AWS Security ChangesHomeSearch

AWS singlesignon documentation change

Service: singlesignon · 2025-05-13 · Documentation low

File: singlesignon/latest/userguide/addusers.md

Summary

Added AWS CLI examples and documentation for creating users via CLI/API, including notes about password setup requirements for API/CLI-created users

Security assessment

The change adds documentation about password management processes for API/CLI-created users, emphasizing the need for email verification or manual password sharing. While this relates to security practices, there is no evidence of addressing a specific vulnerability.

Diff

diff --git a/singlesignon/latest/userguide/addusers.md b/singlesignon/latest/userguide/addusers.md
index 111fc69a3..905876d6c 100644
--- a//singlesignon/latest/userguide/addusers.md
+++ b//singlesignon/latest/userguide/addusers.md
@@ -7 +7,4 @@
-Users and groups that you create in your Identity Center directory are available in IAM Identity Center only. Use the following procedure to add users to your Identity Center directory using the IAM Identity Center console. Alternatively, you can call the AWS API operation [CreateUser](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_CreateUser.html) to add users.
+Users and groups that you create in your Identity Center directory are available in IAM Identity Center only. Use the following procedure to add users to your Identity Center directory. Alternatively, you can call the AWS API operation [CreateUser](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_CreateUser.html) to add users.
+
+Console
+    
@@ -21 +24 @@ Users and groups that you create in your Identity Center directory are available
-      1. **Send an email to this user with password setup instructions.** – This option automatically sends the user an email addressed from Amazon Web Services, with the subject line **Invitation to join AWS IAM Identity Center**. The email invites the user on behalf of your company to access the IAM Identity Center AWS access portal, and registers a password. The email invitation will expire in seven days. If this happens, you can resend the email by choosing **Reset password** , and then choosing **Send an email to the user with instructions for resetting the password**. Before the user accepts the invitation, you will see **Send email verification link** , which is meant to verify their email address. However, this step is optional and will disappear after the user accepts the invitation and registers a password.
+      1. **Send an email to this user with password setup instructions** – This option automatically sends the user an email addressed from Amazon Web Services, with the subject line **Invitation to join AWS IAM Identity Center**. The email invites the user on behalf of your company to access the IAM Identity Center AWS access portal, and registers a password. The email invitation will expire in seven days. If this happens, you can resend the email by choosing **Reset password** , and then choosing **Send an email to the user with instructions for resetting the password**. Before the user accepts the invitation, you will see **Send email verification link** , which is meant to verify their email address. However, this step is optional and will disappear after the user accepts the invitation and registers a password.
@@ -29 +32 @@ All emails sent by the IAM Identity Center service will come from either the add
-      2. **Generate a one-time password that you can share with this user.** – This option provides you with the AWS access portal URL and password details that you can manually send to the user from your email address. The user will need to verify their email address. You can initiate the process by choosing **Send email verification link**. The email verification link will expire in seven days. If this happens, you can resend the email verification link by choosing **Reset password** , and then choosing **Generate a one-time password and share the password with the user**.
+      2. **Generate a one-time password that you can share with this user** – This option provides you with the AWS access portal URL and password details that you can manually send to the user from your email address. The user will need to verify their email address. You can initiate the process by choosing **Send email verification link**. The email verification link will expire in seven days. If this happens, you can resend the email verification link by choosing **Reset password** , and then choosing **Generate a one-time password and share the password with the user**.
@@ -53,0 +57,27 @@ All emails sent by the IAM Identity Center service will come from either the add
+AWS CLI
+    
+
+###### To add a user
+
+The following `create-user` command creates a new user in your Identity Center directory. 
+    
+    
+    aws identitystore create-user \
+        --identity-store-id d-1234567890 \
+        --user-name johndoe \
+        --name "GivenName=John,FamilyName=Doe" \
+        --display-name "John Doe" \
+        --emails "Type=work,[email protected]"
+
+Output:
+    
+    
+    {
+        "UserId": "1234567890-abcdef",
+        "IdentityStoreId": "d-1234567890"
+    }
+
+###### Note
+
+When you create users with the `create-user` CLI command or the [CreateUser](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_CreateUser.html) API operation, the users don't have passwords. You can update the settings in IAM Identity Center to send these users a verification email after their first attempt to sign on so they can set up a password. If you don't enable this setting, you must generate a one-time password and share it with the user. For more information, see [Email one-time password to users created with API or CLI](./userswithoutpwd.html).
+