AWS IAM documentation change
Summary
Updated references to 'federated user' to 'federated user principal' and expanded SAML/OIDC federation documentation
Security assessment
The addition of OIDC federation support documentation clarifies security-related features for federated access. While this improves accuracy and expands coverage of security mechanisms, there is no evidence of addressing a specific security vulnerability.
Diff
diff --git a/IAM/latest/UserGuide/reference_policies_condition-keys.md b/IAM/latest/UserGuide/reference_policies_condition-keys.md index 847b0ad7a..8f5c3f17a 100644 --- a//IAM/latest/UserGuide/reference_policies_condition-keys.md +++ b//IAM/latest/UserGuide/reference_policies_condition-keys.md @@ -99 +99 @@ Use this key to compare the [Amazon Resource Name](./reference_identifiers.html# - * AWS STS federated user session + * AWS STS federated user principal @@ -119 +119 @@ AWS recommends that you use [ARN operators](./reference_policies_elements_condit - * **AWS STS federated user sessions** – The request context contains the following value for condition key `aws:PrincipalArn`. + * **AWS STS federated user principals** – The request context contains the following value for condition key `aws:PrincipalArn`. @@ -172 +172 @@ In the following example, access is denied except to principals with the account -Use this key to compare the AWS Organizations path for the principal who is making the request to the path in the policy. That principal can be an IAM user, IAM role, federated user, or AWS account root user. In a policy, this condition key ensures that the requester is an account member within the specified organization root or organizational units (OUs) in AWS Organizations. An AWS Organizations path is a text representation of the structure of an AWS Organizations entity. For more information about using and understanding paths, see [Understand the AWS Organizations entity path](./access_policies_last-accessed-view-data-orgs.html#access_policies_last-accessed-viewing-orgs-entity-path). +Use this key to compare the AWS Organizations path for the principal who is making the request to the path in the policy. That principal can be an IAM user, IAM role, AWS STS federated user principal, or AWS account root user. In a policy, this condition key ensures that the requester is an account member within the specified organization root or organizational units (OUs) in AWS Organizations. An AWS Organizations path is a text representation of the structure of an AWS Organizations entity. For more information about using and understanding paths, see [Understand the AWS Organizations entity path](./access_policies_last-accessed-view-data-orgs.html#access_policies_last-accessed-viewing-orgs-entity-path). @@ -454 +454 @@ Use this key to compare the requester's user name with the user name that you sp -Use the following condition keys to compare properties of the role session at the time the session was generated. These condition keys are only available when a request is made by a principal with role session or federated user credentials. The values for these condition keys are embedded in the role’s session token. +Use the following condition keys to compare properties of the role session at the time the session was generated. These condition keys are only available when a request is made by a principal with role session or federated user principal credentials. The values for these condition keys are embedded in the role’s session token. @@ -2238 +2238 @@ This key should be used carefully. Since the `aws:UserAgent` value is provided b -AWS STS supports [SAML-based federation condition keys](./reference_policies_iam-condition-keys.html#condition-keys-saml) and cross-service condition keys for [OIDC federation](./reference_policies_iam-condition-keys.html#condition-keys-wif). These keys are available when a user who was federated using SAML performs AWS operations in other services. +AWS STS supports [SAML-based federation condition keys](./reference_policies_iam-condition-keys.html#condition-keys-saml) and cross-service condition keys for [OIDC federation](./reference_policies_iam-condition-keys.html#condition-keys-wif). These keys are available when a user who was federated using OIDC or SAML performs AWS operations in other services.