AWS Security ChangesHomeSearch

AWS IAM documentation change

Service: IAM · 2025-07-04 · Documentation low

File: IAM/latest/UserGuide/id_users.md

Summary

Added guidance advising against including personally identifying information in IAM user names due to their appearance in ARNs

Security assessment

The change adds security documentation about protecting sensitive information by avoiding PII in IAM names. While not addressing a specific vulnerability, it provides security best practices guidance.

Diff

diff --git a/IAM/latest/UserGuide/id_users.md b/IAM/latest/UserGuide/id_users.md
index 3fcb8d0e2..f653dcf9b 100644
--- a//IAM/latest/UserGuide/id_users.md
+++ b//IAM/latest/UserGuide/id_users.md
@@ -21 +21 @@ When you create an IAM user, IAM creates these ways to identify that user:
-  * A "friendly name" for the IAM user, which is the name that you specified when you created the IAM user, such as `Richard` or `Anaya`. These are the names you see in the AWS Management Console. 
+  * A "friendly name" for the IAM user, which is the name that you specified when you created the IAM user, such as `Richard` or `Anaya`. These are the names you see in the AWS Management Console. Because IAM user names appear in Amazon Resource Names (ARNs), we do not recommend including personally identifying information in the IAM name. Refer to [IAM name requirements](./reference_iam-quotas.html#reference_iam-quotas-names) for requirements and restrictions for IAM names.