AWS Security ChangesHomeSearch

AWS IAM documentation change

Service: IAM · 2025-06-13 · Documentation low

File: IAM/latest/UserGuide/reference_policies_evaluation-logic-cross-account.md

Summary

Updated principal type specification from generic 'federated users' to 'AWS STS federated user principals' in cross-account access documentation.

Security assessment

This change adds specificity to principal types but doesn't address a security vulnerability. The update improves documentation accuracy for policy configuration, which could help prevent misconfigurations, but there's no direct evidence of a security issue being resolved.

Diff

diff --git a/IAM/latest/UserGuide/reference_policies_evaluation-logic-cross-account.md b/IAM/latest/UserGuide/reference_policies_evaluation-logic-cross-account.md
index 12b145a2c..1cba339a1 100644
--- a//IAM/latest/UserGuide/reference_policies_evaluation-logic-cross-account.md
+++ b//IAM/latest/UserGuide/reference_policies_evaluation-logic-cross-account.md
@@ -11 +11 @@ You can allow a principal in one account to access resources in a second account
-To allow cross-account access, you attach a resource-based policy to the resource that you want to share. You must also attach an identity-based policy to the identity that acts as the principal in the request. The resource-based policy in the trusting account must specify the principal of the trusted account that will have access to the resource. You can specify the entire account or its IAM users, federated users, IAM roles, or assumed-role sessions. You can also specify an AWS service as a principal. For more information, see [How to specify a principal](./reference_policies_elements_principal.html#Principal_specifying). 
+To allow cross-account access, you attach a resource-based policy to the resource that you want to share. You must also attach an identity-based policy to the identity that acts as the principal in the request. The resource-based policy in the trusting account must specify the principal of the trusted account that will have access to the resource. You can specify the entire account or its IAM users, AWS STS federated user principals, IAM roles, or assumed-role sessions. You can also specify an AWS service as a principal. For more information, see [How to specify a principal](./reference_policies_elements_principal.html#Principal_specifying).