AWS IAM documentation change
Summary
Updated terminology from 'users' to 'principals' in SAML documentation and fixed typos
Security assessment
Changes are terminology updates (user->principal) and typo fixes without any security-specific context or vulnerability remediation mentioned. The updates improve clarity but don't directly relate to security features or issues.
Diff
diff --git a/IAM/latest/UserGuide/id_roles_providers_saml.md b/IAM/latest/UserGuide/id_roles_providers_saml.md index 880e80ec1..73a875fa1 100644 --- a//IAM/latest/UserGuide/id_roles_providers_saml.md +++ b//IAM/latest/UserGuide/id_roles_providers_saml.md @@ -46 +46 @@ IAM federation supports these use cases: - * [Enabling SAML 2.0 federated users to access the AWS Management Console](./id_roles_providers_enable-console-saml.html) + * [Enabling SAML 2.0 federated princpals to access the AWS Management Console](./id_roles_providers_enable-console-saml.html) @@ -102 +102 @@ As defined by the [SAML V2.0 Metadata Interoperability Profile Version 1.0](http - 4. In IAM, you create one or more IAM roles. In the role's trust policy, you set the SAML provider as the principal, which establishes a trust relationship between your organization and AWS. The role's permission policy establishes what users from your organization are allowed to do in AWS. For more information, see [Create a role for a third-party identity provider (federation)](./id_roles_create_for-idp.html). + 4. In IAM, you create one or more IAM roles. In the role's trust policy, you set the SAML provider as the principal, which establishes a trust relationship between your organization and AWS. The role's permission policy establishes what users from your organization are allowed to do in AWS. For more information, see [Create a role for a third-party identity provider ](./id_roles_create_for-idp.html). @@ -110 +110 @@ SAML IDPs used in a role trust policy must be in the same account that the role -If your IdP enables SSO to the AWS console, then you can configure the maximum duration of the console sessions. For more information, see [Enabling SAML 2.0 federated users to access the AWS Management Console](./id_roles_providers_enable-console-saml.html). +If your IdP enables SSO to the AWS console, then you can configure the maximum duration of the console sessions. For more information, see [Enabling SAML 2.0 federated princpals to access the AWS Management Console](./id_roles_providers_enable-console-saml.html). @@ -123 +123 @@ For more information, see [AssumeRoleWithSAML](https://docs.aws.amazon.com/STS/l -The roles that you create in IAM define what federated users from your organization are allowed to do in AWS. When you create the trust policy for the role, you specify the SAML provider that you created earlier as the `Principal`. You can additionally scope the trust policy with a `Condition` to allow only users that match certain SAML attributes to access the role. For example, you can specify that only users whose SAML affiliation is `staff` (as asserted by https://openidp.feide.no) are allowed to access the role, as illustrated by the following sample policy: +The roles that you create in IAM define what SAML federated principals from your organization are allowed to do in AWS. When you create the trust policy for the role, you specify the SAML provider that you created earlier as the `Principal`. You can additionally scope the trust policy with a `Condition` to allow only users that match certain SAML attributes to access the role. For example, you can specify that only users whose SAML affiliation is `staff` (as asserted by https://openidp.feide.no) are allowed to access the role, as illustrated by the following sample policy: @@ -175 +175 @@ To write policies that reference user-specific details as part of a resource nam -The combination of `NameQualifier` and `Subject` can be used to uniquely identify a federated user. The following pseudocode shows how this value is calculated. In this pseudocode `+` indicates concatenation, `SHA1` represents a function that produces a message digest using SHA-1, and `Base64` represents a function that produces Base-64 encoded version of the hash output. +The combination of `NameQualifier` and `Subject` can be used to uniquely identify a SAML federated principal. The following pseudocode shows how this value is calculated. In this pseudocode `+` indicates concatenation, `SHA1` represents a function that produces a message digest using SHA-1, and `Base64` represents a function that produces Base-64 encoded version of the hash output.