AWS Security ChangesHomeSearch

AWS transform medium security documentation change

Service: transform · 2026-03-22 · Security-related medium

File: transform/latest/userguide/transform-user-connectors.md

Summary

Added documentation for user traceability features requiring IAM Identity Center integration and trust policy updates

Security assessment

Introduces user-level attribution for security auditing through CloudTrail logs and requires explicit IAM role permissions (sts:SetContext). This directly enhances security visibility by tying actions to individual users rather than service identities.

Diff

diff --git a/transform/latest/userguide/transform-user-connectors.md b/transform/latest/userguide/transform-user-connectors.md
index 9801fd4ac..c186b6557 100644
--- a//transform/latest/userguide/transform-user-connectors.md
+++ b//transform/latest/userguide/transform-user-connectors.md
@@ -5 +5 @@
-Managing connectors
+User traceability for agentic operationsManaging connectors
@@ -35,0 +36,31 @@ Connectors require requests for access from the _source connector_ , and approva
+## User traceability for agentic operations
+
+By default, AWS CloudTrail records agent actions on your AWS resources under the AWS Transform service identity. User traceability attributes those actions to the specific AWS IAM Identity Center user who initiated or interacted with the job, enabling security auditing and incident investigation at the individual-user level.
+
+###### Note
+
+User traceability is supported for IAM Identity Center (IDC) users only.
+
+To enable user traceability, enable **Background session** in your AWS Transform profile settings. When enabled, AWS Transform automatically creates an IAM Identity Center [background session](https://docs.aws.amazon.com/singlesignon/latest/userguide/user-background-sessions.html) when you interact with a job and uses it to produce identity-enhanced IAM role sessions for connector operations. These sessions embed your user identity in downstream AWS service calls and AWS CloudTrail events. When background sessions are disabled, AWS Transform falls back to standard assumed-role sessions without user identity context.
+
+New connectors are automatically configured to support user traceability. For existing connectors, you must manually add `sts:SetContext` to the connector role's trust policy:
+    
+    
+    {
+      "Version": "2012-10-17",		 	 	 
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Principal": { "Service": ["transform.amazonaws.com"] },
+          "Action": ["sts:AssumeRole", "sts:SetContext"],
+          "Condition": {
+            "StringEquals": { "aws:SourceAccount": "your-account-id" }
+          }
+        }
+      ]
+    }
+
+You can view and revoke your active background sessions from the **Background sessions** tab on the job page. Revoking a session immediately invalidates it and any connector sessions derived from it.
+
+For more information, see [Trusted identity propagation overview](https://docs.aws.amazon.com/singlesignon/latest/userguide/trustedidentitypropagation-overview.html) in the _AWS IAM Identity Center User Guide_.
+