AWS IAM documentation change
Summary
Updated terminology from 'federated users' to 'federated principals', added OIDC/SAML references, and clarified credential types for federated access
Security assessment
Changes emphasize temporary credential usage and federation best practices, but do not address a specific security vulnerability. The updates improve accuracy of security documentation by clarifying federated identity types and credential management.
Diff
diff --git a/IAM/latest/UserGuide/introduction_identity-management.md b/IAM/latest/UserGuide/introduction_identity-management.md index 626b53461..b943b8e2d 100644 --- a//IAM/latest/UserGuide/introduction_identity-management.md +++ b//IAM/latest/UserGuide/introduction_identity-management.md @@ -63 +63 @@ The IAM resource that's authorized in policies to perform actions and to access -An AWS account root user, IAM user or an IAM role that can make a request for an action or operation on an AWS resource. Principals include human users, workloads, federated users and assumed roles. After authentication, IAM grants the principal either permanent or temporary credentials to make requests to AWS, depending on the principal type. +An AWS account root user, IAM user or an IAM role that can make a request for an action or operation on an AWS resource. Principals include human users, workloads, federated principals, and assumed roles. After authentication, IAM grants the principal either permanent or temporary credentials to make requests to AWS, depending on the principal type. @@ -69 +69 @@ _Workloads_ are a collection of resources and code that delivers business value, -_Federated users_ are users whose identity and credentials are managed by another identity provider, such as Active Directory, Okta, or Microsoft Entra. +_Federated princiapls_ are users whose identity and credentials are managed by another identity provider, such as Active Directory, Okta, or Microsoft Entra. @@ -73 +73 @@ _IAM roles_ are an IAM identity that you can create in your account that has spe -IAM grants IAM users and the root user long-term credentials and IAM roles temporary credentials. Federated users and users in AWS IAM Identity Center assume IAM roles when they sign-in to AWS, which grants them temporary credentials. As a [best practice](./best-practices.html), we recommend that you require human users and workloads to access AWS resources using temporary credentials. +IAM grants IAM users and the root user long-term credentials and IAM roles temporary credentials. users in AWS IAM Identity Center, OIDC and SAML federated principals assume IAM roles when they sign-in to AWS, which grants them temporary credentials. As a [best practice](./best-practices.html), we recommend that you require human users and workloads to access AWS resources using temporary credentials. @@ -91 +91 @@ The main difference between these two types of users is that users in IAM Identi -If the users in your organization are already authenticated when they sign in to your corporate network, you don't have to create separate IAM users or users in IAM Identity Center for them. Instead, you can _federate_ those user identities into AWS using either IAM or AWS IAM Identity Center. Federated users assume an IAM role that gives them permissions to access specific resources. For more information about roles, see [Roles terms and concepts](./id_roles.html#id_roles_terms-and-concepts). +If the users in your organization are already authenticated when they sign in to your corporate network, you don't have to create separate IAM users or users in IAM Identity Center for them. Instead, you can _federate_ those user identities into AWS using either IAM or AWS IAM Identity Center. OIDC and SAML federated principals assume an IAM role that gives them permissions to access specific resources. For more information about roles, see [Roles terms and concepts](./id_roles.html#id_roles_terms-and-concepts). @@ -93 +93 @@ If the users in your organization are already authenticated when they sign in to - + @@ -125 +125 @@ Single sign-on access for people, such as your workforce users, to AWS resources -Federated access for human users, such as your workforce users, to AWS services using IAM identity providers (IdPs) | IAM supports IdPs that are compatible with OpenID Connect (OIDC) or SAML 2.0 (Security Assertion Markup Language 2.0). After you create an IAM identity provider, create one or more IAM roles that can be dynamically assigned to a federated user. | For more information about IAM identity providers and federation, see [Identity providers and federation](./id_roles_providers.html). +Federated access for human users, such as your workforce users, to AWS services using IAM identity providers (IdPs) | IAM supports IdPs that are compatible with OpenID Connect (OIDC) or SAML 2.0 (Security Assertion Markup Language 2.0). After you create an IAM identity provider, create one or more IAM roles that can be dynamically assigned to a federated principal. | For more information about IAM identity providers and federation, see [Identity providers and federation](./id_roles_providers.html). @@ -154 +154 @@ IAM users | Use long-term credentials to sign programmatic requests to the AWS C -Federated users | Use an AWS STS API operation to create a new session with temporary security credentials that include an access key pair and a session token. | For explanations of the API operations, see [Request temporary security credentials](./id_credentials_temp_request.html) +Federated principals | Use an AWS STS API operation to create a new session with temporary security credentials that include an access key pair and a session token. | For explanations of the API operations, see [Request temporary security credentials](./id_credentials_temp_request.html)