AWS Security ChangesHomeSearch

AWS IAM documentation change

Service: IAM · 2025-07-04 · Documentation low

File: IAM/latest/UserGuide/reference_policies_condition-keys.md

Summary

Updated documentation for aws:CalledVia condition key to reference forward access sessions (FAS) and removed service principal list

Security assessment

The change adds documentation about forward access sessions (FAS) which relates to credential delegation patterns. While this explains security-relevant behavior, there's no evidence of addressing a specific vulnerability. The removal of explicit service principal list might impact policy authors but doesn't directly indicate a security fix.

Diff

diff --git a/IAM/latest/UserGuide/reference_policies_condition-keys.md b/IAM/latest/UserGuide/reference_policies_condition-keys.md
index 47eb6dcca..fad3bed31 100644
--- a//IAM/latest/UserGuide/reference_policies_condition-keys.md
+++ b//IAM/latest/UserGuide/reference_policies_condition-keys.md
@@ -1578 +1578 @@ Use the following condition keys to compare details about the request itself and
-Use this key to compare the services in the policy with the services that made requests on behalf of the IAM principal (user or role). When a principal makes a request to an AWS service, that service might use the principal's credentials to make subsequent requests to other services. The `aws:CalledVia` key contains an ordered list of each service in the chain that made requests on the principal's behalf.
+Use this key to compare the services in the policy with the services that made requests on behalf of the IAM principal (user or role). When a principal makes a request to an AWS service, that service might use the principal's credentials to make subsequent requests to other services. When the request is made using forward access sessions (FAS), this key is set with the value of the service principal. The `aws:CalledVia` key contains an ordered list of each service in the chain that made requests on the principal's behalf.
@@ -1580 +1580 @@ Use this key to compare the services in the policy with the services that made r
-For example, you can use AWS CloudFormation to read and write from an Amazon DynamoDB table. DynamoDB then uses encryption supplied by AWS Key Management Service (AWS KMS).
+For more information, see [Forward access sessions](./access_forward_access_sessions.html).
@@ -1591,27 +1591 @@ For example, you can use AWS CloudFormation to read and write from an Amazon Dyn
-To use the `aws:CalledVia` condition key in a policy, you must provide the service principals to allow or deny AWS service requests. AWS supports using the following service principals with `aws:CalledVia`.
-
-Service principal  
----  
-aoss.amazonaws.com  
-athena.amazonaws.com  
-backup.amazonaws.com  
-cloud9.amazonaws.com  
-cloudformation.amazonaws.com  
-databrew.amazonaws.com  
-dataexchange.amazonaws.com  
-dynamodb.amazonaws.com  
-imagebuilder.amazonaws.com  
-kms.amazonaws.com  
-mgn.amazonaws.com  
-nimble.amazonaws.com  
-omics.amazonaws.com  
-ram.amazonaws.com  
-robomaker.amazonaws.com  
-servicecatalog-appregistry.amazonaws.com  
-servicediscovery.amazonaws.com  
-sqlworkbench.amazonaws.com  
-ssm-guiconnect.amazonaws.com  
-  
-###### Note
-
-Using unsupported service principals with this condition key may cause access control failures. Use only supported service principals listed in the documentation.
+To use the `aws:CalledVia` condition key in a policy, you must provide the service principals to allow or deny AWS service requests. For example, you can use AWS CloudFormation to read and write from an Amazon DynamoDB table. DynamoDB then uses encryption supplied by AWS Key Management Service (AWS KMS).