AWS IAM Release Notes

Document history for the AWS IAM User Guide.

  • IAM condition context keys for service-specific credential APIs
    on September 4, 2025 at 7:00 pm

    IAM now supports two new condition context keys for controlling access to service-specific credential APIs: iam:ServiceSpecificCredentialAgeDays and iam:ServiceSpecificCredentialServiceName. These keys allow you to restrict the creation and management of service-specific credentials based on expiration settings and permitted AWS services.

  • VPC endpoint condition keys for network perimeter controls
    on August 28, 2025 at 7:00 pm

    IAM now supports three new AWS global condition context keys for implementing scalable network perimeter controls: aws:VpceAccount, aws:VpceOrgID, and aws:VpceOrgPaths. These keys help ensure requests come through VPC endpoints owned by specific accounts, organizations, or organizational units, automatically scaling with your VPC endpoint usage without requiring policy updates when you create new endpoints. For more information, see Establish permissions guardrails using data perimeters.

  • IAM SAML federation AWS CloudFormation tutorials
    on August 25, 2025 at 7:00 pm

    IAM added new tutorials for creating SAML identity providers (IdPs) and federated roles using AWS CloudFormation.

  • Additional shared OIDC provider controls for shared OIDC providers
    on August 1, 2025 at 7:00 pm

    IAM now includes Amazon Cognito, Azure Sentinel, Pulumi Cloud, and Vercel global endpoint in the list of shared OIDC identity providers that require explicit evaluation of specific claims in JSON Web Tokens (JWTs).

  • IAM Access Analyzer added internal access analyzers
    on June 16, 2025 at 7:00 pm

    IAM Access Analyzer helps you identify which principals within your organization or account have access to selected business-critical resources. Internal access analyzers support implementing the principle of least privilege by ensuring that your specified resources can only be accessed by the intended principals within your AWS organization or account.

  • Identity provider controls for shared OIDC providers
    on June 6, 2025 at 7:00 pm

    IAM now requires explicit evaluation of specific claims in JSON Web Tokens (JWTs) for recognized shared OIDC identity providers. This security control ensures that only authorized identities from the intended organization can assume roles and access AWS resources.

  • IAMUserChangePassword – Added permissions
    on May 28, 2025 at 7:00 pm

    IAM added permissions to IAMUserChangePassword to allow users specified within a path.

  • AccessAnalyzerServiceRolePolicy – Added permissions
    on May 12, 2025 at 7:00 pm

    IAM Access Analyzer added iam:GetAccountAuthorizationDetails to the service-level permissions of AccessAnalyzerServiceRolePolicy.

  • AccessAnalyzerServiceRolePolicy – Added permissions
    on March 31, 2025 at 7:00 pm

    IAM Access Analyzer added Amazon S3 directory bucket access points to the service-level permissions of AccessAnalyzerServiceRolePolicy.

  • IAM dual-stack endpoint support
    on March 20, 2025 at 7:00 pm

    IAM now provides improved dual-stack endpoint support that enables clients to communicate with IAM using either IPv4 or IPv6 addresses.

  • Updates to policy evaluation logic
    on January 30, 2025 at 7:00 pm

    Enhanced documentation for policy evaluation logic, including improved flow charts and clearer explanations of how AWS evaluates policies to determine whether to allow or deny a request.

  • IAMDeleteRootUserCredentials – Removed permissions
    on January 7, 2025 at 7:00 pm

    IAM removed the iam:DeleteVirtualMFADevice permission from the IAMDeleteRootUserCredentials managed policy.

  • AccessAnalyzerServiceRolePolicy – Added permissions
    on December 10, 2024 at 7:00 pm

    IAM Access Analyzer added permission to retrieve information about Amazon ECR account settings and registry policies to the service-level permissions of AccessAnalyzerServiceRolePolicy.

  • AWS managed policy update – New policies
    on November 14, 2024 at 7:00 pm

    IAM added two new policies to scope permissions for privileged root user sessions that you can initiate after you centralize root user access for member accounts in your organization.

  • Centrally manage root access for member accounts
    on November 14, 2024 at 7:00 pm

    You can now manage privileged root user credentials across member accounts in AWS Organizations with centralized root access. Centrally secure the root user credentials of your AWS accounts managed using AWS Organizations to remove and prevent root user credential recovery and access at scale.

  • IAM Access Analyzer added access configuration
    on November 14, 2024 at 7:00 pm

    IAM Access Analyzer added support to configure analyzers to change the scope of which AWS accounts, IAM users, and roles generate findings.

  • Support for AWS Organizations resource control policies (RCPs)
    on November 13, 2024 at 7:00 pm

    Use an AWS Organizations resource control policy (RCP) to define the maximum permissions for resources within accounts in your organization or organizational unit (OU). RCPs limit permissions that identity-based and resource-based policies can grant to resources in accounts within your organization.

  • AccessAnalyzerServiceRolePolicy – Added permissions
    on October 29, 2024 at 7:00 pm

    IAM Access Analyzer added permission to retrieve information about IAM user and role tags to the service-level permissions of AccessAnalyzerServiceRolePolicy.

  • SAML encryption support enhancements
    on June 5, 2024 at 7:00 pm

    Enhanced documentation for SAML encryption support in IAM SAML providers, including improved troubleshooting guidance and clarification on service compatibility.

  • AccessAnalyzerServiceRolePolicy – Added permissions
    on May 30, 2024 at 7:00 pm

    IAM Access Analyzer added permission to retrieve information about IAM user and role policies to the service-level permissions of AccessAnalyzerServiceRolePolicy.

  • Encryption support for SAML identity providers
    on February 4, 2024 at 7:00 pm

    IAM SAML providers now support encrypted assertions in the SAML response from your external IdP. To understand how encryption works with IAM SAML federation, see Using SAML-based federation for API access.

  • AccessAnalyzerServiceRolePolicy – Added permissions
    on January 23, 2024 at 7:00 pm

    IAM Access Analyzer added permission to retrieve the current state of block public access for Amazon EC2 snapshots to the service-level permissions of AccessAnalyzerServiceRolePolicy.

  • AccessAnalyzerServiceRolePolicy – Added permissions
    on January 11, 2024 at 7:00 pm

    IAM Access Analyzer added DynamoDB streams and tables to the service-level permissions of AccessAnalyzerServiceRolePolicy.

  • AccessAnalyzerServiceRolePolicy – Added permissions
    on December 1, 2023 at 7:00 pm

    IAM Access Analyzer added Amazon S3 directory buckets to the service-level permissions of AccessAnalyzerServiceRolePolicy.

  • AccessAnalyzerServiceRolePolicy – Added permissions
    on November 26, 2023 at 7:00 pm

    IAM Access Analyzer added IAM actions to the service-level permissions of AccessAnalyzerServiceRolePolicy to support the following actions:

  • IAM Access Analyzer added custom policy checks
    on November 26, 2023 at 7:00 pm

    IAM Access Analyzer now provides custom policy checks to validate that IAM policies adhere to your security standards ahead of deployments.

  • IAM Access Analyzer added unused access analyzers
    on November 26, 2023 at 7:00 pm

    IAM Access Analyzer simplifies inspecting unused access to guide you toward least privilege. IAM Access Analyzer continuously analyzes your accounts to identify unused access and creates a centralized dashboard with findings.

  • IAMAccessAnalyzerReadOnlyAccess – Added permissions
    on November 26, 2023 at 7:00 pm

    IAM Access Analyzer added permissions to IAMAccessAnalyzerReadOnlyAccess to allow you to check whether updates to your policies grant additional access.

  • Action last accessed information and policy generation support for over 60 additional services and actions
    on November 1, 2023 at 7:00 pm

    IAM now supports action last accessed information and generates policies with action-level information for over 60 additional services, along with a list of the actions for which action last accessed information is available.

  • Action last accessed information support for over 140 services
    on September 14, 2023 at 7:00 pm

    IAM now provides action last accessed information for more than 140 services, along with a list of the actions for which action last accessed information is available.

  • Support for multiple multi-factor authentication (MFA) devices for root users and IAM users
    on November 16, 2022 at 7:00 pm

    You can now add up to eight MFA devices per user, including FIDO security keys, software time-based one-time password (TOTP) with virtual authenticator applications, or hardware TOTP tokens.
