AWS Security ChangesHomeSearch

AWS verified-access medium security documentation change

Service: verified-access · 2025-05-25 · Security-related medium

File: verified-access/latest/ug/user-trust.md

Summary

Added session duration clarification for OIDC trust providers and fixed date formatting

Security assessment

The change introduces a security control by specifying that session duration is limited to 1 day or access token expiration (whichever is shorter) for OIDC trust providers. This directly impacts authentication security by reducing session lifetimes compared to the previous 7-day default.

Diff

diff --git a/verified-access/latest/ug/user-trust.md b/verified-access/latest/ug/user-trust.md
index 8afd10997..ef67267b0 100644
--- a//verified-access/latest/ug/user-trust.md
+++ b//verified-access/latest/ug/user-trust.md
@@ -103 +103,3 @@ The ID token claims from the OIDC trust provider are included in the `addition_u
-With trust providers created on or before February 24 2025, Verified Access does not use trust data from the `ID token` sent by the OIDC provider. Only trust data from the `UserInfo Endpoint` is evaluated against the policy.
+With trust providers created on or before February 24, 2025, Verified Access does not use trust data from the `ID token` sent by the OIDC provider. Only trust data from the `UserInfo Endpoint` is evaluated against the policy.
+
+The session duration for an OIDC trust provider is 1 day or the expiration time in the access token, whichever is shorter. With trust providers created before February 24, 2025, the session duration is 7 days.