AWS IAM documentation change
Summary
Clarified terminology by changing 'federated user' to 'federated user session' in session policy explanation
Security assessment
The change adds the word 'session' to clarify the temporary nature of federated user credentials. This is a documentation refinement without evidence of addressing a security vulnerability or weakness.
Diff
diff --git a/IAM/latest/UserGuide/id_roles_use_switch-role-api.md b/IAM/latest/UserGuide/id_roles_use_switch-role-api.md index 0a5a18378..1c8b4c7ee 100644 --- a//IAM/latest/UserGuide/id_roles_use_switch-role-api.md +++ b//IAM/latest/UserGuide/id_roles_use_switch-role-api.md @@ -15 +15 @@ To assume a role, an application calls the AWS STS [`AssumeRole`](https://docs.a -When you call [`AssumeRole`](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html), you can optionally pass inline or managed [session policies](./access_policies.html#policies_session). Session policies are advanced policies that you pass as a parameter when you programmatically create a temporary credential session for a role or federated user. You can pass a single JSON inline session policy document using the `Policy` parameter. You can use the `PolicyArns` parameter to specify up to 10 managed session policies. The resulting session's permissions are the intersection of the entity's identity-based policies and the session policies. Session policies are useful when you need to give the role's temporary credentials to someone else. They can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy. To learn more about how AWS determines the effective permissions of a role, see [Policy evaluation logic](./reference_policies_evaluation-logic.html). +When you call [`AssumeRole`](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html), you can optionally pass inline or managed [session policies](./access_policies.html#policies_session). Session policies are advanced policies that you pass as a parameter when you programmatically create a temporary credential session for a role or federated user session. You can pass a single JSON inline session policy document using the `Policy` parameter. You can use the `PolicyArns` parameter to specify up to 10 managed session policies. The resulting session's permissions are the intersection of the entity's identity-based policies and the session policies. Session policies are useful when you need to give the role's temporary credentials to someone else. They can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy. To learn more about how AWS determines the effective permissions of a role, see [Policy evaluation logic](./reference_policies_evaluation-logic.html).