AWS Security ChangesHomeSearch

AWS IAM documentation change

Service: IAM · 2025-12-07 · Documentation low

File: IAM/latest/UserGuide/id_roles_providers_outbound_token_claims.md

Summary

Added hyperlinks to condition key documentation in JWT claims mapping table

Security assessment

The changes improve documentation by linking security-related claims (like principal tags, organization IDs, and instance metadata) to their corresponding condition keys. While these claims relate to security attributes, the modifications are purely documentation improvements rather than addressing specific vulnerabilities or adding new security features.

Diff

diff --git a/IAM/latest/UserGuide/id_roles_providers_outbound_token_claims.md b/IAM/latest/UserGuide/id_roles_providers_outbound_token_claims.md
index 2ed1a2dbf..ddfd8d1f3 100644
--- a//IAM/latest/UserGuide/id_roles_providers_outbound_token_claims.md
+++ b//IAM/latest/UserGuide/id_roles_providers_outbound_token_claims.md
@@ -65,5 +65,5 @@ Claim | Description | Maps to Condition Key | Example Value
-aws_account | Your AWS account ID | aws:PrincipalAccount | 123456789012  
-source_region | The AWS region where the token was requested | aws:RequestedRegion | us-east-1  
-org_id | Your AWS Organizations ID (if your account is part of an organization) | aws:PrincipalOrgID | o-abc1234567  
-ou_path | Your organizational unit path (if applicable) | aws:PrincipalOrgPaths | o-a1b2c3d4e5/r-ab12/ou-ab12-11111111/ou-ab12-22222222/  
-principal_tags | Tags attached to the IAM principal or assumed role session. When a token is requested where the requesting IAM principal has both principal tags and session tags, the session tags will be present in the JWT. | aws:PrincipalTag/<tag-key> | {"environment": "production", "team": "data-engineering", "cost-center":"engineering"}  
+aws_account | Your AWS account ID | [aws:PrincipalAccount](./reference_policies_condition-keys.html#condition-keys-principalaccount) | 123456789012  
+source_region | The AWS region where the token was requested | [aws:RequestedRegion](./reference_policies_condition-keys.html#condition-keys-requestedregion) | us-east-1  
+org_id | Your AWS Organizations ID (if your account is part of an organization) | [aws:PrincipalOrgID](./reference_policies_condition-keys.html#condition-keys-principalorgid) | o-abc1234567  
+ou_path | Your organizational unit path (if applicable) | [aws:PrincipalOrgPaths](./reference_policies_condition-keys.html#condition-keys-principalorgpaths) | o-a1b2c3d4e5/r-ab12/ou-ab12-11111111/ou-ab12-22222222/  
+principal_tags | Tags attached to the IAM principal or assumed role session. When a token is requested where the requesting IAM principal has both principal tags and session tags, the session tags will be present in the JWT. | [aws:PrincipalTag/<tag-key>](./reference_policies_condition-keys.html#condition-keys-principaltag) | {"environment": "production", "team": "data-engineering", "cost-center":"engineering"}  
@@ -78,10 +78,10 @@ original_session_exp | When the original role session credentials will expire (f
-federated_provider | The identity provider name for federated sessions | aws:FederatedProvider | arn:aws:iam::111122223333:oidc-provider/your_oidc_provider  
-identity_store_user_id | IAM Identity Center user ID | identitystore:UserId | user-abc123def456  
-identity_store_arn | ARN of the Identity Center identity store | identitystore:IdentityStoreArn | arn:aws:identitystore::123456789012:identitystore/d-abc1234567  
-ec2_source_instance_arn | ARN of the requesting EC2 instance | ec2:SourceInstanceArn | arn:aws:ec2:us-east-1:123456789012:instance/i-abc123def456  
-ec2_instance_source_vpc | VPC ID where EC2 role credentials were delivered | aws:Ec2InstanceSourceVpc | vpc-abc123def456  
-ec2_instance_source_private_ipv4 | Private IPv4 address of the EC2 instance | aws:Ec2InstanceSourcePrivateIPv4 | 10.0.1.25  
-ec2_role_delivery | Instance metadata service version | ec2:RoleDelivery | 2  
-source_identity | Source identity set by the principal | aws:SourceIdentity | admin-user  
-lambda_source_function_arn | ARN of the calling Lambda function | lambda:SourceFunctionArn | arn:aws:lambda:us-east-1:123456789012:function:my-function  
-glue_credential_issuing_service | AWS Glue service identifier for Glue jobs | glue:CredentialIssuingService | glue.amazonaws.com  
+federated_provider | The identity provider name for federated sessions | [aws:FederatedProvider](./reference_policies_condition-keys.html#condition-keys-federatedprovider) | arn:aws:iam::111122223333:oidc-provider/your_oidc_provider  
+identity_store_user_id | IAM Identity Center user ID | [identitystore:UserId](./reference_policies_condition-keys.html#condition-keys-identity-store-user-id) | user-abc123def456  
+identity_store_arn | ARN of the Identity Center identity store | [identitystore:IdentityStoreArn](https://docs.aws.amazon.com/singlesignon/latest/userguide/condition-context-keys-sts-idc.html#condition-keys-identity-store-arn) | arn:aws:identitystore::123456789012:identitystore/d-abc1234567  
+ec2_source_instance_arn | ARN of the requesting EC2 instance | [ec2:SourceInstanceArn](./reference_policies_condition-keys.html#condition-keys-ec2-source-instance-arn) | arn:aws:ec2:us-east-1:123456789012:instance/i-abc123def456  
+ec2_instance_source_vpc | VPC ID where EC2 role credentials were delivered | [aws:Ec2InstanceSourceVpc](./reference_policies_condition-keys.html#condition-keys-ec2instancesourcevpc) | vpc-abc123def456  
+ec2_instance_source_private_ipv4 | Private IPv4 address of the EC2 instance | [aws:Ec2InstanceSourcePrivateIPv4](./reference_policies_condition-keys.html#condition-keys-ec2instancesourceprivateip4) | 10.0.1.25  
+ec2_role_delivery | Instance metadata service version | [ec2:RoleDelivery](./reference_policies_condition-keys.html#condition-keys-ec2-role-delivery) | 2  
+source_identity | Source identity set by the principal | [aws:SourceIdentity](./reference_policies_condition-keys.html#condition-keys-sourceidentity) | admin-user  
+lambda_source_function_arn | ARN of the calling Lambda function | [lambda:SourceFunctionArn](./reference_policies_condition-keys.html#condition-keys-lambda-source-function-arn) | arn:aws:lambda:us-east-1:123456789012:function:my-function  
+glue_credential_issuing_service | AWS Glue service identifier for Glue jobs | [glue:CredentialIssuingService](./reference_policies_condition-keys.html#condition-keys-glue-credential-issuing) | glue.amazonaws.com