AWS Security ChangesHomeSearch

AWS singlesignon high security documentation change

Service: singlesignon · 2026-06-04 · Security-related high

File: singlesignon/latest/userguide/authconcept.md

Summary

Updated session revocation timings for permission changes from 1-2 hours to 30 minutes

Security assessment

The change significantly reduces the time window for permission revocation (from 1-2 hours to 30 minutes/real-time), directly impacting security posture by limiting exposure after access removal. It documents improved security controls for session management.

Diff

diff --git a/singlesignon/latest/userguide/authconcept.md b/singlesignon/latest/userguide/authconcept.md
index 492ff581f..ded85a4fa 100644
--- a//singlesignon/latest/userguide/authconcept.md
+++ b//singlesignon/latest/userguide/authconcept.md
@@ -88,3 +88,3 @@ Action | User loses IAM Identity Center access  | User can't create new applicat
-Application or AWS account access removed from user | No - User can continue accessing IAM Identity Center | Effective immediately | Within 1 hour | Within 12 hours or less. Duration depends on IAM role session expiry duration configured for the permission set.  
-User removed from group that had an assigned application or AWS account | No - User can continue accessing IAM Identity Center | Within 1 hour | Within 2 hours | Within 12 hours or less. Duration depends on IAM role session expiry duration configured for the permission set.  
-Application or AWS account access removed from group | No - User can continue accessing IAM Identity Center | Effective immediately | Within 1 hour | Within 12 hours or less. Duration depends on IAM role session expiry duration configured for the permission set.  
+Application or AWS account access removed from user | No - User can continue accessing IAM Identity Center | Effective immediately | Within 30 minutes | Within 12 hours or less. Duration depends on IAM role session expiry duration configured for the permission set.  
+User removed from group that had an assigned application or AWS account | No - User can continue accessing IAM Identity Center | Effective immediately | Within 30 minutes | Within 12 hours or less. Duration depends on IAM role session expiry duration configured for the permission set.  
+Application or AWS account access removed from group | No - User can continue accessing IAM Identity Center | Effective immediately | Within 30 minutes | Within 12 hours or less. Duration depends on IAM role session expiry duration configured for the permission set.  
@@ -94 +94 @@ Application or AWS account access removed from group | No - User can continue ac
-The AWS access portal and AWS CLI will reflect updated user permissions within 1 hour after you add or remove a user from that group. 
+The AWS access portal and AWS CLI will reflect updated user permissions immediately after you add or remove a user from that group. If you use an external identity provider, changes take effect after your provider syncs the update to IAM Identity Center. 
@@ -98 +98 @@ The AWS access portal and AWS CLI will reflect updated user permissions within 1
-  * Effective immediately – Actions that require immediate re-authentication.
+  * Effective immediately – IAM Identity Center evaluates group membership and permission changes in real time. The next time a user attempts to create a new session, the change is enforced.
@@ -100 +100 @@ The AWS access portal and AWS CLI will reflect updated user permissions within 1
-  * Within 30 minutes - 2 hours – Application sessions need time to check with IAM Identity Center and discover any changes.
+  * Within 30 minutes – Existing application sessions end at their next refresh attempt, typically within 30 minutes.