AWS Security ChangesHomeSearch

AWS singlesignon medium security documentation change

Service: singlesignon · 2025-08-28 · Security-related medium

File: singlesignon/latest/userguide/using-service-linked-roles.md

Summary

Removed detailed IAM policy JSON for AWSSSOServiceRolePolicy including permissions for role management, SAML provider operations, and directory service access

Security assessment

The removed content included critical IAM permissions governing service-linked role operations. Removing security-relevant policy documentation could impact users' ability to properly configure secure access controls. The policy contained security-sensitive actions like iam:PutRolePermissionsBoundary and iam:DeleteServiceLinkedRole.

Diff

diff --git a/singlesignon/latest/userguide/using-service-linked-roles.md b/singlesignon/latest/userguide/using-service-linked-roles.md
index f321460e8..1aac5f6ed 100644
--- a//singlesignon/latest/userguide/using-service-linked-roles.md
+++ b//singlesignon/latest/userguide/using-service-linked-roles.md
@@ -106,167 +105,0 @@ For more information on updates to the AWSSSOServiceRolePolicy service-linked ro
-JSON
-    
-
-****
-    
-    
-    
-    {
-       "Version":"2012-10-17",
-       "Statement":[
-          {
-             "Sid":"IAMRoleProvisioningActions",
-             "Effect":"Allow",
-             "Action":[
-                "iam:AttachRolePolicy",
-                "iam:CreateRole",
-                "iam:DeleteRolePermissionsBoundary",
-                "iam:PutRolePermissionsBoundary",
-                "iam:PutRolePolicy",
-                "iam:UpdateRole",
-                "iam:UpdateRoleDescription",
-                "iam:UpdateAssumeRolePolicy"
-             ],
-             "Resource":[
-                "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*"
-             ],
-             "Condition":{
-                "StringNotEquals":{
-                   "aws:PrincipalOrgMasterAccountId":"${aws:PrincipalAccount}"
-                }
-             }
-          },
-          {
-             "Sid":"IAMRoleReadActions",
-             "Effect":"Allow",
-             "Action":[
-                "iam:GetRole",
-                "iam:ListRoles"
-             ],
-             "Resource":[
-                "*"
-             ]
-          },
-          {
-             "Sid":"IAMRoleCleanupActions",
-             "Effect":"Allow",
-             "Action":[
-                "iam:DeleteRole",
-                "iam:DeleteRolePolicy",
-                "iam:DetachRolePolicy",
-                "iam:ListRolePolicies",
-                "iam:ListAttachedRolePolicies"
-             ],
-             "Resource":[
-                "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*"
-             ]
-          },
-          {
-             "Sid":"IAMSLRCleanupActions",
-             "Effect":"Allow",
-             "Action":[
-                "iam:DeleteServiceLinkedRole",
-                "iam:GetServiceLinkedRoleDeletionStatus",
-                "iam:DeleteRole",
-                "iam:GetRole"
-             ],
-             "Resource":[
-                "arn:aws:iam::*:role/aws-service-role/sso.amazonaws.com/AWSServiceRoleForSSO"
-             ]
-          },
-          {
-            "Sid": "IAMSAMLProviderCreationAction",
-            "Effect": "Allow",
-            "Action": [
-              "iam:CreateSAMLProvider"
-          ],
-          "Resource": [
-             "arn:aws:iam::*:saml-provider/AWSSSO_*"
-           ],
-          "Condition": {
-             "StringNotEquals": {
-                "aws:PrincipalOrgMasterAccountId": "${aws:PrincipalAccount}"
-              }
-            }
-          },
-          {
-            "Sid": "IAMSAMLProviderUpdateAction",
-            "Effect": "Allow",
-            "Action": [
-              "iam:UpdateSAMLProvider"
-            ],
-            "Resource": [
-               "arn:aws:iam::*:saml-provider/AWSSSO_*"
-            ]
-          }, 
-          {
-             "Sid":"IAMSAMLProviderCleanupActions",
-             "Effect":"Allow",
-             "Action":[
-                "iam:DeleteSAMLProvider",
-                "iam:GetSAMLProvider"
-             ],
-             "Resource":[
-                "arn:aws:iam::*:saml-provider/AWSSSO_*"
-             ]
-          },
-          {
-             "Effect":"Allow",
-             "Action":[
-                "organizations:DescribeAccount",
-                "organizations:DescribeOrganization",
-                "organizations:ListAccounts",
-                "organizations:ListAWSServiceAccessForOrganization",
-                "organizations:ListDelegatedAdministrators"
-             ],
-             "Resource":[
-                "*"
-             ]
-          },
-          {
-             "Sid":"AllowUnauthAppForDirectory",
-             "Effect":"Allow",
-             "Action":[
-                "ds:UnauthorizeApplication"
-             ],
-             "Resource":[
-                "*"
-             ]
-          },
-          {
-             "Sid":"AllowDescribeForDirectory",
-             "Effect":"Allow",
-             "Action":[
-                "ds:DescribeDirectories",
-                "ds:DescribeTrusts"
-             ],
-             "Resource":[
-                "*"
-             ]
-          },
-          {
-             "Sid":"AllowDescribeAndListOperationsOnIdentitySource",
-             "Effect":"Allow",
-             "Action":[
-                "identitystore:DescribeUser",
-                "identitystore:DescribeGroup",
-                "identitystore:ListGroups",
-                "identitystore:ListUsers"
-             ],
-             "Resource":[
-                "*"
-             ]
-          },
-          {
-             "Sid":"AllowDeleteSyncProfile",
-             "Effect":"Allow",
-             "Action":[
-                "identity-sync:DeleteSyncProfile"
-             ],
-             "Resource":[
-                "arn:aws:identity-sync*:*:profile/*"
-             ]
-          }
-       ]    
-    }
-    
-