AWS Security ChangesHomeSearch

AWS singlesignon medium security documentation change

Service: singlesignon · 2025-11-10 · Security-related medium

File: singlesignon/latest/IdentityStoreAPIReference/API_ListGroups.md

Summary

Added documentation about member account access limitations, new Group attributes (CreatedAt/CreatedBy/UpdatedAt/UpdatedBy), and KMS-related error reason explanations

Security assessment

Added explicit documentation about limiting access from member accounts and KMS-related error reasons. The KMS error clarifications indicate improved security logging around encryption key access failures, which helps troubleshoot permission issues with Customer Managed Keys.

Diff

diff --git a/singlesignon/latest/IdentityStoreAPIReference/API_ListGroups.md b/singlesignon/latest/IdentityStoreAPIReference/API_ListGroups.md
index 0a60f3d95..3a399f9ac 100644
--- a//singlesignon/latest/IdentityStoreAPIReference/API_ListGroups.md
+++ b//singlesignon/latest/IdentityStoreAPIReference/API_ListGroups.md
@@ -8,0 +9,6 @@ Request SyntaxRequest ParametersResponse SyntaxResponse ElementsErrorsExamplesSe
+Lists all groups in the identity store. Returns a paginated list of complete `Group` objects. Filtering for a `Group` by the `DisplayName` attribute is deprecated. Instead, use the `GetGroupId` API action.
+
+###### Note
+
+If you have access to a member account, you can use this API operation from the member account. For more information, see [Limiting access to the identity store from member accounts](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-accounts.html#limiting-access-from-member-accounts) in the _AWS IAM Identity Center User Guide_.
+
@@ -85,0 +92,2 @@ Required: No
+             "[CreatedAt](./API_Group.html#singlesignon-Type-Group-CreatedAt)": **_number_** ,
+             "[CreatedBy](./API_Group.html#singlesignon-Type-Group-CreatedBy)": "**_string_** ",
@@ -95 +103,3 @@ Required: No
-             "[IdentityStoreId](./API_Group.html#singlesignon-Type-Group-IdentityStoreId)": "**_string_** "
+             "[IdentityStoreId](./API_Group.html#singlesignon-Type-Group-IdentityStoreId)": "**_string_** ",
+             "[UpdatedAt](./API_Group.html#singlesignon-Type-Group-UpdatedAt)": **_number_** ,
+             "[UpdatedBy](./API_Group.html#singlesignon-Type-Group-UpdatedBy)": "**_string_** "
@@ -117 +127 @@ Type: Array of [Group](./API_Group.html) objects
-The pagination token used for the `ListUsers` and `ListGroups` API operations. This value is generated by the identity store service. It is returned in the API response if the total results are more than the size of one page. This token is also returned when it1 is used in the API request to search for the next page.
+The pagination token used for the `ListUsers` and `ListGroups` API operations. This value is generated by the identity store service. It is returned in the API response if the total results are more than the size of one page. This token is also returned when it is used in the API request to search for the next page.
@@ -133,0 +144,5 @@ You do not have sufficient access to perform this action.
+**Reason**
+    
+
+Indicates the reason for an access denial when returned by KMS while accessing a Customer Managed KMS key. For non-KMS access-denied errors, this field is not included.
+
@@ -162,0 +178,5 @@ Indicates that a requested resource is not found.
+**Reason**
+    
+
+Indicates the reason for a resource not found error when the service is unable to access a Customer Managed KMS key. For non-KMS permission errors, this field is not included.
+
@@ -184,0 +205,5 @@ Indicates that the principal has crossed the throttling limits of the API operat
+**Reason**
+    
+
+Indicates the reason for the throttling error when the service is unable to access a Customer Managed KMS key. For non-KMS permission errors, this field is not included.
+
@@ -201,0 +227,5 @@ The request failed because it contains a syntax error.
+**Reason**
+    
+
+Indicates the reason for the validation error when the service is unable to access a Customer Managed KMS key. For non-KMS permission errors, this field is not included.
+