AWS IAM documentation change
Summary
Updated AWS STS global endpoint documentation to reflect completed changes (changed future tense to present tense) and removed region deployment timeline/details
Security assessment
The changes document operational improvements to STS endpoint routing and remove outdated deployment timelines. While STS is security-related, there's no evidence of addressing a specific vulnerability. The updates focus on current state documentation rather than introducing new security features or mitigating risks.
Diff
diff --git a/IAM/latest/UserGuide/id_credentials_temp_region-endpoints.md b/IAM/latest/UserGuide/id_credentials_temp_region-endpoints.md index f09878436..ed76ba4d4 100644 --- a//IAM/latest/UserGuide/id_credentials_temp_region-endpoints.md +++ b//IAM/latest/UserGuide/id_credentials_temp_region-endpoints.md @@ -11 +11 @@ AWS STS global endpoint changesAWS CloudTrail and Regional endpoints -Starting in early 2025, in AWS Regions that are [enabled by default](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-regions.html), AWS STS requests to the global endpoint (`https://sts.amazonaws.com`) will be automatically served in the same AWS Region as your workloads. These changes will be gradually deployed by mid-2025. These changes will not be deployed to opt-in Regions. We recommend that you use the appropriate AWS STS regional endpoints. For more information, see AWS STS global endpoint changes. +AWS has made changes to the AWS Security Token Service (AWS STS) global endpoint (`https://sts.amazonaws.com`) in Regions [enabled by default](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-regions.html) to enhance its resiliency and performance. AWS STS requests to the global endpoint are automatically served in the same AWS Region as your workloads. These changes will not be deployed to opt-in Regions. We recommend that you use the appropriate AWS STS regional endpoints. For more information, see AWS STS global endpoint changes. @@ -59 +59 @@ South America (São Paulo) | sts.sa-east-1.amazonaws.com | Yes | Yes -AWS is making changes to the AWS Security Token Service (AWS STS) global endpoint (`https://sts.amazonaws.com`) in Regions [enabled by default](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-regions.html) to enhance its resiliency and performance. Previously, all requests to the AWS STS global endpoint were served by a single AWS Region, US East (N. Virginia). Starting in early 2025, requests to the AWS STS global endpoint will automatically be served in the same Region where the request originates, rather than the US East (N. Virginia) Region. These changes will be gradually deployed to all Regions that are enabled by default by mid-2025, starting with the Europe (Stockholm) Region. These changes will not be deployed to opt-in Regions. For more information about which Regions these changes have been deployed to, see AWS STS global endpoint changes deployed Regions. +AWS has made changes to the AWS Security Token Service (AWS STS) global endpoint (`https://sts.amazonaws.com`) in Regions [enabled by default](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-regions.html) to enhance its resiliency and performance. Previously, all requests to the AWS STS global endpoint were served by a single AWS Region, US East (N. Virginia). Now in Regions [enabled by default](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-regions.html), requests to the AWS STS global endpoint are automatically served in the same Region where the request originates, rather than the US East (N. Virginia) Region. These changes will not be deployed to opt-in Regions. @@ -61 +61 @@ AWS is making changes to the AWS Security Token Service (AWS STS) global endpoin -With these changes, AWS STS will process your request based on the originating Region and DNS resolver used. Requests to the AWS STS global endpoint will be served in the same Region as your AWS deployed workload if the DNS request for the AWS STS global endpoint is handled by the Amazon DNS server in Regions that are enabled by default. However, requests to the AWS STS global endpoint will continue to be served in US East (N. Virginia) Region if your request originated from opt-in Regions or if your request was resolved using a DNS resolver other than the Amazon DNS server. For more information about Amazon DNS, see [ Amazon DNS server](https://docs.aws.amazon.com/vpc/latest/userguide/AmazonDNS-concepts.html#AmazonDNS) in the _Amazon Virtual Private Cloud User Guide_. +With this change, AWS STS will process your request based on the originating Region and DNS resolver used. Requests to the AWS STS global endpoint are served in the same Region as your AWS deployed workload if the DNS request for the AWS STS global endpoint is handled by the Amazon DNS server in Regions that are enabled by default. Requests to the AWS STS global endpoint will continue to be served in US East (N. Virginia) Region if your request originated from opt-in Regions or if your request was resolved using a DNS resolver other than the Amazon DNS server. For more information about Amazon DNS, see [ Amazon DNS server](https://docs.aws.amazon.com/vpc/latest/userguide/AmazonDNS-concepts.html#AmazonDNS) in the _Amazon Virtual Private Cloud User Guide_. @@ -63 +63 @@ With these changes, AWS STS will process your request based on the originating R -The following table shows how requests to the AWS STS global endpoint will be routed based on your DNS provider. +The following table shows how requests to the AWS STS global endpoint are routed based on your DNS provider. @@ -73 +73 @@ To ensure minimal disruption to your existing processes, AWS has implemented the - * AWS CloudTrail logs for requests made to the AWS STS global endpoint will be sent to the US East (N. Virginia) Region. CloudTrail logs for requests served by AWS STS Regional endpoints will continue to be logged to their respective Region in CloudTrail. + * AWS CloudTrail logs for requests made to the AWS STS global endpoint are sent to the US East (N. Virginia) Region. CloudTrail logs for requests served by AWS STS Regional endpoints will continue to be logged to their respective Region in CloudTrail. @@ -75 +75 @@ To ensure minimal disruption to your existing processes, AWS has implemented the - * CloudTrail logs for operations performed by the AWS STS global endpoint and Regional endpoints will have additional fields `endpointType` and `awsServingRegion` to indicate which endpoint and Region served the request. For CloudTrail log examples, see [Example AWS STS API event using the global endpoint in CloudTrail log file](./cloudtrail-integration.html#stscloudtrailexample-assumerole-sts-global-endpoint). + * CloudTrail logs for operations performed by the AWS STS global endpoint and Regional endpoints have additional fields `endpointType` and `awsServingRegion` to indicate which endpoint and Region served the request. For CloudTrail log examples, see [Example AWS STS API event using the global endpoint in CloudTrail log file](./cloudtrail-integration.html#stscloudtrailexample-assumerole-sts-global-endpoint). @@ -77 +77 @@ To ensure minimal disruption to your existing processes, AWS has implemented the - * Requests made to the AWS STS global endpoint will have a value of `us-east-1` for the `aws:RequestedRegion` condition key, regardless of which Region served the request. + * Requests made to the AWS STS global endpoint have a value of `us-east-1` for the `aws:RequestedRegion` condition key, regardless of which Region served the request. @@ -79 +79 @@ To ensure minimal disruption to your existing processes, AWS has implemented the - * Requests handled by the AWS STS global endpoint will not share a requests per second quota with Regional AWS STS endpoints. + * Requests handled by the AWS STS global endpoint do not share a requests per second quota with Regional AWS STS endpoints. @@ -86,27 +85,0 @@ If you have workloads in an opt-in Region and are still using the AWS STS global -### AWS STS global endpoint changes deployed Regions - -The AWS STS global endpoint changes described in the prior section will gradually be rolled out only to Regions enabled by default by mid-2025. These changes have been deployed to the following Regions enabled by default: - - * US East (Ohio) — `us-east-2` - - * US West (Oregon) — `us-west-2` - - * Asia Pacific (Mumbai) — `ap-south-1` - - * Asia Pacific (Osaka) — `ap-northeast-3` - - * Asia Pacific (Seoul) — `ap-northeast-2` - - * Asia Pacific (Tokyo) — `ap-northeast-1` - - * Europe (Frankfurt) — `eu-central-1` - - * Europe (Ireland) — `eu-west-1` - - * Europe (London) — `eu-west-2` - - * Europe (Stockholm) — `eu-north-1` - - - -