AWS IAM documentation change
Summary
Updated terminology to specify AWS STS federated user sessions, OIDC/SAML federated principals, and clarify STS-related operations. Added explicit references to AWS STS in multiple sections.
Security assessment
The changes improve clarity about AWS Security Token Service (STS) operations and federation methods (OIDC/SAML), which helps users configure permissions more accurately. While this enhances security documentation by reducing ambiguity, there is no evidence of addressing a specific security vulnerability.
Diff
diff --git a/IAM/latest/UserGuide/id_credentials_temp_control-access_enable-create.md b/IAM/latest/UserGuide/id_credentials_temp_control-access_enable-create.md index 4aec82f08..512433582 100644 --- a//IAM/latest/UserGuide/id_credentials_temp_control-access_enable-create.md +++ b//IAM/latest/UserGuide/id_credentials_temp_control-access_enable-create.md @@ -7 +7 @@ -By default, IAM users do not have permission to create temporary security credentials for federated users and roles. You must use a policy to provide your users with these permissions. Although you can grant permissions directly to a user, we strongly recommend that you grant permissions to a group. This makes management of the permissions much easier. When someone no longer needs to perform the tasks associated with the permissions, you simply remove them from the group. If someone else needs to perform that task, add them to the group to grant the permissions. +By default, IAM users do not have permission to create temporary security credentials for AWS STS federated user sessions and roles. You must use a policy to provide your users with these permissions. Although you can grant permissions directly to a user, we strongly recommend that you grant permissions to a group. This makes management of the permissions much easier. When someone no longer needs to perform the tasks associated with the permissions, you simply remove them from the group. If someone else needs to perform that task, add them to the group to grant the permissions. @@ -9 +9 @@ By default, IAM users do not have permission to create temporary security creden -To grant an IAM group permission to create temporary security credentials for federated users or roles, you attach a policy that grants one or both of the following privileges: +To grant an IAM group permission to create temporary security credentials for AWS STS federated user sessions or roles, you attach a policy that grants one or both of the following privileges: @@ -11 +11 @@ To grant an IAM group permission to create temporary security credentials for fe - * For federated users to access an IAM role, grant access to AWS STS `AssumeRole`. + * For OIDC and SAML federated principals to access an IAM role, grant access to AWS STS `AssumeRole`. @@ -13 +13 @@ To grant an IAM group permission to create temporary security credentials for fe - * For federated users that don't need a role, grant access to AWS STS `GetFederationToken`. + * For AWS STS federated users that don't need a role, grant access to AWS STS `GetFederationToken`. @@ -52 +52 @@ The following example policy grants permission to access `GetFederationToken`. -When you give IAM users permission to create temporary security credentials for federated users with `GetFederationToken`, be aware that this permits those users to delegate their own permissions. For more information about delegating permissions across IAM users and AWS accounts, see [Examples of policies for delegating access](./id_roles_create_policy-examples.html). For more information about controlling permissions in temporary security credentials, see [Permissions for temporary security credentials](./id_credentials_temp_control-access.html). +When you give IAM users permission to create temporary security credentials for AWS STS federated users with `GetFederationToken`, be aware that this permits those users to delegate their own permissions. For more information about delegating permissions across IAM users and AWS accounts, see [Examples of policies for delegating access](./id_roles_create_policy-examples.html). For more information about controlling permissions in temporary security credentials, see [Permissions for temporary security credentials](./id_credentials_temp_control-access.html). @@ -56 +56 @@ When you give IAM users permission to create temporary security credentials for -When you let an IAM user call `GetFederationToken`, it is a best practice to restrict the permissions that the IAM user can delegate. For example, the following policy shows how to let an IAM user create temporary security credentials only for federated users whose names start with _Manager_. +When you let an IAM user call `GetFederationToken`, it is a best practice to restrict the permissions that the IAM user can delegate. For example, the following policy shows how to let an IAM user create temporary security credentials only for AWS STS federated users whose names start with _Manager_.