AWS singlesignon documentation change
Summary
Added documentation for SCIM API CloudTrail events, updated service authorization references, and consolidated event coverage information
Security assessment
Added SCIM API logging documentation improves audit capabilities but doesn't address a specific vulnerability. Link updates suggest improved accuracy rather than security fixes. The change enhances security visibility by documenting additional API operations tracked in CloudTrail.
Diff
diff --git a/singlesignon/latest/userguide/sso-info-in-cloudtrail.md b/singlesignon/latest/userguide/sso-info-in-cloudtrail.md index b8d55d3d3..9ae50a6fd 100644 --- a//singlesignon/latest/userguide/sso-info-in-cloudtrail.md +++ b//singlesignon/latest/userguide/sso-info-in-cloudtrail.md @@ -5 +5 @@ -CloudTrail events of IAM Identity Center API operationsCloudTrail events of Identity Store API operationsCloudTrail events of OIDC API operationsCloudTrail events of AWS access portal API operationsIdentity information in IAM Identity Center CloudTrail events +CloudTrail events of IAM Identity Center API operationsCloudTrail events of Identity Store API operationsCloudTrail events of OIDC API operationsCloudTrail events of AWS access portal API operationsCloudTrail events of SCIM API operationsIdentity information in IAM Identity Center CloudTrail events @@ -41,0 +42,2 @@ The following sections provide information about the CloudTrail events associate + * SCIM API + @@ -49 +51 @@ The following list contains the CloudTrail events that the public IAM Identity C -You might find additional events in CloudTrail for IAM Identity Center console API operations that the console relies on. For more information about these console APIs, see the [Service Authorization Reference](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycentersuccessortoawssinglesign-on.html). +You might find additional events in CloudTrail for IAM Identity Center console API operations that the console relies on. For more information about these console APIs, see the [Service Authorization Reference](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycenter.html). @@ -204 +206 @@ The following list contains the CloudTrail events that the public Identity Store -You might see additional events in CloudTrail for the Identity Store console API operations with the `sso-directory.amazonaws.com` event source. These APIs support the console and AWS access portal. If you need to detect the occurrence of a particular operation, such as adding member to a group, we recommend you consider both public and console API operations. For more information about these console APIs, see the [Service Authorization Reference](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycentersuccessortoawssinglesign-on.html). +You might find additional events in CloudTrail for the Identity Store console API operations with the `sso-directory.amazonaws.com` event source. These APIs support the console and AWS access portal. If you need to detect the occurrence of a particular operation, such as adding member to a group, we recommend you consider both public and console API operations. For more information about these console APIs, see the [Service Authorization Reference](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsidentitystore.html). @@ -280,0 +283,4 @@ The following list contains the CloudTrail events that the AWS access portal API +## CloudTrail events of SCIM API operations + +For information about public SCIM API operations, see [AWS access portal API Reference](./scim-logging-using-cloudtrail.html). + @@ -291 +297 @@ Every event or log entry contains information about who generated the request. T - * Whether the request was made by an IAM Identity Center user. If so, the `userId` and `identityStoreArn` fields are available in the CloudTrail events to identify the IAM Identity Center user who initiated the request. For more information, see [Identifying the user and session in IAM Identity Center user-initiated CloudTrail events ](./sso-cloudtrail-use-cases.html#user-session-iam-identity-center). + * Whether the request was made by an IAM Identity Center user. If so, the `userId` and `identityStoreArn` fields are available in the CloudTrail events to identify the IAM Identity Center user who initiated the request. For more information, see [Identifying the user in IAM Identity Center user-initiated CloudTrail events ](./sso-cloudtrail-use-cases.html#user-session-iam-identity-center). @@ -300,8 +306 @@ For more information, see the [CloudTrail userIdentity element](https://docs.aws -Currently, IAM Identity Center doesn't emit CloudTrail events for the following actions: - - * User sign-in to AWS managed web applications (for example, Amazon SageMaker AI Studio) with the [OIDC API](https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html). These web applications are a subset of the broader set of [AWS managed applications](./awsapps.html), which also include non-web applications such as Amazon Athena SQL and Amazon S3 Access Grants. - - * Retrieval of user and group attributes by AWS managed applications with the [Identity Store API.](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/welcome.html) - - - +Currently, IAM Identity Center doesn't emit CloudTrail events for user sign-in to AWS managed web applications (for example, Amazon SageMaker AI Studio) with the [OIDC API](https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html). These web applications are a subset of the broader set of [AWS managed applications](./awsapps.html), which also include non-web applications such as Amazon Athena SQL and Amazon S3 Access Grants.