AWS Security ChangesHomeSearch

AWS IAM medium security documentation change

Service: IAM · 2025-08-25 · Security-related medium

File: IAM/latest/UserGuide/id_roles.md

Summary

Updated role chaining documentation to include AWS Management Console method and clarify 1-hour session limit enforcement

Security assessment

The change explicitly enforces a 1-hour maximum session duration for role chaining across all methods (including Console), regardless of role settings. This is a security control to limit credential exposure time. The documentation now highlights a security boundary that prevents extended sessions via role chaining, reducing the attack surface for compromised temporary credentials.

Diff

diff --git a/IAM/latest/UserGuide/id_roles.md b/IAM/latest/UserGuide/id_roles.md
index a12e123bb..ac1f75188 100644
--- a//IAM/latest/UserGuide/id_roles.md
+++ b//IAM/latest/UserGuide/id_roles.md
@@ -118 +118 @@ For information about which services support using service-linked roles, see [AW
-Role chaining is when you use a role to assume a second role through the AWS CLI or API. For example, `RoleA` has permission to assume `RoleB`. You can enable User1 to assume `RoleA` by using their long-term user credentials in the AssumeRole API operation. This returns `RoleA` short-term credentials. With role chaining, you can use `RoleA`'s short-term credentials to enable User1 to assume `RoleB`.
+Role chaining is when you use a role to assume a second role. You can perform role chaining through the AWS Management Console by switching roles, the AWS CLI, or API. For example, `RoleA` has permission to assume `RoleB`. You can enable User1 to assume `RoleA` by using their long-term user credentials in the AssumeRole API operation. This returns `RoleA` short-term credentials. With role chaining, you can use `RoleA`'s short-term credentials to enable User1 to assume `RoleB`.
@@ -122 +122,3 @@ When you assume a role, you can pass a session tag and set the tag as transitive
-Role chaining limits your AWS CLI or AWS API role session to a maximum of one hour. When you use the [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) API operation to assume a role, you can specify the duration of your role session with the `DurationSeconds` parameter. You can specify a parameter value of up to 43200 seconds (12 hours), depending on the [maximum session duration setting](./id_roles_update-role-settings.html#id_roles_update-session-duration) for your role. However, if you assume a role using role chaining and provide a `DurationSeconds` parameter value greater than one hour, the operation fails.
+Role chaining limits your AWS Management Console, AWS CLI or AWS API role session to a maximum of one hour. It applies regardless of the maximum session duration configured for individual roles. When you use the [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) API operation to assume a role, you can specify the duration of your role session with the `DurationSeconds` parameter. You can specify a parameter value of up to 43200 seconds (12 hours), depending on the [maximum session duration setting](./id_roles_update-role-settings.html#id_roles_update-session-duration) for your role. However, if you assume a role using role chaining and provide a `DurationSeconds` parameter value greater than one hour, the operation fails.
+
+For information about switching to a role in the AWS Management Console, see [Switch from a user to an IAM role (console)](./id_roles_use_switch-role-console.html).