AWS IAM documentation change
Summary
Updated service integration details for Amazon DataZone and added Multi-party approval section with ABAC condition key guidance
Security assessment
Adds documentation about security controls (ABAC condition keys) and service integrations that support authorization mechanisms. Enhances security documentation but doesn't address a specific vulnerability.
Diff
diff --git a/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.md b/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.md index 40399ce59..75d636b45 100644 --- a//IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.md +++ b//IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.md @@ -150 +150 @@ The AWS services listed below are grouped alphabetically and include information -[Amazon DataZone](https://docs.aws.amazon.com/datazone/latest/userguide/what-is-datazone.html) | Yes | No | No | No | Yes | No +[Amazon DataZone](https://docs.aws.amazon.com/datazone/latest/userguide/security-iam.html) | Yes | Yes | No | Yes | Yes | No @@ -320,0 +321 @@ The AWS services listed below are grouped alphabetically and include information +[Multi-party approval](https://docs.aws.amazon.com/mpa/latest/userguide/security-iam.html) | Yes | Yes | No | Partial (Info) | Yes | No @@ -528,0 +530,13 @@ You can attach a cluster policy to an Amazon MSK cluster that has been configure +### Multi-party approval + +For Multi-party approval identity sources and approval teams, you can use all three ABAC condition keys: `aws:ResourceTag/`key-name``, `aws:RequestTag/`key-name``, and `aws:TagKeys`. + +For sessions, you can only use the `aws:ResourceTag/`key-name`` condition key because: + + * Sessions are not directly taggable resources. + + * Sessions inherit tags from the approval team associated with them. + + + +