AWS Security ChangesHomeSearch

AWS singlesignon documentation change

Service: singlesignon · 2025-10-16 · Documentation medium

File: singlesignon/latest/userguide/authconcept-revoke-access.md

Summary

Rewrote content to focus on Service Control Policies (SCPs) for access denial, including example policy and implementation guidance.

Security assessment

Enhances documentation about using SCPs as a security control mechanism but does not address a specific vulnerability. Provides security best practice guidance for access revocation.

Diff

diff --git a/singlesignon/latest/userguide/authconcept-revoke-access.md b/singlesignon/latest/userguide/authconcept-revoke-access.md
index 784b350e2..0cba7cfbb 100644
--- a//singlesignon/latest/userguide/authconcept-revoke-access.md
+++ b//singlesignon/latest/userguide/authconcept-revoke-access.md
@@ -5 +5 @@
-# Revoke access for deleted users
+# Deny user access with Service Control Policies
@@ -7 +7 @@
-To immediately revoke access to make authorized API calls when an IAM Identity Center user is either disabled or deleted, you can:
+To immediately deny access to make authorized API calls when an IAM Identity Center user's access is disabled or the user is deleted, you can:
@@ -9 +9 @@ To immediately revoke access to make authorized API calls when an IAM Identity C
-  1. Add or update the inline policy of the permission set(s) assigned to the user by adding an explicit `Deny` effect for all actions on all resources.
+  1. [Add or update](./howtoviewandchangepermissionset.html) the [inline policy](./permissionsetcustom.html#permissionsetsinlineconcept) of the permission set(s) assigned to the user by adding an explicit `Deny` effect for all actions on all resources.
@@ -16 +16 @@ To immediately revoke access to make authorized API calls when an IAM Identity C
-Alternatively, you can use a [Service Control Policy](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) to revoke the user's access across all member accounts in your organization.
+Alternatively, you can use a [Service Control Policy](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) to deny the user's access across all member accounts in your organization.
@@ -18 +18,3 @@ Alternatively, you can use a [Service Control Policy](https://docs.aws.amazon.co
-###### Example SCPs to revoke access
+###### Example SCP to deny access
+
+This denial policy blocks all AWS actions for a specific user, regardless of other permissions they might have been granted elsewhere. This policy overrides any `Allow` policies.
@@ -74 +76 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please
-Authentication in IAM Identity Center
+Disable user access
@@ -76 +78 @@ Authentication in IAM Identity Center
-Connect workforce users
+Managing access for users in the Identity Center directory