITE_BUCKET_NAME                            |                                                                                                                                                                    S3 bucket used to store the static MLSpace website                                                                                                                                                                    |                   `mlspace-website` |
 | MLSPACE_LIFECYCLE_CONFIG_NAME                  |                                                                                                                             Name of the default licycle config that should be used with MLSpace notebooks (will be generated as part of the CDK deployment)                                                                                                                              | `mlspace-notebook-lifecycle-config` |
 | NOTEBOOK_PARAMETERS_FILE_NAME                  |                                                                                                                                               Filename of the default notebook parameters that is generated as part of the CDK deployment                                                                                                                                                |                   `mlspace-website` |
-| PERMISSIONS_BOUNDARY_POLICY_NAME               |                                                                                                      Name of the managed policy used as a permissions boundary for dynamically created MLSpace roles. If this is not set the default permissions boundary will be created and used                                                                                                       |                                   - |
+| PERMISSIONS_BOUNDARY_POLICY_NAME               |                                                                                                      Name of the managed policy used as a permissions boundary for Secure User Scoped Roles. If this is not set the default permissions boundary will be created and used                                                                                                       |                                   - |
 | EXISTING_KMS_MASTER_KEY_ARN                    |                            ARN of existing KMS key to use with MLSpace. This key should allow the roles associated with the `NOTEBOOK_ROLE_ARN`, `APP_ROLE_ARN`, and `SYSTEM_ROLE_ARN` usage of the key. This value takes precedence over `KEY_MANAGER_ROLE_NAME` if both are set. If this property is set you _do not_ need to set `KEY_MANAGER_ROLE_NAME`.                             |                                   - |
 | SYSTEM_TAG                                     |                                                                                                                                       Tag which will be applied to all MLSpace resources created with the AWS account to which MLSpace is deployed                                                                                                                                       |                           `MLSpace` |
-| IAM_RESOURCE_PREFIX                            |                                                                                                                                             Value preprended to MLSpace dynamic roles and policies when `MANAGE_IAM_ROLES` is set to `true`                                                                                                                                              |                           `MLSpace` |
-| MANAGE_IAM_ROLES                               |                                                                                                                                    This setting determines whether or not MLSpace will dynamically create unique roles per project/user combinations.                                                                                                                                    |                              `true` |
+| IAM_RESOURCE_PREFIX                            |                                                                                                                                             Value preprended to MLSpace Secure User Scoped Roles and policies when `MANAGE_IAM_ROLES` is set to `true`                                                                                                                                              |                           `MLSpace` |
+| MANAGE_IAM_ROLES                               |                                                                                                                                    This setting determines whether or not MLSpace will utilize unique roles per project/user combinations                                                                                                                                    |                              `true` |
 | NOTIFICATION_DISTRO                            |                                                                                                                                                            Optional email distribution list which will be notified when <TBD>                                                                                                                                                            |                                   - |
 | EXISTING_VPC_NAME                              |                                                                                                                                 If MLSpace is being deployed into an existing VPC this should be the name of that VPC (must also set `EXISTING_VPC_ID`)                                                                                                                                  |                                   - |
 | EXISTING_VPC_ID                                |                                                                                                                                 If MLSpace is being deployed into an existing VPC this should be the id of that VPC (must also set `EXISTING_VPC_NAME`)                                                                                                                                  |                                   - |
 | EXISTING_VPC_DEFAULT_SECURITY_GROUP            |                                                                                                                                         If MLSpace is being deployed into an existing VPC this should be the default security group of that VPC                                                                                                                                          |                                   - |
 | APP_ROLE_ARN                                   |                                                                                                         Arn of an existing IAM role to use for executing the MLSpace lambdas. This value must be set to an existing role because the default CDK deployment will not create one.                                                                                                         |                                   - |
-| NOTEBOOK_ROLE_ARN                              |                                             Arn of an existing IAM role to associate with all notebooks created in MLSpace. If using dynamic roles based on project/user combinations the specific combination role will be used instead. This value must be set to an existing role because the default CDK deployment will not create one.                                             |                                   - |
+| NOTEBOOK_ROLE_ARN                              |                                             Arn of an existing IAM role to associate with all notebooks created in MLSpace. If using Secure User Scoped Roles based on project/user combinations the specific combination role will be used instead. This value must be set to an existing role because the default CDK deployment will not create one.                                             |                                   - |
 | SYSTEM_ROLE_ARN                                | Arn of an existing IAM role to use for executing the MLSpace system lambdas. System lambdas are responsible for maintaining the MLSpace system by cleaning up resources when a project is suspended or deleted, when a user is suspended, or when services are activated/deactivated. This value must be set to an existing role because the default CDK deployment will not create one. |                                   - |
 | ENDPOINT_CONFIG_INSTANCE_CONSTRAINT_POLICY_ARN |                                                                                                                                  ARN for policy constraining the instance size that can be used when creating Endpoint configurations from a notebook.                                                                                                                                   |                                   - |
 | JOB_INSTANCE_CONSTRAINT_POLICY_ARN             |                                                                                                                                ARN for policy constraining the instance size that can be used when creating HPO/Training/Transform jobs from a notebook.                                                                                                                                 |                                   - |