AWS Security ChangesHomeSearch

AWS IAM documentation change

Service: IAM · 2025-06-13 · Documentation low

File: IAM/latest/UserGuide/reference_policies_elements_principal.md

Summary

Updated terminology from 'federated user sessions' to 'federated user principals' and clarified distinctions between federation methods. Adjusted references to session principals to better align with IAM concepts.

Security assessment

The changes primarily improve terminology consistency rather than addressing security vulnerabilities. While they reinforce security best practices (like avoiding root user credentials), there's no evidence of a specific security vulnerability being patched. The updates help clarify security concepts but don't introduce new security documentation.

Diff

diff --git a/IAM/latest/UserGuide/reference_policies_elements_principal.md b/IAM/latest/UserGuide/reference_policies_elements_principal.md
index 0a281c6b9..bd2988025 100644
--- a//IAM/latest/UserGuide/reference_policies_elements_principal.md
+++ b//IAM/latest/UserGuide/reference_policies_elements_principal.md
@@ -62 +62 @@ You can specify any of the following principals in a policy:
-  * Federated user sessions
+  * Federated user principals
@@ -237 +237 @@ You can specify _federated user sessions_ in the `Principal` element of a resour
-AWS recommends that you use AWS STS federated user sessions only when necessary, such as when [root user access is required](https://docs.aws.amazon.com/general/latest/gr/root-vs-iam.html#aws_tasks-that-require-root). Instead, [use roles to delegate permissions](./tutorial_cross-account-with-roles.html).
+AWS recommends that you use AWS STS federated user principals only when necessary, such as when [root user access is required](https://docs.aws.amazon.com/general/latest/gr/root-vs-iam.html#aws_tasks-that-require-root). Instead, [use roles to delegate permissions](./tutorial_cross-account-with-roles.html).
@@ -239 +239 @@ AWS recommends that you use AWS STS federated user sessions only when necessary,
-An AWS STS federated user session principal is created through the `GetFederationToken` operation, but it differs fundamentally from federated role session principals (created via `AssumeRoleWithSAML` or `AssumeRoleWithWebIdentity`). In this case, AWS STS uses [identity federation](https://aws.amazon.com/identity/federation/) as the method to obtain temporary access tokens instead of using IAM roles. Unlike role-based federation methods, `GetFederationToken` requires authentication using user’s AWS long-term credentials before obtaining temporary security credentials. While the operation can be called using either IAM user credentials or AWS account root user credentials, the latter is strongly discouraged for security reasons. For more information, see [Follow best practices to protect your root user credentials](./best-practices.html#lock-away-credentials) in the _IAM User Guide_. 
+An AWS STS federated user principal is created through the `GetFederationToken` operation, but it differs fundamentally from federated role session principals (created via `AssumeRoleWithSAML` or `AssumeRoleWithWebIdentity`). In this case, AWS STS uses [identity federation](https://aws.amazon.com/identity/federation/) as the method to obtain temporary access tokens instead of using IAM roles. Unlike role-based federation methods, `GetFederationToken` requires authentication using user’s AWS long-term credentials before obtaining temporary security credentials. While the operation can be called using either IAM user credentials or AWS account root user credentials, the latter is strongly discouraged for security reasons. For more information, see [Follow best practices to protect your root user credentials](./best-practices.html#lock-away-credentials) in the _IAM User Guide_. 
@@ -245 +245 @@ In AWS, IAM users or an AWS account root user can authenticate using long-term a
-  * **IAM federated user** – An IAM user federates using the `GetFederationToken` operation that results in a federated user session principal for that IAM user.
+  * **IAM federated user** – An IAM user federates using the `GetFederationToken` operation that results in a federated user session for that IAM user.
@@ -247 +247 @@ In AWS, IAM users or an AWS account root user can authenticate using long-term a
-  * **Federated root user** – A root user federates using the `GetFederationToken` operation that results in a federated user session principal for that root user.
+  * **Federated root user** – A root user federates using the `GetFederationToken` operation that results in a federated user session for that root user.