AWS IAM documentation change
Summary
Added new condition key 'aws:SignInSessionArn' for OAuth-based sessions with documentation on usage, availability, and example policy
Security assessment
Introduces a new security-related condition key for session tracking but lacks evidence of addressing a specific vulnerability. Enhances security documentation by enabling session-based access control policies.
Diff
diff --git a/IAM/latest/UserGuide/reference_policies_condition-keys.md b/IAM/latest/UserGuide/reference_policies_condition-keys.md index 5031ddf5b..d8f76acdf 100644 --- a//IAM/latest/UserGuide/reference_policies_condition-keys.md +++ b//IAM/latest/UserGuide/reference_policies_condition-keys.md @@ -35 +35 @@ Properties of the principal | Properties of a role session | Properties of the n -`aws:PrincipalArn` `aws:PrincipalAccount` `aws:PrincipalOrgPaths` `aws:PrincipalOrgID` `aws:PrincipalTag/tag-key` `aws:PrincipalIsAWSService` `aws:PrincipalServiceName` `aws:PrincipalServiceNamesList` `aws:PrincipalType` `aws:userid` `aws:username` | `aws:AssumedRoot` `aws:FederatedProvider` `aws:TokenIssueTime` `aws:MultiFactorAuthAge` `aws:MultiFactorAuthPresent` `aws:ChatbotSourceArn` `aws:Ec2InstanceSourceVpc` `aws:Ec2InstanceSourcePrivateIPv4` `aws:SourceIdentity` `ec2:RoleDelivery` `ec2:SourceInstanceArn` `glue:RoleAssumedBy` `glue:CredentialIssuingService` `codebuild:BuildArn` `codebuild:ProjectArn` `lambda:SourceFunctionArn` `ssm:SourceInstanceArn` `identitystore:UserId` | `aws:SourceIp` `aws:SourceVpc` `aws:SourceVpcArn` `aws:SourceVpce` `aws:VpceAccount` `aws:VpceOrgID` `aws:VpceOrgPaths` `aws:VpcSourceIp` | `aws:ResourceAccount` `aws:ResourceOrgID` `aws:ResourceOrgPaths` `aws:ResourceTag/tag-key` | `aws:CalledVia` `aws:CalledViaFirst` `aws:CalledViaLast` `aws:CalledViaAWSMCP` `aws:ViaAWSService` `aws:ViaAWSMCPService` `aws:CurrentTime` `aws:EpochTime` `aws:referer` `aws:RequestedRegion` `aws:RequestTag/tag-key` `aws:TagKeys` `aws:SecureTransport` `aws:SourceAccount` `aws:SourceArn` `aws:SourceOrgID` `aws:SourceOrgPaths` `aws:UserAgent` `aws:IsMcpServiceAction` +`aws:PrincipalArn` `aws:PrincipalAccount` `aws:PrincipalOrgPaths` `aws:PrincipalOrgID` `aws:PrincipalTag/tag-key` `aws:PrincipalIsAWSService` `aws:PrincipalServiceName` `aws:PrincipalServiceNamesList` `aws:PrincipalType` `aws:userid` `aws:username` | `aws:AssumedRoot` `aws:FederatedProvider` `aws:TokenIssueTime` `aws:SignInSessionArn` `aws:MultiFactorAuthAge` `aws:MultiFactorAuthPresent` `aws:ChatbotSourceArn` `aws:Ec2InstanceSourceVpc` `aws:Ec2InstanceSourcePrivateIPv4` `aws:SourceIdentity` `ec2:RoleDelivery` `ec2:SourceInstanceArn` `glue:RoleAssumedBy` `glue:CredentialIssuingService` `codebuild:BuildArn` `codebuild:ProjectArn` `lambda:SourceFunctionArn` `ssm:SourceInstanceArn` `identitystore:UserId` | `aws:SourceIp` `aws:SourceVpc` `aws:SourceVpcArn` `aws:SourceVpce` `aws:VpceAccount` `aws:VpceOrgID` `aws:VpceOrgPaths` `aws:VpcSourceIp` | `aws:ResourceAccount` `aws:ResourceOrgID` `aws:ResourceOrgPaths` `aws:ResourceTag/tag-key` | `aws:CalledVia` `aws:CalledViaFirst` `aws:CalledViaLast` `aws:CalledViaAWSMCP` `aws:ViaAWSService` `aws:ViaAWSMCPService` `aws:CurrentTime` `aws:EpochTime` `aws:referer` `aws:RequestedRegion` `aws:RequestTag/tag-key` `aws:TagKeys` `aws:SecureTransport` `aws:SourceAccount` `aws:SourceArn` `aws:SourceOrgID` `aws:SourceOrgPaths` `aws:UserAgent` `aws:IsMcpServiceAction` @@ -553,0 +554,41 @@ To learn which services support using temporary credentials, see [AWS services t +### aws:SignInSessionArn + +Use this key to compare your AWS Sign-In OAuth session with the session that you specify in the policy. + +When you use an OAuth-based flow such as AWS CLI login (`aws login`) or AWS MCP Server, AWS Sign-In includes a sign-in session ARN in the issued credentials. AWS Sign-In propagates that ARN to subsequent requests made using OAuth access tokens. With this key, you can correlate API activity with the originating sign-in session and apply IAM policies to individual sessions. + +For interactive OAuth flows, the refresh token determines the sign-in session ARN lifecycle. A new access token issued during a refresh continues to carry the same sign-in session ARN. + +For non-interactive OAuth flows, the access token determines the sign-in session ARN lifecycle. Each new access token contains a new sign-in session ARN. + + * **Availability** – This key is included in the request context when the request originates from an AWS Sign-In OAuth session. This key is not available for console sessions. + + * **Data type** – [ARN](./reference_policies_elements_condition_operators.html#Conditions_ARN) + + * **Value type** – Single-valued + + + + +Use ARN operators instead of string operators when you compare ARNs. + +The following policy denies all actions associated with a specific AWS Sign-In session, although requests from other active sessions continue: + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "DenySpecificSignInSession", + "Effect": "Deny", + "Action": "*", + "Resource": "*", + "Condition": { + "ArnEquals": { + "aws:SignInSessionArn": "arn:aws:signin:us-east-1:111122223333:session/session-id" + } + } + } + ] + } +