AWS Security ChangesHomeSearch

AWS singlesignon high security documentation change

Service: singlesignon · 2025-10-16 · Security-related high

File: singlesignon/latest/userguide/cmk-related-errors.md

Summary

Added documentation about AWS access portal login failures related to customer managed KMS keys and updated terminology consistency ('customer-managed' to 'customer managed')

Security assessment

The change adds documentation about login failures when using customer-managed KMS keys, specifically addressing required KMS key policy permissions. This directly relates to access control and encryption configuration security aspects. The added section explains security implications of misconfigured KMS permissions blocking portal access.

Diff

diff --git a/singlesignon/latest/userguide/cmk-related-errors.md b/singlesignon/latest/userguide/cmk-related-errors.md
index 4d828ce4c..d710a947d 100644
--- a//singlesignon/latest/userguide/cmk-related-errors.md
+++ b//singlesignon/latest/userguide/cmk-related-errors.md
@@ -5 +5 @@
-Access Denied: KMS Decrypt Permission IssueAWS managed application login failures with a customer-managed KMS key enabled in IAM Identity CenterAWS managed application installation and/or user assignment failures with a customer managed KMS key enabled in IAM Identity CenterKMS Permissions Issue: Configuring Customer Managed Key with AWS IAM Identity Center
+Access Denied: KMS Decrypt Permission IssueAWS managed application login failures with a customer managed KMS key enabled in IAM Identity CenterAWS managed application installation and/or user assignment failures with a customer managed KMS key enabled in IAM Identity CenterKMS Permissions Issue: Configuring Customer Managed Key with AWS IAM Identity CenterAWS access portal login failures with a customer managed KMS key enabled in IAM Identity Center
@@ -32 +32 @@ To resolve this issue, grant the user or IAM principal `kms:Decrypt` access perm
-## AWS managed application login failures with a customer-managed KMS key enabled in IAM Identity Center
+## AWS managed application login failures with a customer managed KMS key enabled in IAM Identity Center
@@ -34 +34 @@ To resolve this issue, grant the user or IAM principal `kms:Decrypt` access perm
-If no Identity Center users can log into AWS managed applications and you have a customer-managed KMS key enabled in your IAM Identity Center instance, verify that the KMS key policy grants the AWS managed applications permissions to use the customer managed KMS key. For more information, see [Baseline KMS key and IAM policy statements](./baseline-KMS-key-policy.html).
+If no Identity Center users can log into AWS managed applications and you have a customer managed KMS key enabled in your IAM Identity Center instance, verify that the KMS key policy grants the AWS managed applications permissions to use the customer managed KMS key. For more information, see [Baseline KMS key and IAM policy statements](./baseline-KMS-key-policy.html).
@@ -71,0 +72,6 @@ To resolve this issue, grant all required KMS permissions to the user or IAM pri
+## AWS access portal login failures with a customer managed KMS key enabled in IAM Identity Center
+
+**Error:** "ERROR Code: 0001 - IdentityCenter service access is blocked. Reach out to your IdentityCenter admin for further steps."
+
+If users cannot log in to the AWS access portal and you have a customer managed KMS key enabled in your IAM Identity Center instance, verify that the KMS key policy grants the necessary permissions to Identity Center and Identity Store. For more information, see [Baseline KMS key and IAM policy statements](./baseline-KMS-key-policy.html).
+