AWS Security ChangesHomeSearch

AWS IAM documentation change

Service: IAM · 2026-07-10 · Documentation low

File: IAM/latest/UserGuide/reference_policies_condition-keys.md

Summary

Added new condition key 'aws:SignInSessionArn' for OAuth-based sessions with documentation on usage, availability, and example policy

Security assessment

Introduces a new security-related condition key for session tracking but lacks evidence of addressing a specific vulnerability. Enhances security documentation by enabling session-based access control policies.

Diff

diff --git a/IAM/latest/UserGuide/reference_policies_condition-keys.md b/IAM/latest/UserGuide/reference_policies_condition-keys.md
index 5031ddf5b..d8f76acdf 100644
--- a//IAM/latest/UserGuide/reference_policies_condition-keys.md
+++ b//IAM/latest/UserGuide/reference_policies_condition-keys.md
@@ -35 +35 @@ Properties of the principal | Properties of a role session | Properties of the n
-`aws:PrincipalArn` `aws:PrincipalAccount` `aws:PrincipalOrgPaths` `aws:PrincipalOrgID` `aws:PrincipalTag/tag-key` `aws:PrincipalIsAWSService` `aws:PrincipalServiceName` `aws:PrincipalServiceNamesList` `aws:PrincipalType` `aws:userid` `aws:username` |  `aws:AssumedRoot` `aws:FederatedProvider` `aws:TokenIssueTime` `aws:MultiFactorAuthAge` `aws:MultiFactorAuthPresent` `aws:ChatbotSourceArn` `aws:Ec2InstanceSourceVpc` `aws:Ec2InstanceSourcePrivateIPv4` `aws:SourceIdentity` `ec2:RoleDelivery` `ec2:SourceInstanceArn` `glue:RoleAssumedBy` `glue:CredentialIssuingService` `codebuild:BuildArn` `codebuild:ProjectArn` `lambda:SourceFunctionArn` `ssm:SourceInstanceArn` `identitystore:UserId` |  `aws:SourceIp` `aws:SourceVpc` `aws:SourceVpcArn` `aws:SourceVpce` `aws:VpceAccount` `aws:VpceOrgID` `aws:VpceOrgPaths` `aws:VpcSourceIp` |  `aws:ResourceAccount` `aws:ResourceOrgID` `aws:ResourceOrgPaths` `aws:ResourceTag/tag-key` |  `aws:CalledVia` `aws:CalledViaFirst` `aws:CalledViaLast` `aws:CalledViaAWSMCP` `aws:ViaAWSService` `aws:ViaAWSMCPService` `aws:CurrentTime` `aws:EpochTime` `aws:referer` `aws:RequestedRegion` `aws:RequestTag/tag-key` `aws:TagKeys` `aws:SecureTransport` `aws:SourceAccount` `aws:SourceArn` `aws:SourceOrgID` `aws:SourceOrgPaths` `aws:UserAgent` `aws:IsMcpServiceAction`  
+`aws:PrincipalArn` `aws:PrincipalAccount` `aws:PrincipalOrgPaths` `aws:PrincipalOrgID` `aws:PrincipalTag/tag-key` `aws:PrincipalIsAWSService` `aws:PrincipalServiceName` `aws:PrincipalServiceNamesList` `aws:PrincipalType` `aws:userid` `aws:username` |  `aws:AssumedRoot` `aws:FederatedProvider` `aws:TokenIssueTime` `aws:SignInSessionArn` `aws:MultiFactorAuthAge` `aws:MultiFactorAuthPresent` `aws:ChatbotSourceArn` `aws:Ec2InstanceSourceVpc` `aws:Ec2InstanceSourcePrivateIPv4` `aws:SourceIdentity` `ec2:RoleDelivery` `ec2:SourceInstanceArn` `glue:RoleAssumedBy` `glue:CredentialIssuingService` `codebuild:BuildArn` `codebuild:ProjectArn` `lambda:SourceFunctionArn` `ssm:SourceInstanceArn` `identitystore:UserId` |  `aws:SourceIp` `aws:SourceVpc` `aws:SourceVpcArn` `aws:SourceVpce` `aws:VpceAccount` `aws:VpceOrgID` `aws:VpceOrgPaths` `aws:VpcSourceIp` |  `aws:ResourceAccount` `aws:ResourceOrgID` `aws:ResourceOrgPaths` `aws:ResourceTag/tag-key` |  `aws:CalledVia` `aws:CalledViaFirst` `aws:CalledViaLast` `aws:CalledViaAWSMCP` `aws:ViaAWSService` `aws:ViaAWSMCPService` `aws:CurrentTime` `aws:EpochTime` `aws:referer` `aws:RequestedRegion` `aws:RequestTag/tag-key` `aws:TagKeys` `aws:SecureTransport` `aws:SourceAccount` `aws:SourceArn` `aws:SourceOrgID` `aws:SourceOrgPaths` `aws:UserAgent` `aws:IsMcpServiceAction`  
@@ -553,0 +554,41 @@ To learn which services support using temporary credentials, see [AWS services t
+### aws:SignInSessionArn
+
+Use this key to compare your AWS Sign-In OAuth session with the session that you specify in the policy.
+
+When you use an OAuth-based flow such as AWS CLI login (`aws login`) or AWS MCP Server, AWS Sign-In includes a sign-in session ARN in the issued credentials. AWS Sign-In propagates that ARN to subsequent requests made using OAuth access tokens. With this key, you can correlate API activity with the originating sign-in session and apply IAM policies to individual sessions.
+
+For interactive OAuth flows, the refresh token determines the sign-in session ARN lifecycle. A new access token issued during a refresh continues to carry the same sign-in session ARN.
+
+For non-interactive OAuth flows, the access token determines the sign-in session ARN lifecycle. Each new access token contains a new sign-in session ARN.
+
+  * **Availability** – This key is included in the request context when the request originates from an AWS Sign-In OAuth session. This key is not available for console sessions.
+
+  * **Data type** – [ARN](./reference_policies_elements_condition_operators.html#Conditions_ARN)
+
+  * **Value type** – Single-valued
+
+
+
+
+Use ARN operators instead of string operators when you compare ARNs.
+
+The following policy denies all actions associated with a specific AWS Sign-In session, although requests from other active sessions continue:
+    
+    
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Sid": "DenySpecificSignInSession",
+          "Effect": "Deny",
+          "Action": "*",
+          "Resource": "*",
+          "Condition": {
+            "ArnEquals": {
+              "aws:SignInSessionArn": "arn:aws:signin:us-east-1:111122223333:session/session-id"
+            }
+          }
+        }
+      ]
+    }
+