AWS IAM documentation change
Summary
Updated terminology from 'federated user' to 'AWS STS federated user principal' in session policy documentation
Security assessment
The changes clarify terminology around STS federated user principals but do not address any specific security vulnerability or weakness. This appears to be documentation precision improvement rather than security-related.
Diff
diff --git a/IAM/latest/UserGuide/access_policies.md b/IAM/latest/UserGuide/access_policies.md index b7c99d989..b4aed6176 100644 --- a//IAM/latest/UserGuide/access_policies.md +++ b//IAM/latest/UserGuide/access_policies.md @@ -83 +83 @@ Access control lists (ACLs) are service policies that allow you to control which -Session policies are advanced policies that you pass as a parameter when you programmatically create a temporary session for a role or federated user. The permissions for a session are the intersection of the identity-based policies for the IAM entity (user or role) used to create the session and the session policies. Permissions can also come from a resource-based policy. An explicit deny in any of these policies overrides the allow. +Session policies are advanced policies that you pass as a parameter when you programmatically create a temporary session for a role or an AWS STS federated user principal. The permissions for a session are the intersection of the identity-based policies for the IAM entity (user or role) used to create the session and the session policies. Permissions can also come from a resource-based policy. An explicit deny in any of these policies overrides the allow. @@ -87 +87 @@ You can create role session and pass session policies programmatically using the -When you create a federated user session, you use the access keys of the IAM user to programmatically call the `GetFederationToken` API operation. You must also pass session policies. The resulting session's permissions are the intersection of the identity-based policy and the session policy. For more information about creating a federated user session, see [Requesting credentials through a custom identity broker](./id_credentials_temp_request.html#api_getfederationtoken). +When you create an AWS STS federated user principal session, you use the access keys of the IAM user to programmatically call the `GetFederationToken` API operation. You must also pass session policies. The resulting session's permissions are the intersection of the identity-based policy and the session policy. For more information about creating a federated user session, see [Requesting credentials through a custom identity broker](./id_credentials_temp_request.html#api_getfederationtoken). @@ -138 +138 @@ The information in a statement is contained within a series of elements. - * **Principal** (Required in some circumstances) – If you create a resource-based policy, you must indicate the account, user, role, or federated user to which you would like to allow or deny access. If you are creating an IAM permissions policy to attach to a user or role, you cannot include this element. The principal is implied as that user or role. + * **Principal** (Required in some circumstances) – If you create a resource-based policy, you must indicate the account, user, role, or AWS STS federated user principal to which you would like to allow or deny access. If you are creating an IAM permissions policy to attach to a user or role, you cannot include this element. The principal is implied as that user or role.