AWS singlesignon documentation change
Summary
Updated documentation with detailed CloudTrail event examples and error scenarios for SCIM API operations. Enhanced error message explanations and added troubleshooting guidance.
Security assessment
The changes improve documentation around CloudTrail logging for SCIM operations, which supports security monitoring and auditing capabilities. While this enhances security visibility, there's no evidence of addressing a specific vulnerability. The token rotation note (pre-Sept 2024) appears to be a general maintenance requirement rather than a security patch.
Diff
diff --git a/singlesignon/latest/userguide/scim-logging-using-cloudtrail.md b/singlesignon/latest/userguide/scim-logging-using-cloudtrail.md index 0a61604f2..8d5ac8186 100644 --- a//singlesignon/latest/userguide/scim-logging-using-cloudtrail.md +++ b//singlesignon/latest/userguide/scim-logging-using-cloudtrail.md @@ -5 +5 @@ -ExamplesCommon Error Messages +Example CloudTrail eventsCommon SCIM API validation errors in IAM Identity Center @@ -13 +13 @@ ExamplesCommon Error Messages -CloudTrail is enabled on your AWS account when you create the account. However, you may need to rotate your access token to be able to see events from SCIM, if your token was created prior to September 2024. +CloudTrail is enabled on your AWS account when you create the account. However, you might need to rotate your access token to see events from SCIM, if your token was created prior to September 2024. @@ -52 +52 @@ SCIM supports logging for the following operations as events in CloudTrail: -## Examples +## Example CloudTrail events @@ -54 +54 @@ SCIM supports logging for the following operations as events in CloudTrail: -The following are some examples of CloudTrail events. +The following examples demonstrate typical CloudTrail event logs generated during SCIM operations with IAM Identity Center. These examples show the structure and content of events for successful operations and common error scenarios, helping you understand how to interpret CloudTrail logs when troubleshooting SCIM provisioning issues. @@ -56 +56,3 @@ The following are some examples of CloudTrail events. -**Example 1:** Event from a successful `CreateUser` call. +### Successful `CreateUser` operation + +This CloudTrail event shows a successful `CreateUser` operation performed through the SCIM API. The event captures both the request parameters (with sensitive information masked) and the response elements, including the newly-created user's ID. This type of event is generated when an identity provider successfully provisions a new user to IAM Identity Center using the SCIM protocol. @@ -117 +119,3 @@ The following are some examples of CloudTrail events. -**Example 2:** Event from `PatchGroup` resulting in `Missing path in PATCH request` error message due to missing path. +### Failed `PatchGroup` operation: Missing required path attribute + +This CloudTrail event shows a failed `PatchGroup` operation that resulted in a `ValidationException` with the error message `"Missing path in PATCH request"`. The error occurred because the `PATCH` operation requires a path attribute to specify which group attribute to modify, but this attribute was missing from the request. @@ -164 +168,3 @@ The following are some examples of CloudTrail events. -**Example 3:** Event from `CreateGroup` call resulting in `Duplicate GroupDisplayName` error message as the name of the group that's trying to be created exists. +### Failed `CreateGroup` operation: Group name already exists + +This CloudTrail event shows a failed `CreateGroup` operation that resulted in a `ConflictException` with the error message `"Duplicate GroupDisplayName"`. This error occurs when attempting to create a group with a display name that already exists in IAM Identity Center. The identity provider must use a unique group name or update the existing group instead of creating a new one. @@ -202 +208,3 @@ The following are some examples of CloudTrail events. -**Example 4:** Event from `PatchUser` call resulting in an `List attribute emails exceeds allowed limit of 1 error` error message. Users can only have one email address. +### Failed `PatchUser` operation: Multiple email addresses not supported + +This CloudTrail event shows a failed `PatchUser` operation that resulted in a `ValidationException` with the error message `"List attribute emails exceeds allowed limit of 1"`. This error occurs when attempting to assign multiple email addresses to a user, as IAM Identity Center supports only one email address per user. The identity provider must configure SCIM mapping to send only a single email address for each user. @@ -249 +257,3 @@ The following are some examples of CloudTrail events. -## Common Error Messages +## Common SCIM API validation errors in IAM Identity Center + +The following validation error messages commonly appear in CloudTrail events when using the SCIM API with IAM Identity Center. These validation errors typically occur during user and group provisioning operations. @@ -251 +261 @@ The following are some examples of CloudTrail events. -The following are common validation error messages you can receive in CloudTrail events for IAM Identity Center SCIM API calls: +For detailed guidance on resolving these errors and properly configuring SCIM provisioning, see this [AWS re:Post article](https://repost.aws//knowledge-center/iam-identity-center-provision). @@ -270,2 +279,0 @@ The following are common validation error messages you can receive in CloudTrail -For more information on troubleshooting IAM Identity Center SCIM provisioning errors, see this [AWS re:Post article](https://repost.aws//knowledge-center/iam-identity-center-provision). -