AWS Security ChangesHomeSearch

AWS singlesignon documentation change

Service: singlesignon · 2025-08-13 · Documentation medium

File: singlesignon/latest/userguide/sso-cloudtrail-use-cases.md

Summary

Added documentation for identifying user background sessions in CloudTrail events, including OAuth token exchange details and resource ARN tracking. Minor grammar fixes ('you're' to 'you are').

Security assessment

The new section explains how CloudTrail logs capture background session details (refresh tokens and job ARNs), which improves auditability and monitoring capabilities. While this enhances security visibility, there is no evidence of addressing a specific vulnerability.

Diff

diff --git a/singlesignon/latest/userguide/sso-cloudtrail-use-cases.md b/singlesignon/latest/userguide/sso-cloudtrail-use-cases.md
index 5ddc46816..c64049a3c 100644
--- a//singlesignon/latest/userguide/sso-cloudtrail-use-cases.md
+++ b//singlesignon/latest/userguide/sso-cloudtrail-use-cases.md
@@ -5 +5 @@
-Identifying the user in IAM Identity Center user-initiated CloudTrail events Correlating user events within the same user sessionCorrelating users between IAM Identity Center and external directoriesViewing usersViewing a user’s SID
+Identifying the user in IAM Identity Center user-initiated CloudTrail events Correlating user events within the same user sessionIdentifying user background session details in IAM Identity Center user-initiated CloudTrail eventsCorrelating users between IAM Identity Center and external directoriesViewing usersViewing a user’s SID
@@ -60 +60 @@ To determine the Identity Store ID value for the CLI command in the previous exa
-If you're automating the lookup of users in the IAM Identity Center directory, we recommend that you estimate the frequency of user lookups, and consider the [IAM Identity Center throttle limit on the Identity Store API](./limits.html#ssodirectorylimits). Caching retrieved user attributes can help you stay within the throttle limit.
+If you are automating the lookup of users in the IAM Identity Center directory, we recommend that you estimate the frequency of user lookups, and consider the [IAM Identity Center throttle limit on the Identity Store API](./limits.html#ssodirectorylimits). Caching retrieved user attributes can help you stay within the throttle limit.
@@ -71,0 +72,20 @@ You can't use `credentialId` to correlate sign-in events to the subsequent event
+## Identifying user background session details in IAM Identity Center user-initiated CloudTrail events
+
+The following CloudTrail event captures the process of OAuth 2.0 token exchange, in which an existing access token (the `subjectToken`) that represents the user's interactive session is exchanged for a refresh token (the `requestedTokenType`). The refresh token allows any user initiated long-running jobs to continue running with the user's permissions, even after the user signs out. 
+
+For IAM Identity Center [user background sessions](./user-background-sessions.html), the CloudTrail event includes an additional element called `resource` in the `requestParameters` element. The `resource` parameter contains the Amazon Resource Name (ARN) of the job that runs in the background. This element is only present in CloudTrail event records and is not included in IAM Identity Center API or SDK responses.
+    
+    
+    {
+      "clientId": "EXAMPLE-CLIENT-ID",
+      "grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
+      "code": "HIDDEN_DUE_TO_SECURITY_REASONS",
+      "redirectUri": "https://example.com/callback",
+      "assertion": "HIDDEN_DUE_TO_SECURITY_REASONS",
+      "subjectToken": "HIDDEN_DUE_TO_SECURITY_REASONS",
+      "subjectTokenType": "urn:ietf:params:oauth:token-type:access_token",
+      "requestedTokenType": "urn:ietf:params:oauth:token-type:refresh_token",
+      "resource": "arn:aws:sagemaker:us-west-2:123456789012:training-job/my-job"
+    }
+    
+
@@ -105 +125 @@ You can retrieve user attributes from the IAM Identity Center directory for a kn
-Similarly, you can use the same mechanism when you know the `externalId`. Update the attribute path in the previous example with the `externalId` value, and the attribute value with the specific `externalId` for which you're searching.
+Similarly, you can use the same mechanism when you know the `externalId`. Update the attribute path in the previous example with the `externalId` value, and the attribute value with the specific `externalId` for which you are searching.
@@ -115 +135 @@ You can view these mappings in the IAM Identity Center console. Navigate to the
-While you can use any unique AD user identifier available in IAM Identity Center to look up a user in AD, we recommend using the `objectguid` in your queries because it's an immutable identifier. The following example shows how to query Microsoft AD with Powershell to retrieve a user using the user’s `objectguid` value of `16809ecc-7225-4c20-ad98-30094aefdbca`. A successful response to this query includes the user’s SID.
+While you can use any unique AD user identifier available in IAM Identity Center to look up a user in AD, we recommend using the `objectguid` in your queries because it is an immutable identifier. The following example shows how to query Microsoft AD with Powershell to retrieve a user using the user’s `objectguid` value of `16809ecc-7225-4c20-ad98-30094aefdbca`. A successful response to this query includes the user’s SID.