AWS Security ChangesHomeSearch

AWS IAM documentation change

Service: IAM · 2025-06-19 · Documentation low

File: IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.md

Summary

Updated service integration details for Amazon DataZone and added Multi-party approval section with ABAC condition key guidance

Security assessment

Adds documentation about security controls (ABAC condition keys) and service integrations that support authorization mechanisms. Enhances security documentation but doesn't address a specific vulnerability.

Diff

diff --git a/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.md b/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.md
index 40399ce59..75d636b45 100644
--- a//IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.md
+++ b//IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.md
@@ -150 +150 @@ The AWS services listed below are grouped alphabetically and include information
-[Amazon DataZone](https://docs.aws.amazon.com/datazone/latest/userguide/what-is-datazone.html) |  Yes |  No |  No |  No |  Yes |  No  
+[Amazon DataZone](https://docs.aws.amazon.com/datazone/latest/userguide/security-iam.html) |  Yes |  Yes |  No |  Yes |  Yes |  No  
@@ -320,0 +321 @@ The AWS services listed below are grouped alphabetically and include information
+[Multi-party approval](https://docs.aws.amazon.com/mpa/latest/userguide/security-iam.html) |  Yes |  Yes |  No |  Partial (Info) |  Yes |  No  
@@ -528,0 +530,13 @@ You can attach a cluster policy to an Amazon MSK cluster that has been configure
+### Multi-party approval
+
+For Multi-party approval identity sources and approval teams, you can use all three ABAC condition keys: `aws:ResourceTag/`key-name``, `aws:RequestTag/`key-name``, and `aws:TagKeys`.
+
+For sessions, you can only use the `aws:ResourceTag/`key-name`` condition key because:
+
+  * Sessions are not directly taggable resources.
+
+  * Sessions inherit tags from the approval team associated with them.
+
+
+
+