AWS singlesignon high security documentation change
Summary
Updated session revocation timings for permission changes from 1-2 hours to 30 minutes
Security assessment
The change significantly reduces the time window for permission revocation (from 1-2 hours to 30 minutes/real-time), directly impacting security posture by limiting exposure after access removal. It documents improved security controls for session management.
Diff
diff --git a/singlesignon/latest/userguide/authconcept.md b/singlesignon/latest/userguide/authconcept.md index 492ff581f..ded85a4fa 100644 --- a//singlesignon/latest/userguide/authconcept.md +++ b//singlesignon/latest/userguide/authconcept.md @@ -88,3 +88,3 @@ Action | User loses IAM Identity Center access | User can't create new applicat -Application or AWS account access removed from user | No - User can continue accessing IAM Identity Center | Effective immediately | Within 1 hour | Within 12 hours or less. Duration depends on IAM role session expiry duration configured for the permission set. -User removed from group that had an assigned application or AWS account | No - User can continue accessing IAM Identity Center | Within 1 hour | Within 2 hours | Within 12 hours or less. Duration depends on IAM role session expiry duration configured for the permission set. -Application or AWS account access removed from group | No - User can continue accessing IAM Identity Center | Effective immediately | Within 1 hour | Within 12 hours or less. Duration depends on IAM role session expiry duration configured for the permission set. +Application or AWS account access removed from user | No - User can continue accessing IAM Identity Center | Effective immediately | Within 30 minutes | Within 12 hours or less. Duration depends on IAM role session expiry duration configured for the permission set. +User removed from group that had an assigned application or AWS account | No - User can continue accessing IAM Identity Center | Effective immediately | Within 30 minutes | Within 12 hours or less. Duration depends on IAM role session expiry duration configured for the permission set. +Application or AWS account access removed from group | No - User can continue accessing IAM Identity Center | Effective immediately | Within 30 minutes | Within 12 hours or less. Duration depends on IAM role session expiry duration configured for the permission set. @@ -94 +94 @@ Application or AWS account access removed from group | No - User can continue ac -The AWS access portal and AWS CLI will reflect updated user permissions within 1 hour after you add or remove a user from that group. +The AWS access portal and AWS CLI will reflect updated user permissions immediately after you add or remove a user from that group. If you use an external identity provider, changes take effect after your provider syncs the update to IAM Identity Center. @@ -98 +98 @@ The AWS access portal and AWS CLI will reflect updated user permissions within 1 - * Effective immediately – Actions that require immediate re-authentication. + * Effective immediately – IAM Identity Center evaluates group membership and permission changes in real time. The next time a user attempts to create a new session, the change is enforced. @@ -100 +100 @@ The AWS access portal and AWS CLI will reflect updated user permissions within 1 - * Within 30 minutes - 2 hours – Application sessions need time to check with IAM Identity Center and discover any changes. + * Within 30 minutes – Existing application sessions end at their next refresh attempt, typically within 30 minutes.