AWS IAM documentation change
Summary
Updated terminology from 'federated users' to 'federated principals' and added specificity about SAML/OIDC federation. Clarified trust policy applies to AWS STS federated user principals.
Security assessment
The changes improve accuracy of security documentation by using precise IAM terminology (principals vs users) and specifying supported federation protocols (SAML/OIDC). While this enhances clarity for secure configuration, there's no evidence of addressing a specific vulnerability.
Diff
diff --git a/IAM/latest/UserGuide/introduction_access-management.md b/IAM/latest/UserGuide/introduction_access-management.md index 3d3beef0c..5eb27e76d 100644 --- a//IAM/latest/UserGuide/introduction_access-management.md +++ b//IAM/latest/UserGuide/introduction_access-management.md @@ -5 +5 @@ -Policies and accountsPolicies and usersPolicies and IAM groupsFederated users and rolesIdentity-based and resource-based policies +Policies and accountsPolicies and usersPolicies and IAM groupsFederated user sessions and rolesIdentity-based and resource-based policies @@ -41 +41 @@ IAM users or IAM groups can have multiple policies attached to them that grant d -## Federated users and roles +## Federated user sessions and roles @@ -43 +43 @@ IAM users or IAM groups can have multiple policies attached to them that grant d -Federated users don't have permanent identities in your AWS account the way that IAM users do. To assign permissions to federated users, you can create an entity referred to as a _role_ and define permissions for the role. When a federated user signs in to AWS, the user is associated with the role and is granted the permissions that are defined in the role. For more information, see [Create a role for a third-party identity provider (federation)](./id_roles_create_for-idp.html). +Federated principals don't have permanent identities in your AWS account the way that IAM users do. To assign permissions to federated principals, you can create an entity referred to as a _role_ and define permissions for the role. When a SAMl or OIDC federated principal signs in to AWS, the user is associated with the role and is granted the permissions that are defined in the role. For more information, see [Create a role for a third-party identity provider ](./id_roles_create_for-idp.html). @@ -64 +64 @@ Identity-based policies are permissions policies that you attach to an IAM ident -The IAM service supports one type of resource-based policy called a role _trust policy_ , which you attach to an IAM role. Because an IAM role is both an identity and a resource that supports resource-based policies, you have to attach both a trust policy and an identity-based policy to an IAM role. Trust policies define which principal entities (accounts, users, roles, and federated users) can assume the role. To learn how IAM roles are different from other resource-based policies, see [Cross account resource access in IAM](./access_policies-cross-account-resource-access.html). +The IAM service supports one type of resource-based policy called a role _trust policy_ , which you attach to an IAM role. Because an IAM role is both an identity and a resource that supports resource-based policies, you have to attach both a trust policy and an identity-based policy to an IAM role. Trust policies define which principal entities (accounts, users, roles, and AWS STS federated user principals) can assume the role. To learn how IAM roles are different from other resource-based policies, see [Cross account resource access in IAM](./access_policies-cross-account-resource-access.html).