AWS Security ChangesHomeSearch

AWS rolesanywhere documentation change

Service: rolesanywhere · 2026-07-10 · Documentation medium

File: rolesanywhere/latest/userguide/authentication-create-session.md

Summary

Added documentation about CloudTrail logging of signing characteristics in CreateSession requests for auditing authentication compliance.

Security assessment

The change documents new CloudTrail audit capabilities that log cryptographic signing details (e.g., missing headers, algorithm mismatches) during authentication. This improves security visibility but doesn't fix a vulnerability - it enhances auditing documentation for detecting non-compliant authentication attempts.

Diff

diff --git a/rolesanywhere/latest/userguide/authentication-create-session.md b/rolesanywhere/latest/userguide/authentication-create-session.md
index 809440b9f..330d30659 100644
--- a//rolesanywhere/latest/userguide/authentication-create-session.md
+++ b//rolesanywhere/latest/userguide/authentication-create-session.md
@@ -249 +249,3 @@ The `acceptRoleSessionName` option on a profile controls whether or not a role s
-By default, the `acceptRoleSessionName` attached to the profile is `false`. If you provide a custom role session name in the CreateSession request but custom role session names are not accepted, you will receive an `Access Denied` error. However, when a role session name is not presented in the CreateSession request, the role session name will default to the serial number of the end-entity X.509 certificate that was used to authenticate the request, even when the `acceptRoleSessionName` on the profile is `true`. 
+By default, the `acceptRoleSessionName` attached to the profile is `false`. If you provide a custom role session name in the CreateSession request but custom role session names are not accepted, you will receive an `Access Denied` error. However, when a CreateSession request does not include a role session name, the role session name defaults to the serial number of the end-entity X.509 certificate used to authenticate the request, even when the `acceptRoleSessionName` on the profile is `true`. 
+
+CloudTrail events for successfully authenticated `CreateSession` requests also include an `additionalEventData` object. This object records signing characteristics that IAM Roles Anywhere detected while authenticating the request. Examples include required signing headers not covered by the signature, and a mismatch between the declared signing algorithm and the certificate key type. Use these fields to audit whether the clients in your fleet conform to the IAM Roles Anywhere authentication signing process. For more information, see [CreateSession additionalEventData](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/logging-using-cloudtrail.html#create-session-additional-event-data).