AWS IAM medium security documentation change
Summary
Corrected terminology (e.g., 'users' to 'SAML federated principal'), fixed a misreference to OIDC in SAML context, and updated user references to SAML-specific terms.
Security assessment
The correction of 'OIDC federated users' to 'SAML federated users' in step 9 prevents potential misconfiguration of permissions policies. A misconfigured policy due to incorrect terminology could lead to unintended access, making this a security-relevant documentation fix.
Diff
diff --git a/IAM/latest/UserGuide/id_roles_create_for-idp_saml.md b/IAM/latest/UserGuide/id_roles_create_for-idp_saml.md index cd4b3d05d..aaafe3690 100644 --- a//IAM/latest/UserGuide/id_roles_create_for-idp_saml.md +++ b//IAM/latest/UserGuide/id_roles_create_for-idp_saml.md @@ -23 +23 @@ Before you can create a role for SAML 2.0 federation, you must first complete th - 2. Prepare the policies for the role that the SAML 2.0–authenticated users will assume. As with any role, a role for the SAML federation includes two policies. One is the role trust policy that specifies who can assume the role. The other is the IAM permissions policy that specifies the AWS actions and resources that the federated user is allowed or denied access to. + 2. Prepare the policies for the role that the SAML 2.0–authenticated users will assume. As with any role, a role for the SAML federation includes two policies. One is the role trust policy that specifies who can assume the role. The other is the IAM permissions policy that specifies the AWS actions and resources that the SAML federated principal is allowed or denied access to. @@ -96 +96 @@ The list includes the most commonly used SAML attributes. IAM supports additiona - 9. IAM includes a list of the AWS managed and customer managed policies in your account. Select the policy to use for the permissions policy, or choose **Create policy** to open a new browser tab and create a new policy from scratch. For more information, see [Creating IAM policies](./access_policies_create-console.html#access_policies_create-start). After you create the policy, close that tab and return to your original tab. Select the checkbox next to the permissions policies that you want OIDC federated users to have. If you prefer, you can select no policies at this time, and then attach policies to the role later. By default, a role has no permissions. + 9. IAM includes a list of the AWS managed and customer managed policies in your account. Select the policy to use for the permissions policy, or choose **Create policy** to open a new browser tab and create a new policy from scratch. For more information, see [Creating IAM policies](./access_policies_create-console.html#access_policies_create-start). After you create the policy, close that tab and return to your original tab. Select the checkbox next to the permissions policies that you want SAML federated users to have. If you prefer, you can select no policies at this time, and then attach policies to the role later. By default, a role has no permissions. @@ -119 +119 @@ Open the **Permissions boundary** section and choose **Use a permissions boundar -After you create the role, you complete the SAML trust by configuring your identity provider software with information about AWS. This information includes the roles that you want your federated users to use. This is referred to as configuring the relying party trust between your IdP and AWS. For more information, see [Configure your SAML 2.0 IdP with relying party trust and adding claims](./id_roles_providers_create_saml_relying-party.html). +After you create the role, you complete the SAML trust by configuring your identity provider software with information about AWS. This information includes the roles that you want your SAML federated users to use. This is referred to as configuring the relying party trust between your IdP and AWS. For more information, see [Configure your SAML 2.0 IdP with relying party trust and adding claims](./id_roles_providers_create_saml_relying-party.html).