AWS IAM documentation change
Summary
Updated terminology from 'federated user' to 'AWS STS federated user session' in session policy section, and changed 'SAML 2.0 federated users' to 'SAML 2.0 federated principals' in SSO section
Security assessment
Changes appear to be terminology clarifications rather than security fixes. The updates refine technical accuracy (specifying STS context for federated sessions and using 'principals' as a broader IAM term) but don't address vulnerabilities or introduce new security features.
Diff
diff --git a/IAM/latest/UserGuide/id_credentials_sts-comparison.md b/IAM/latest/UserGuide/id_credentials_sts-comparison.md index 86ec9618b..fdf4a82fd 100644 --- a//IAM/latest/UserGuide/id_credentials_sts-comparison.md +++ b//IAM/latest/UserGuide/id_credentials_sts-comparison.md @@ -23 +23 @@ You can send AWS STS API calls either to a global endpoint or to one of the Regi -² **Session policy support**. Session policies are policies that you pass as a parameter when you programmatically create a temporary session for a role or federated user. This policy limits the permissions from the role or user's identity-based policy that are assigned to the session. The resulting session's permissions are the intersection of the entity's identity-based policies and the session policies. Session policies cannot be used to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information about role session permissions, see [Session policies](./access_policies.html#policies_session). +² **Session policy support**. Session policies are policies that you pass as a parameter when you programmatically create a temporary session for a role or AWS STS federated user session. This policy limits the permissions from the role or user's identity-based policy that are assigned to the session. The resulting session's permissions are the intersection of the entity's identity-based policies and the session policies. Session policies cannot be used to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information about role session permissions, see [Session policies](./access_policies.html#policies_session). @@ -29 +29 @@ You can send AWS STS API calls either to a global endpoint or to one of the Regi -⁵ **Single sign-on (SSO) to the console**. To support SSO, AWS lets you call a federation endpoint (`https://signin.aws.amazon.com/federation`) and pass temporary security credentials. The endpoint returns a token that you can use to construct a URL that signs a user directly into the console without requiring a password. For more information, see [Enabling SAML 2.0 federated users to access the AWS Management Console](./id_roles_providers_enable-console-saml.html) and [ How to Enable Cross-Account Access to the AWS Management Console](https://aws.amazon.com/blogs/security/how-to-enable-cross-account-access-to-the-aws-management-console) in the AWS Security Blog. +⁵ **Single sign-on (SSO) to the console**. To support SSO, AWS lets you call a federation endpoint (`https://signin.aws.amazon.com/federation`) and pass temporary security credentials. The endpoint returns a token that you can use to construct a URL that signs a user directly into the console without requiring a password. For more information, see [Enabling SAML 2.0 federated princpals to access the AWS Management Console](./id_roles_providers_enable-console-saml.html) and [ How to Enable Cross-Account Access to the AWS Management Console](https://aws.amazon.com/blogs/security/how-to-enable-cross-account-access-to-the-aws-management-console) in the AWS Security Blog.