AWS IAM documentation change
Summary
Added multiple JSON policy examples with SAML condition keys and China region references
Security assessment
Adds documentation examples of security-focused SAML assertions including 'saml:aud' validation and persistent session conditions, but doesn't fix vulnerabilities.
Diff
diff --git a/IAM/latest/UserGuide/id_roles_providers_saml.md b/IAM/latest/UserGuide/id_roles_providers_saml.md index d235f03b2..be3fdd835 100644 --- a//IAM/latest/UserGuide/id_roles_providers_saml.md +++ b//IAM/latest/UserGuide/id_roles_providers_saml.md @@ -124,0 +125,6 @@ The roles that you create in IAM define what SAML federated principals from your +JSON + + +**** + + @@ -134 +140,25 @@ The roles that you create in IAM define what SAML federated principals from your - "saml:aud": "https://us-west-2.signin.aws.amazon.com/saml", + "saml:aud": "https://.signin.aws.amazon.com/saml", + "saml:iss": "https://openidp.feide.no" + }, + "ForAllValues:StringLike": {"saml:edupersonaffiliation": ["staff"]} + } + }] + } + + +JSON + + +**** + + + + { + "Version": "2012-10-17", + "Statement": [{ + "Effect": "Allow", + "Principal": {"Federated": "arn:aws-cn:iam::account-id:saml-provider/ExampleOrgSSOProvider"}, + "Action": "sts:AssumeRoleWithSAML", + "Condition": { + "StringEquals": { + "saml:aud": "https://ap-east-1.signin.amazonaws.cn/saml", @@ -189,0 +221,6 @@ The following example shows a permission policy that uses the preceding keys to +JSON + + +**** + + @@ -207,0 +245,26 @@ The following example shows a permission policy that uses the preceding keys to + +JSON + + +**** + + + + { + "Version": "2012-10-17", + "Statement": { + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:PutObject", + "s3:DeleteObject" + ], + "Resource": [ + "arn:aws-cn:s3:::amzn-s3-demo-bucket-org-data/backup/${saml:namequalifier}/${saml:sub}", + "arn:aws-cn:s3:::amzn-s3-demo-bucket-org-data/backup/${saml:namequalifier}/${saml:sub}/*" + ], + "Condition": {"StringEquals": {"saml:sub_type": "persistent"}} + } + } + +