AWS singlesignon medium security documentation change
Summary
Added note about member account access, new user attributes (Birthdate, CreatedAt, CreatedBy, Photos, UpdatedAt, UpdatedBy, UserStatus, Website), and KMS-related error reason fields
Security assessment
Added documentation about KMS access denial reasons in error responses and member account access limitations. These changes clarify security controls around encryption key access and cross-account permissions. The KMS-related error details indicate security implications for Customer Managed Key access failures.
Diff
diff --git a/singlesignon/latest/IdentityStoreAPIReference/API_DescribeUser.md b/singlesignon/latest/IdentityStoreAPIReference/API_DescribeUser.md index 26280ea67..f02db980f 100644 --- a//singlesignon/latest/IdentityStoreAPIReference/API_DescribeUser.md +++ b//singlesignon/latest/IdentityStoreAPIReference/API_DescribeUser.md @@ -8,0 +9,6 @@ Request SyntaxRequest ParametersResponse SyntaxResponse ElementsErrorsExamplesSe +Retrieves the user metadata and attributes from the `UserId` in an identity store. + +###### Note + +If you have access to a member account, you can use this API operation from the member account. For more information, see [Limiting access to the identity store from member accounts](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-accounts.html#limiting-access-from-member-accounts) in the _AWS IAM Identity Center User Guide_. + @@ -64,0 +71,3 @@ Required: Yes + "Birthdate": "**_string_** ", + "CreatedAt": **_number_** , + "CreatedBy": "**_string_** ", @@ -96,0 +106,8 @@ Required: Yes + "Photos": [ + { + "[Display](./API_Photo.html#singlesignon-Type-Photo-Display)": "**_string_** ", + "[Primary](./API_Photo.html#singlesignon-Type-Photo-Primary)": **_boolean_** , + "[Type](./API_Photo.html#singlesignon-Type-Photo-Type)": "**_string_** ", + "[Value](./API_Photo.html#singlesignon-Type-Photo-Value)": "**_string_** " + } + ], @@ -100,0 +118,2 @@ Required: Yes + "UpdatedAt": **_number_** , + "UpdatedBy": "**_string_** ", @@ -103 +122,3 @@ Required: Yes - "UserType": "**_string_** " + "UserStatus": "**_string_** ", + "UserType": "**_string_** ", + "Website": "**_string_** " @@ -120,0 +142,25 @@ Array Members: Fixed number of 1 item. +**Birthdate ** + + +The user's birthdate in YYYY-MM-DD format. This field returns the stored birthdate information for the user. + +Type: String + +Length Constraints: Minimum length of 1. Maximum length of 1024. + +Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}\t\n\r ]+` + +**CreatedAt ** + + +The date and time the user was created. + +Type: Timestamp + +**CreatedBy ** + + +The identifier of the user or system that created the user. + +Type: String + @@ -198,0 +245,9 @@ Array Members: Fixed number of 1 item. +**Photos ** + + +A list of photos associated with the user. Returns up to 3 photos with their associated metadata including type, display name, and primary designation. + +Type: Array of [Photo](./API_Photo.html) objects + +Array Members: Minimum number of 1 item. Maximum number of 3 items. + @@ -242,0 +298,14 @@ Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}\t\n\r ]+` +**UpdatedAt ** + + +The date and time the user was last updated. + +Type: Timestamp + +**UpdatedBy ** + + +The identifier of the user or system that last updated the user. + +Type: String + @@ -264,0 +334,9 @@ Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}]+` +**UserStatus ** + + +The current status of the user account. + +Type: String + +Valid Values: `ENABLED | DISABLED` + @@ -275,0 +354,11 @@ Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}\t\n\r ]+` +**Website ** + + +The user's personal website or blog URL. Returns the stored website information for the user. + +Type: String + +Length Constraints: Minimum length of 1. Maximum length of 1024. + +Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}\t\n\r ]+` + @@ -284,0 +374,5 @@ You do not have sufficient access to perform this action. +**Reason** + + +Indicates the reason for an access denial when returned by KMS while accessing a Customer Managed KMS key. For non-KMS access-denied errors, this field is not included. + @@ -313,0 +408,5 @@ Indicates that a requested resource is not found. +**Reason** + + +Indicates the reason for a resource not found error when the service is unable to access a Customer Managed KMS key. For non-KMS permission errors, this field is not included. + @@ -335,0 +435,5 @@ Indicates that the principal has crossed the throttling limits of the API operat +**Reason** + + +Indicates the reason for the throttling error when the service is unable to access a Customer Managed KMS key. For non-KMS permission errors, this field is not included. + @@ -352,0 +457,5 @@ The request failed because it contains a syntax error. +**Reason** + + +Indicates the reason for the validation error when the service is unable to access a Customer Managed KMS key. For non-KMS permission errors, this field is not included. +