AWS Security ChangesHomeSearch

AWS singlesignon documentation change

Service: singlesignon · 2026-04-19 · Documentation low

File: singlesignon/latest/userguide/configure-abac-policies.md

Summary

Added explanation that ABAC attributes are passed as session tags when federating through IAM Identity Center, and can be referenced in policies using the aws:PrincipalTag condition key across various IAM policy types.

Security assessment

This enhances documentation on using session tags for access control, which is a security feature. It provides guidance on implementing secure policies but does not indicate a security issue or vulnerability.

Diff

diff --git a/singlesignon/latest/userguide/configure-abac-policies.md b/singlesignon/latest/userguide/configure-abac-policies.md
index 612bbfb46..6fd80faf9 100644
--- a//singlesignon/latest/userguide/configure-abac-policies.md
+++ b//singlesignon/latest/userguide/configure-abac-policies.md
@@ -50,0 +51,2 @@ JSON
+When users federate into an AWS account through IAM Identity Center, the configured access control attributes are passed as session tags. You can reference these session tags in your policies using the `aws:PrincipalTag/`tag-key`` condition key. This condition key is supported in all relevant AWS IAM policy types where you can use conditions, including identity-based policies, resource-based policies, permissions boundaries, service control policies (SCPs), and VPC endpoint policies. This enables you to make fine-grained access control decisions based on user attributes across your entire AWS environment.
+