AWS Security ChangesHomeSearch

AWS singlesignon medium security documentation change

Service: singlesignon · 2025-11-10 · Security-related medium

File: singlesignon/latest/IdentityStoreAPIReference/API_ListUsers.md

Summary

Added member account access notes, new User attributes (Birthdate/Photos/UserStatus/Website), and KMS error reason documentation

Security assessment

Includes security-related documentation about access control boundaries for member accounts and adds KMS-specific error reasons. The Photos attribute with storage of image URLs and new audit fields (CreatedAt/UpdatedBy) improve security visibility. KMS error details help identify encryption-related permission issues.

Diff

diff --git a/singlesignon/latest/IdentityStoreAPIReference/API_ListUsers.md b/singlesignon/latest/IdentityStoreAPIReference/API_ListUsers.md
index c3340785d..ce58d60b4 100644
--- a//singlesignon/latest/IdentityStoreAPIReference/API_ListUsers.md
+++ b//singlesignon/latest/IdentityStoreAPIReference/API_ListUsers.md
@@ -8,0 +9,6 @@ Request SyntaxRequest ParametersResponse SyntaxResponse ElementsErrorsExamplesSe
+Lists all users in the identity store. Returns a paginated list of complete `User` objects. Filtering for a `User` by the `UserName` attribute is deprecated. Instead, use the `GetUserId` API action.
+
+###### Note
+
+If you have access to a member account, you can use this API operation from the member account. For more information, see [Limiting access to the identity store from member accounts](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-accounts.html#limiting-access-from-member-accounts) in the _AWS IAM Identity Center User Guide_.
+
@@ -98,0 +105,3 @@ Required: No
+             "[Birthdate](./API_User.html#singlesignon-Type-User-Birthdate)": "**_string_** ",
+             "[CreatedAt](./API_User.html#singlesignon-Type-User-CreatedAt)": **_number_** ,
+             "[CreatedBy](./API_User.html#singlesignon-Type-User-CreatedBy)": "**_string_** ",
@@ -130,0 +140,8 @@ Required: No
+             "[Photos](./API_User.html#singlesignon-Type-User-Photos)": [ 
+                { 
+                   "[Display](./API_Photo.html#singlesignon-Type-Photo-Display)": "**_string_** ",
+                   "[Primary](./API_Photo.html#singlesignon-Type-Photo-Primary)": **_boolean_** ,
+                   "[Type](./API_Photo.html#singlesignon-Type-Photo-Type)": "**_string_** ",
+                   "[Value](./API_Photo.html#singlesignon-Type-Photo-Value)": "**_string_** "
+                }
+             ],
@@ -134,0 +152,2 @@ Required: No
+             "[UpdatedAt](./API_User.html#singlesignon-Type-User-UpdatedAt)": **_number_** ,
+             "[UpdatedBy](./API_User.html#singlesignon-Type-User-UpdatedBy)": "**_string_** ",
@@ -137 +156,3 @@ Required: No
-             "[UserType](./API_User.html#singlesignon-Type-User-UserType)": "**_string_** "
+             "[UserStatus](./API_User.html#singlesignon-Type-User-UserStatus)": "**_string_** ",
+             "[UserType](./API_User.html#singlesignon-Type-User-UserType)": "**_string_** ",
+             "[Website](./API_User.html#singlesignon-Type-User-Website)": "**_string_** "
@@ -174,0 +196,5 @@ You do not have sufficient access to perform this action.
+**Reason**
+    
+
+Indicates the reason for an access denial when returned by KMS while accessing a Customer Managed KMS key. For non-KMS access-denied errors, this field is not included.
+
@@ -203,0 +230,5 @@ Indicates that a requested resource is not found.
+**Reason**
+    
+
+Indicates the reason for a resource not found error when the service is unable to access a Customer Managed KMS key. For non-KMS permission errors, this field is not included.
+
@@ -225,0 +257,5 @@ Indicates that the principal has crossed the throttling limits of the API operat
+**Reason**
+    
+
+Indicates the reason for the throttling error when the service is unable to access a Customer Managed KMS key. For non-KMS permission errors, this field is not included.
+
@@ -242,0 +279,5 @@ The request failed because it contains a syntax error.
+**Reason**
+    
+
+Indicates the reason for the validation error when the service is unable to access a Customer Managed KMS key. For non-KMS permission errors, this field is not included.
+