AWS cli medium security documentation change
Summary
Expanded documentation for create-delegation-request API including parameters, constraints, and partner onboarding requirements. Added security-related constraints like session duration limits, notification channel permissions, and SendTokenOnlyByOwner flag.
Security assessment
Added security controls include: 1) SessionDuration minimum reduced to 300 seconds (5 minutes) from 3600, allowing shorter-lived tokens. 2) NotificationChannel requires SNS topic ARNs with resource policies restricting access. 3) SendTokenOnlyByOwner flag prevents token sending by unauthorized parties. These changes demonstrate concrete security improvements to delegation request handling.
Diff
diff --git a/cli/latest/reference/iam/create-delegation-request.md b/cli/latest/reference/iam/create-delegation-request.md index 40dfcbef9..26a271da6 100644 --- a//cli/latest/reference/iam/create-delegation-request.md +++ b//cli/latest/reference/iam/create-delegation-request.md @@ -15 +15 @@ - * [AWS CLI 2.31.37 Command Reference](../../index.html) » + * [AWS CLI 2.31.39 Command Reference](../../index.html) » @@ -59 +59,3 @@ First time using the AWS CLI? See the [User Guide](https://docs.aws.amazon.com/c -This API is currently unavailable for general use. +Creates an IAM delegation request for temporary access delegation. + +This API is not available for general use. In order to use this API, a caller first need to go through an onboarding process described in the [partner onboarding documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-temporary-delegation-partner-guide.html) . @@ -101,0 +104,4 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/iam-20 +> The Amazon Web Services account ID this delegation request is targeted to. +> +> If the account ID is not known, this parameter can be omitted, resulting in a request that can be associated by any account. If the account ID passed, then the created delegation request can only be associated with an identity of that target account. +> @@ -109,0 +116,2 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/iam-20 +> A description of the delegation request. +> @@ -118,0 +127,2 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/iam-20 +> The permissions to be delegated in this delegation request. +> @@ -121,3 +131 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/iam-20 ->> The Amazon Resource Name (ARN). ARNs are unique identifiers for Amazon Web Services resources. ->> ->> For more information about ARNs, go to [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the _Amazon Web Services General Reference_ . +>> This ARN maps to a pre-registered policy content for this partner. See the `partner onboarding documentation to understand how to create a delegation template. @@ -133,0 +142,2 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/iam-20 +>> A list of policy parameters that define the scope and constraints of the delegated permissions. +>> @@ -141,0 +152,2 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/iam-20 +>>> Contains information about a policy parameter used to customize delegated permissions. +>>> @@ -143,0 +156,2 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/iam-20 +>>>> The name of the policy parameter. +>>>> @@ -147,0 +162 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/iam-20 +>>>> * pattern: `[ -~]+` @@ -152,0 +168,2 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/iam-20 +>>>> The allowed values for the policy parameter. +>>>> @@ -153,0 +171,6 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/iam-20 +>>>> +>>>>> Constraints: +>>>>> +>>>>> * pattern: `[ -~]+` +>>>>> + @@ -156,0 +180,2 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/iam-20 +>>>> The data type of the policy parameter value. +>>>> @@ -181,0 +207,6 @@ JSON Syntax: +> A message explaining the reason for the delegation request. +> +> Requesters can utilize this field to add a custom note to the delegation request. This field is different from the description such that this is to be utilized for a custom messaging on a case-by-case basis. +> +> For example, if the current delegation request is in response to a previous request being rejected, this explanation can be added to the request via this field. +> @@ -190,0 +222,6 @@ JSON Syntax: +> The workflow ID associated with the requestor. +> +> This is the unique identifier on the partner side that can be used to track the progress of the request. +> +> IAM maintains a uniqueness check on this workflow id for each request - if a workflow id for an existing request is passed, this API call will fail. +> @@ -194,0 +232 @@ JSON Syntax: +> * pattern: `[\u0009\u000A\u000D\u0020-\u007E\u00A1-\u00FF]+` @@ -199,0 +238,4 @@ JSON Syntax: +> The URL to redirect to after the delegation request is processed. +> +> This URL is used by the IAM console to show a link to the customer to re-load the partner workflow. +> @@ -209,0 +252,4 @@ JSON Syntax: +> The notification channel for updates about the delegation request. +> +> At this time,only SNS topic ARNs are accepted for notification. This topic ARN must have a resource policy granting `SNS:Publish` permission to the IAM service principal (`iam.amazonaws.com` ). See [partner onboarding documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-temporary-delegation-partner-guide.html) for more details. +> @@ -213,0 +260 @@ JSON Syntax: +> * pattern: `^[a-zA-Z0-9:_.-]+$` @@ -218,0 +266,4 @@ JSON Syntax: +> The duration for which the delegated session should remain active, in seconds. +> +> The active time window for the session starts when the customer calls the [SendDelegationToken](https://docs.aws.amazon.com/IAM/latest/APIReference/API_SendDelegationToken.html) API. +> @@ -221 +272 @@ JSON Syntax: -> * min: `3600` +> * min: `300` @@ -227,0 +279,4 @@ JSON Syntax: +> Specifies whether the delegation token should only be sent by the owner. +> +> This flag prevents any party other than the owner from calling `SendDelegationToken` API for this delegation request. This behavior becomes useful when the delegation request owner needs to be present for subsequent partner interactions, but the delegation request was sent to a more privileged user for approval due to the owner lacking sufficient delegation permissions. + @@ -328,0 +384,4 @@ ConsoleDeepLink -> (string) +> A deep link URL to the Amazon Web Services Management Console for managing the delegation request. +> +> For a console based workflow, partners should redirect the customer to this URL. If the customer is not logged in to any Amazon Web Services account, the Amazon Web Services workflow will automatically direct the customer to log in and then display the delegation request approval page. +> @@ -337,0 +397,2 @@ DelegationRequestId -> (string) +> The unique identifier for the created delegation request. +> @@ -356 +417 @@ DelegationRequestId -> (string) - * [AWS CLI 2.31.37 Command Reference](../../index.html) » + * [AWS CLI 2.31.39 Command Reference](../../index.html) »