AWS Security ChangesHomeSearch

AWS IAM medium security documentation change

Service: IAM · 2025-08-25 · Security-related medium

File: IAM/latest/UserGuide/id_roles_use_switch-role-console.md

Summary

Added explicit documentation about 1-hour session limit for role chaining across console/CLI/API operations

Security assessment

The added paragraph specifically documents a security control limiting role-chained sessions to 1 hour regardless of role settings. This prevents extended privilege escalation through role chaining, directly addressing session management security concerns.

Diff

diff --git a/IAM/latest/UserGuide/id_roles_use_switch-role-console.md b/IAM/latest/UserGuide/id_roles_use_switch-role-console.md
index cc4d14a45..b72aa18f7 100644
--- a//IAM/latest/UserGuide/id_roles_use_switch-role-console.md
+++ b//IAM/latest/UserGuide/id_roles_use_switch-role-console.md
@@ -21 +21,3 @@ When you sign in as a user in IAM Identity Center, as a SAML-federated role, or
-When you switch roles, your AWS Management Console session lasts for 1 hour by default. IAM user sessions are 12 hours by default, other users might have different session durations defined. When you switch roles in the console you are granted the role maximum session duration, or the remaining time in your user session, whichever is less. You can't extend your session duration by assuming a role. For example, assume that a maximum session duration of 10 hours is set for a role. You have been signed in to the console for 8 hours when you decide to switch to the role. There are 4 hours remaining in your user session, so the allowed role session duration is 4 hours, not the maximum session duration of 10 hours. The following table shows how to determine the session duration for an IAM user when switching roles in the console.
+When you switch roles, your AWS Management Console session lasts for 1 hour by default. IAM user sessions are 12 hours by default, other users might have different session durations defined. When you switch roles in the console, you are granted the role maximum session duration, or the remaining time in your user session, whichever is less. You can't extend your session duration by assuming a role.
+
+For example, assume that a maximum session duration of 10 hours is set for a role. You have been signed in to the console for 8 hours when you decide to switch to the role. There are 4 hours remaining in your user session, so the allowed role session duration is 4 hours, not the maximum session duration of 10 hours. The following table shows how to determine the session duration for an IAM user when switching roles in the console.
@@ -28,0 +31,2 @@ Equal to role maximum session duration | Maximum session duration value (approxi
+Using the credentials from one role to assume a different role is called [role chaining](./id_roles.html#iam-term-role-chaining). When you use role chaining, the session duration is limited to one hour, regardless of the maximum session duration setting configured for individual roles. This applies to AWS Management Console role switching, AWS CLI, and API operations.
+