AWS Security ChangesHomeSearch

AWS IAM documentation change

Service: IAM · 2025-06-13 · Documentation low

File: IAM/latest/UserGuide/id_credentials_sts-comparison.md

Summary

Updated terminology from 'federated user' to 'AWS STS federated user session' in session policy section, and changed 'SAML 2.0 federated users' to 'SAML 2.0 federated principals' in SSO section

Security assessment

Changes appear to be terminology clarifications rather than security fixes. The updates refine technical accuracy (specifying STS context for federated sessions and using 'principals' as a broader IAM term) but don't address vulnerabilities or introduce new security features.

Diff

diff --git a/IAM/latest/UserGuide/id_credentials_sts-comparison.md b/IAM/latest/UserGuide/id_credentials_sts-comparison.md
index 86ec9618b..fdf4a82fd 100644
--- a//IAM/latest/UserGuide/id_credentials_sts-comparison.md
+++ b//IAM/latest/UserGuide/id_credentials_sts-comparison.md
@@ -23 +23 @@ You can send AWS STS API calls either to a global endpoint or to one of the Regi
-² **Session policy support**. Session policies are policies that you pass as a parameter when you programmatically create a temporary session for a role or federated user. This policy limits the permissions from the role or user's identity-based policy that are assigned to the session. The resulting session's permissions are the intersection of the entity's identity-based policies and the session policies. Session policies cannot be used to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information about role session permissions, see [Session policies](./access_policies.html#policies_session).
+² **Session policy support**. Session policies are policies that you pass as a parameter when you programmatically create a temporary session for a role or AWS STS federated user session. This policy limits the permissions from the role or user's identity-based policy that are assigned to the session. The resulting session's permissions are the intersection of the entity's identity-based policies and the session policies. Session policies cannot be used to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information about role session permissions, see [Session policies](./access_policies.html#policies_session).
@@ -29 +29 @@ You can send AWS STS API calls either to a global endpoint or to one of the Regi
-⁵ **Single sign-on (SSO) to the console**. To support SSO, AWS lets you call a federation endpoint (`https://signin.aws.amazon.com/federation`) and pass temporary security credentials. The endpoint returns a token that you can use to construct a URL that signs a user directly into the console without requiring a password. For more information, see [Enabling SAML 2.0 federated users to access the AWS Management Console](./id_roles_providers_enable-console-saml.html) and [ How to Enable Cross-Account Access to the AWS Management Console](https://aws.amazon.com/blogs/security/how-to-enable-cross-account-access-to-the-aws-management-console) in the AWS Security Blog. 
+⁵ **Single sign-on (SSO) to the console**. To support SSO, AWS lets you call a federation endpoint (`https://signin.aws.amazon.com/federation`) and pass temporary security credentials. The endpoint returns a token that you can use to construct a URL that signs a user directly into the console without requiring a password. For more information, see [Enabling SAML 2.0 federated princpals to access the AWS Management Console](./id_roles_providers_enable-console-saml.html) and [ How to Enable Cross-Account Access to the AWS Management Console](https://aws.amazon.com/blogs/security/how-to-enable-cross-account-access-to-the-aws-management-console) in the AWS Security Blog.