AWS Security ChangesHomeSearch

AWS IAM documentation change

Service: IAM · 2025-10-28 · Documentation low

File: IAM/latest/UserGuide/id_credentials_temp_enable-regions.md

Summary

Clarified requirements for activating AWS STS endpoints in manually enabled Regions, updated example Region, and added documentation link.

Security assessment

The changes clarify configuration steps for Regional STS endpoints but do not address a specific security vulnerability or weakness. The updates improve accuracy without introducing or mitigating security risks.

Diff

diff --git a/IAM/latest/UserGuide/id_credentials_temp_enable-regions.md b/IAM/latest/UserGuide/id_credentials_temp_enable-regions.md
index 9179fb2e5..894f0de32 100644
--- a//IAM/latest/UserGuide/id_credentials_temp_enable-regions.md
+++ b//IAM/latest/UserGuide/id_credentials_temp_enable-regions.md
@@ -39 +39 @@ AWS has made changes to the AWS Security Token Service (AWS STS) global endpoint
-When you activate STS endpoints for a Region, AWS STS can issue temporary credentials to users and roles in your account that make an AWS STS request. Those credentials can then be used in any Region that is enabled by default or is manually enabled. For Regions that are enabled by default, you must activate the Regional STS endpoint in the account where the temporary credentials are generated. It does not matter whether a user is signed into the same account or a different account when they make the request. For Regions that are manually enabled, you must activate the Region in both the account making the request and the account where the temporary credentials are generated.
+When you activate AWS STS endpoints for a Region, AWS STS can issue temporary credentials to users and roles in your account that make an AWS STS request. Those credentials can then be used in any Region that is enabled by default or is manually enabled. For Regions that are enabled by default, you must activate the Regional AWS STS endpoint in the account where the temporary credentials are generated. It does not matter whether a user is signed into the same account or a different account when they make the request. When requesting temporary credentials for a role in another AWS account using a Region that is manually enabled, the target account (the account containing the role) must enable that Region for AWS STS operations. This ensures that the temporary security credentials can be generated correctly.
@@ -41 +41 @@ When you activate STS endpoints for a Region, AWS STS can issue temporary creden
-For example, imagine a user in account A wants to send an `sts:AssumeRole` API request to the AWS STS Regional endpoint `https://sts.us-west-2.amazonaws.com`. The request is for temporary credentials for the role named `Developer` in account B. Because the request is to create credentials for an entity in account B, account B must activate the `us-west-2` Region. Users from account A (or any other account) can call the `us-west-2` AWS STS endpoint to request credentials for account B whether or not the Region is activated in their accounts.
+For example, imagine a user in account A wants to send an `sts:AssumeRole` API request to the [AWS STS Regional endpoint](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_region-endpoints.html) `https://sts.ap-southeast-3.amazonaws.com`. The request is for temporary credentials for the role named `Developer` in account B. Because the request is to create credentials for an entity in account B, account B must have the `ap-southeast-3` Region enabled. Users from account A (or any other account) can call the `ap-southeast-3` AWS STS endpoint to request credentials for account B whether or not the Region is activated in their accounts. To learn more, see [Enable or disable AWS Regions in your account](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-regions.html).