AWS IAM documentation change
Summary
Replaced references to 'federated users' with 'federated principals' and updated explanations to match terminology
Security assessment
The changes standardize terminology but do not modify security controls or address vulnerabilities. The policy logic remains unchanged, only the descriptive text is updated for clarity.
Diff
diff --git a/IAM/latest/UserGuide/reference_policies_examples_s3_federated-home-directory-console.md b/IAM/latest/UserGuide/reference_policies_examples_s3_federated-home-directory-console.md index f04e902ba..6750a5d07 100644 --- a//IAM/latest/UserGuide/reference_policies_examples_s3_federated-home-directory-console.md +++ b//IAM/latest/UserGuide/reference_policies_examples_s3_federated-home-directory-console.md @@ -5 +5 @@ -# Amazon S3: Allows federated users access to their S3 home directory, programmatically and in the console +# Amazon S3: Allows federated users access to their Amazon S3 home directory, programmatically and in the console @@ -7 +7 @@ -This example shows how you might create an identity-based policy that allows federated users to access their own home directory bucket object in S3. The home directory is a bucket that includes a `home` folder and folders for individual federated users. This policy defines permissions for programmatic and console access. To use this policy, replace the `italicized placeholder text` in the example policy with your own information. Then, follow the directions in [create a policy](./access_policies_create.html) or [edit a policy](./access_policies_manage-edit.html). +This example shows how you might create an identity-based policy that allows federated principals to access their own home directory bucket object in S3. The home directory is a bucket that includes a `home` folder and folders for individual federated principals. This policy defines permissions for programmatic and console access. To use this policy, replace the `italicized placeholder text` in the example policy with your own information. Then, follow the directions in [create a policy](./access_policies_create.html) or [edit a policy](./access_policies_manage-edit.html). @@ -9 +9 @@ This example shows how you might create an identity-based policy that allows fed -The `${aws:userid}` variable in this policy resolves to `role-id:specified-name`. The `role-id` part of the federated user ID is a unique identifier assigned to the federated user's role during creation. For more information, see [Unique identifiers](./reference_identifiers.html#identifiers-unique-ids). The `specified-name` is the [RoleSessionName parameter](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html#API_AssumeRoleWithWebIdentity_RequestParameters) passed to the `AssumeRoleWithWebIdentity` request when the federated user assumed their role. +The `${aws:userid}` variable in this policy resolves to `role-id:specified-name`. The `role-id` part of the federated principal ID is a unique identifier assigned to the federated principal's role during creation. For more information, see [Unique identifiers](./reference_identifiers.html#identifiers-unique-ids). The `specified-name` is the [RoleSessionName parameter](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html#API_AssumeRoleWithWebIdentity_RequestParameters) passed to the `AssumeRoleWithWebIdentity` request when the federated principal assumed their role. @@ -11 +11 @@ The `${aws:userid}` variable in this policy resolves to `role-id:specified-name` -You can view the role ID using the AWS CLI command `aws iam get-role --role-name `specified-name``. For example, imagine that you specify the friendly name `John` and the CLI returns the role ID `AROAXXT2NJT7D3SIQN7Z6`. In this case, the federated user ID is `AROAXXT2NJT7D3SIQN7Z6:John`. This policy then allows the federated user John to access the Amazon S3 bucket with prefix `AROAXXT2NJT7D3SIQN7Z6:John`. +You can view the role ID using the AWS CLI command `aws iam get-role --role-name `specified-name``. For example, imagine that you specify the friendly name `John` and the CLI returns the role ID `AROAXXT2NJT7D3SIQN7Z6`. In this case, the federated principal's user ID is `AROAXXT2NJT7D3SIQN7Z6:John`. This policy then allows the federated principal John to access the Amazon S3 bucket with prefix `AROAXXT2NJT7D3SIQN7Z6:John`.