AWS Security ChangesHomeSearch

AWS singlesignon medium security documentation change

Service: singlesignon · 2025-06-13 · Security-related medium

File: singlesignon/latest/userguide/authconcept.md

Summary

Updated documentation about user access termination timelines and session behaviors when disabling/deleting users or revoking sessions. Added structured tables explaining access revocation timelines for different administrative actions.

Security assessment

The changes clarify critical security implications of user management actions, specifically detailing how long compromised credentials or unauthorized access might remain active after administrative actions. The documentation now explicitly states that IAM role sessions can persist for up to 12 hours after user disablement/deletion, which is crucial for understanding session persistence risks. This constitutes concrete security documentation about access control timelines.

Diff

diff --git a/singlesignon/latest/userguide/authconcept.md b/singlesignon/latest/userguide/authconcept.md
index 2caedea2f..b6004b05c 100644
--- a//singlesignon/latest/userguide/authconcept.md
+++ b//singlesignon/latest/userguide/authconcept.md
@@ -19 +19 @@ When the user uses IAM Identity Center to access the AWS Management Console or A
-IAM Identity Center does not support SAML Single Logout initiated by an identity provider that acts as your identity source, and it does not send SAML Single Logout to SAML applications that use IAM Identity Center as an Identity provider.
+IAM Identity Center does not support SAML Single Logout initiated by an identity provider that acts as your identity source, and it does not send SAML Single Logout to SAML applications that use IAM Identity Center as an identity provider.
@@ -21 +21 @@ IAM Identity Center does not support SAML Single Logout initiated by an identity
-When you disable or delete a user in IAM Identity Center, that user will immediately be prevented from signing in to create new IAM Identity Center sign in sessions. When you revoke a user sign-in session, the user must sign-in again.
+When an IAM Identity Center administrator [deletes](./deleteusers.html) or [disables](./disableuser.html) a user, the user will immediately lose access to the AWS access portal and be prevented from signing back in to start a new application or IAM role session. The user will lose access to existing application sessions within 30 minutes. Any existing IAM role sessions will continue based on the session duration configured in the IAM Identity Center permission set. The maximum session duration can be 12 hours.
@@ -23 +23 @@ When you disable or delete a user in IAM Identity Center, that user will immedia
-When an IAM Identity Center administrator deletes or disables a user, the user will immediately lose access to the AWS access portal. Existing application sessions will lose access within 30 minutes following deletion or being disabled. In some cases, it can take up to 1 hour for existing applications to lose access. 
+When an IAM Identity Center administrator [revokes a user's session](./delete-user-session.html) or when a user signs out, the user will immediately lose access to the AWS access portal and be required to sign back in to start a new application or IAM role session. The user will lose access to existing application sessions within 30 minutes. Any existing IAM role sessions will continue based on the session duration configured in the IAM Identity Center permission set. The maximum session duration can be 12 hours.
@@ -25 +25 @@ When an IAM Identity Center administrator deletes or disables a user, the user w
-Any existing IAM role sessions will continue based on the duration configured in the IAM Identity Center permission set which can be configured up to 12 hours. This behavior also applies when a user session is revoked or the user signs out.
+The following table summarizes the previously described IAM Identity Center behaviors:
@@ -27,14 +27,6 @@ Any existing IAM role sessions will continue based on the duration configured in
-The following table summarizes IAM Identity Center behaviors:
-
-User experience / system behavior | Time after user disabled / deleted | Time after user session revoked / signs out   
----|---|---  
-User can no longer sign in IAM Identity Center | Effective immediately | _Not applicable_  
-User can no longer start new application or IAM role sessions via IAM Identity Center | Effective immediately | Effective immediately  
-User can no longer access any applications (all application sessions are terminated by the administrator or the user signs out) | Up to 30 minutes * | Up to 30 minutes *  
-User can no longer access any AWS accounts through IAM Identity Center | Up to 12 hours (up to 1 hour for IAM Identity Center sign in session expiry, plus up to 12 hours for administrator-configured IAM role session expiry per the IAM Identity Center session duration settings for the permission set) | Up to 12 hours (up to 1 hour for IAM Identity Center sign in session expiry, plus up to 12 hours for administrator-configured IAM role session expiry per the IAM Identity Center session duration settings for the permission set)  
-  
-* In some cases, for example service disruption, it can take up to an hour to lose application access.
-
-For more information about sessions, see [Set session duration for AWS accounts](./howtosessionduration.html).
-
-###### Topics
+Action | User loses IAM Identity Center access | User can't create new application sessions | User can't access existing application sessions | User loses access to existing AWS account sessions  
+---|---|---|---|---  
+User disabled | Effective immediately | Effective immediately | Within 30 minutes | Within 12 hours or lower. Duration depends on IAM role session expiry duration configured for the permission set.  
+User deleted | Effective immediately | Effective immediately | Within 30 minutes | Within 12 hours or lower. Duration depends on IAM role session expiry duration configured for the permission set.  
+User session revoked | User must sign in again to regain access | Effective immediately | Within 30 minutes | Within 12 hours or lower. Duration depends on IAM role session expiry duration configured for the permission set.  
+User signs out | User must sign in again to regain access | Effective immediately | Within 30 minutes | Within 12 hours or lower. Duration depends on IAM role session expiry duration configured for the permission set.  
@@ -41,0 +34 @@ For more information about sessions, see [Set session duration for AWS accounts]
+When an IAM Identity Center administrator [removes application access](./removeaccessfromapp.html), the user will lose access to existing applications. The user's access to existing applications is lost within an hour following application access removal. Any existing IAM role sessions will continue based on the session duration configured in the IAM Identity Center permission set. The maximum session duration can be 12 hours.
@@ -42,0 +36 @@ For more information about sessions, see [Set session duration for AWS accounts]
+The following table summarizes the previously described IAM Identity Center behaviors:
@@ -43,0 +38,5 @@ For more information about sessions, see [Set session duration for AWS accounts]
+Action | User loses IAM Identity Center access  | User can't create new application sessions | User can't access existing application sessions | User loses access to existing AWS account sessions  
+---|---|---|---|---  
+Application or AWS account access removed from user | No - User can continue accessing IAM Identity Center | Effective immediately | Within 1 hour | Within 12 hours or lower. Duration depends on IAM role session expiry duration configured for the permission set.  
+User removed from group that had an assigned application or AWS account | No - User can continue accessing IAM Identity Center | Within 1 hour | Within 2 hours | Within 12 hours or lower. Duration depends on IAM role session expiry duration configured for the permission set.  
+Application or AWS account access removed from group | No - User can continue accessing IAM Identity Center | Effective immediately | Within 1 hour | Within 12 hours or lower. Duration depends on IAM role session expiry duration configured for the permission set.