Periodic update - 11/27/19-2:32pm PDT

doc_source/access_policies_boundaries.md

@@ -38,7 +38,7 @@ When you use a policy to set the permissions boundary for a user, it limits the
 }
 ```
 
-This policy allows creating a user in IAM\. If you attach this policy to the `ShirleyRodriguez` user, and Shirley tries to create a user, the operation fails\. It fails because the policy evaluation logic checks the policy used as the permissions boundary, which does not allow the `iam:CreateUser` operation\. To allow Shirley to perform any operations in AWS, you must add a permissions policy with actions in Amazon S3, Amazon CloudWatch, or Amazon EC2\. Alternatively, you could update the permissions boundary to allow her to create a user in IAM\.
+This policy allows creating a user in IAM\. If you attach this permissions policy to the `ShirleyRodriguez` user, and Shirley tries to create a user, the operation fails\. It fails because the permissions boundary does not allow the `iam:CreateUser` operation\. Given these two policies, Shirley does not have permission to perform any operations in AWS\. You must add a different permissions policy to allow actions in other services, such as Amazon S3\. Alternatively, you could update the permissions boundary to allow her to create a user in IAM\.
 
 ## Evaluating Effective Permissions with Boundaries<a name="access_policies_boundaries-eval-logic"></a>
 

doc_source/access_policies_create.md

@@ -9,7 +9,7 @@ You can create a new IAM policy in the AWS Management Console using one of the f
 
 You can create an inline policy in the AWS Management Console\. An inline policy is one that you create and embed directly to an IAM group, user, or role\. To learn more, see [Adding and Removing IAM Identity Permissions](access_policies_manage-attach-detach.md)\. You cannot create AWS managed policies\.
 
-For information about policy size limitations and other quotas, see [Limitations on IAM Entities and Objects](reference_iam-limits.md)\.
+For information about policy size limitations and other quotas, see [IAM and STS Limits](reference_iam-limits.md)\.
 
 **Topics**
 + [Creating IAM Policies \(Console\)](#access_policies_create-start)

doc_source/access_policies_manage-attach-detach.md

@@ -30,7 +30,7 @@ You can use the console, AWS CLI, or AWS API to perform any of these actions\.
 + For more information about the difference between managed and inline policies, see [Managed Policies and Inline Policies](access_policies_managed-vs-inline.md)\. 
 + For more information about permissions boundaries, see [Permissions Boundaries for IAM Entities](access_policies_boundaries.md)\.
 + For general information about IAM policies, see [Policies and Permissions](access_policies.md)\.
-+ For information about policy size limitations, see [Limitations on IAM Entities and Objects](reference_iam-limits.md)\.
++ For information about policy size limitations, see [IAM and STS Limits](reference_iam-limits.md)\.
 
 ## View Identity Activity<a name="attach-detach_prerequisites"></a>
 

doc_source/access_policies_manage-delete.md

@@ -6,7 +6,7 @@ For more information about the difference between managed and inline policies, s
 
 For general information about IAM policies, see [Policies and Permissions](access_policies.md)\.
 
-For information about policy size limitations and other quotas, see [Limitations on IAM Entities and Objects](reference_iam-limits.md)\.
+For information about policy size limitations and other quotas, see [IAM and STS Limits](reference_iam-limits.md)\.
 
 **Topics**
 + [View Policy Access](#manage-delete_prerequisites)

doc_source/access_policies_manage-edit.md

@@ -1,6 +1,6 @@
 # Editing IAM Policies<a name="access_policies_manage-edit"></a>
 
-A [policy](access_policies.md) is an entity that, when attached to an identity or resource, defines their permissions\. Policies are stored in AWS as JSON documents and are attached to principals as *identity\-based policies* in IAM\. You can attach an identity\-based policy to a principal \(or identity\), such as an IAM group, user, or role\. Identity\-based policies include AWS managed policies, customer managed policies, and [inline policies](access_policies_managed-vs-inline.md)\. You can edit customer managed policies and inline policies in IAM\. AWS managed policies cannot be edited\. For information about policy size limitations and other quotas, see [Limitations on IAM Entities and Objects](reference_iam-limits.md)\.
+A [policy](access_policies.md) is an entity that, when attached to an identity or resource, defines their permissions\. Policies are stored in AWS as JSON documents and are attached to principals as *identity\-based policies* in IAM\. You can attach an identity\-based policy to a principal \(or identity\), such as an IAM group, user, or role\. Identity\-based policies include AWS managed policies, customer managed policies, and [inline policies](access_policies_managed-vs-inline.md)\. You can edit customer managed policies and inline policies in IAM\. AWS managed policies cannot be edited\. For information about policy size limitations and other quotas, see [IAM and STS Limits](reference_iam-limits.md)\.
 
 **Topics**
 + [View Policy Access](#manage-edit_prerequisites)

doc_source/access_policies_manage.md

@@ -6,7 +6,7 @@ Consult these resources for details:
 + For more information about the different types of IAM policies, see [Policies and Permissions](access_policies.md)\. 
 + For general information about using policies within IAM, see [Access Management](access.md)\.
 + For information about how permissions are evaluated when multiple policies are in effect for a given IAM principal entity, see [Policy Evaluation Logic](reference_policies_evaluation-logic.md)\.
-+ For information about policy size and naming limitations, see [Limitations on IAM Entities and Objects](reference_iam-limits.md)\.
++ For information about policy size and naming limitations, see [IAM and STS Limits](reference_iam-limits.md)\.
 
 **Topics**
 + [Creating IAM Policies](access_policies_create.md)

doc_source/cloudtrail-integration.md

@@ -115,7 +115,7 @@ The following table shows how CloudTrail logs different information for each of
 
 ****  
 
-| Principal Type | STS API | User Identity in CloudTrail Log for Caller's Account | User Identity in CloudTrail Log for the Assumed Role's Account | User Identity in CloudTrail Log for the Role's Subsequent API calls | 
+| Principal Type | STS API | User Identity in CloudTrail Log for Caller's Account | User Identity in CloudTrail Log for the Assumed Role's Account | User Identity in CloudTrail Log for the Role's Subsequent API Calls | 
 | --- | --- | --- | --- | --- | 
 | AWS account root user credentials | GetSessionToken | Root user identity | Role owner account is same as calling account | Root user identity | 
 | IAM user | GetSessionToken | IAM user identity | Role owner account is same as calling account | IAM user identity | 
@@ -262,6 +262,86 @@ The second example shows the assumed role account's \(111122223333\) CloudTrail
 }
 ```
 
+### Example AWS STS Role Chaining API Event in CloudTrail Log File<a name="stscloudtrailexample-assumerole"></a>
+
+The following example shows a CloudTrail log entry for a request made by John Doe in account 111111111111\. John previously used his `JohnDoe` user to assume the `JohnRole1` role\. For this request, he uses the credentials from that role to assume the `JonRole2` role\. This is known as [role chaining](id_roles_terms-and-concepts.md#iam-term-role-chaining)\. John passes two [session tags](id_session-tags.md) into the request\. He sets those two tags as transitive\. The request inherits the `Department` tag as transitive because John set it as transitive when he assumed `JohnRole1`\. For more information about transitive keys in role chains, see [Chaining Roles with Session Tags](id_session-tags.md#id_session-tags_role-chaining)\.
+
+```
+{
+    "eventVersion": "1.05",
+    "userIdentity": {
+        "type": "AssumedRole",
+        "principalId": "AROAIN5ATK5U7KEXAMPLE:JohnRole1",
+        "arn": "arn:aws:sts::111111111111:assumed-role/JohnDoe/JohnRole1",
+        "accountId": "111111111111",
+        "accessKeyId": "AKIAI44QH8DHBEXAMPLE",
+        "sessionContext": {
+            "attributes": {
+                "mfaAuthenticated": "false",
+                "creationDate": "2019-10-02T21:50:54Z"
+            },
+            "sessionIssuer": {
+                "type": "Role",
+               "principalId": "AROAIN5ATK5U7KEXAMPLE",
+                "arn": "arn:aws:iam::111111111111:role/JohnRole1",
+                "accountId": "111111111111",
+                "userName": "JohnDoe"
+            }
+        }
+    },
+    "eventTime": "2019-10-02T22:12:29Z",
+    "eventSource": "sts.amazonaws.com",
+    "eventName": "AssumeRole",
+    "awsRegion": "us-east-2",
+    "sourceIPAddress": "123.145.67.89",
+    "userAgent": "aws-cli/1.16.248 Python/3.4.7 Linux/4.9.184-0.1.ac.235.83.329.metal1.x86_64 botocore/1.12.239",
+    "requestParameters": {
+        "incomingTransitiveTags": {
+            "Department": "Engineering"
+        },
+        "tags": [
+            {
+                "value": "johndoe@example.com",
+                "key": "Email"
+            },
+            {
+                "value": "12345",
+                "key": "CostCenter"
+            }
+        ],
+        "roleArn": "arn:aws:iam::111111111111:role/JohnRole2",
+        "roleSessionName": "Role2WithTags",
+        "transitiveTagKeys": [
+            "Email",
+            "CostCenter"
+        ],
+        "durationSeconds": 3600
+    },
+    "responseElements": {
+        "credentials": {
+            "accessKeyId": "ASIAWHOJDLGPOEXAMPLE",
+            "expiration": "Oct 2, 2019 11:12:29 PM",
+            "sessionToken": "AgoJb3JpZ2luX2VjEB4aCXVzLXdlc3QtMSJHMEXAMPLETOKEN+//rJb8Lo30mFc5MlhFCEbubZvEj0wHB/mDMwIgSEe9gk/Zjr09tZV7F1HDTMhmEXAMPLETOKEN/iEJ/rkqngII9///////////ARABGgw0MjgzMDc4NjM5NjYiDLZjZFKwP4qxQG5sFCryASO4UPz5qE97wPPH1eLMvs7CgSDBSWfonmRTCfokm2FN1+hWUdQQH6adjbbrVLFL8c3jSsBhQ383AvxpwK5YRuDE1AI/+C+WKFZb701eiv9J5La2EXAMPLETOKEN/c7S5Iro1WUJ0q3Cxuo/8HUoSxVhQHM7zF7mWWLhXLEQ52ivL+F6q5dpXu4aTFedpMfnJa8JtkWwG9x1Axj0Ypy2ok8v5unpQGWych1vwdvj6ez1Dm8Xg1+qIzXILiEXAMPLETOKEN/vQGqu8H+nxp3kabcrtOvTFTvxX6vsc8OGwUfHhzAfYGEXAMPLETOKEN/L6v1yMM3B1OwFOrQBno1HEjf1oNI8RnQiMNFdUOtwYj7HUZIOCZmjfN8PPHq77N7GJl9lzvIZKQA0Owcjg+mc78zHCj8y0siY8C96paEXAMPLETOKEN/E3cpksxWdgs91HRzJWScjN2+r2LTGjYhyPqcmFzzo2mCE7mBNEXAMPLETOKEN/oJy+2o83YNW5tOiDmczgDzJZ4UKR84yGYOMfSnF4XcEJrDgAJ3OJFwmTcTQICAlSwLEXAMPLETOKEN"
+        },
+        "assumedRoleUser": {
+            "assumedRoleId": "AROAIFR7WHDTSOYQYHFUE:Role2WithTags",
+            "arn": "arn:aws:sts::111111111111:assumed-role/test-role/Role2WithTags"
+        }
+    },
+    "requestID": "b96b0e4e-e561-11e9-8b3f-7b396EXAMPLE",
+    "eventID": "1917948f-3042-46ec-98e2-62865EXAMPLE",
+    "resources": [
+        {
+            "ARN": "arn:aws:iam::111122223333:role/JohnRole2",
+            "accountId": "111111111111",
+            "type": "AWS::IAM::Role"
+        }
+    ],
+    "eventType": "AwsApiCall",
+    "recipientAccountId": "111111111111"
+}
+```
+
 ### Example AWS Service AWS STS API Event in CloudTrail Log File<a name="stscloudtrailexample_service"></a>
 
 The following example shows a CloudTrail log entry for a request made by an AWS service calling another service API using permissions from a service role\. It shows the CloudTrail log entry for the request made in account 777788889999\.
@@ -308,68 +388,77 @@ The following example shows a CloudTrail log entry for a request made by an AWS
 
 ### Example SAML AWS STS API Event in CloudTrail Log File<a name="stscloudtrailexample_saml"></a>
 
-The following example shows a CloudTrail log entry for a request made for the AWS STS `AssumeRoleWithSAML` action\.
+The following example shows a CloudTrail log entry for a request made for the AWS STS `AssumeRoleWithSAML` action\. The request includes the SAML attributes `CostCenter` and `Project` that are passed through the SAML assertion as [session tags](id_session-tags.md)\. Those tags are set as transitive so that they [persist in role chaining scenarios](id_session-tags.md#id_session-tags_role-chaining)\.
 
 ```
 {
-  "eventVersion": "1.05",
-  "userIdentity": {
-    "type": "SAMLUser",
-    "principalId": "<id of identity provider>:<canonical id of user>",
-    "userName": "<canonical id of user>",
-    "identityProvider": "<id of identity provider>"
-  },
-  "eventTime": "2016-03-23T01:39:57Z",
-  "eventSource": "sts.amazonaws.com",
-  "eventName": "AssumeRoleWithSAML",
-  "awsRegion": "us-east-2",
-  "sourceIPAddress": "192.0.2.101",
-  "userAgent": "aws-cli/1.3.23 Python/2.7.6 Linux/2.6.18-164.el5",
-  "requestParameters": {
-    "sAMLAssertionID": "_c0046cEXAMPLEb9d4b8eEXAMPLE2619aEXAMPLE",
-    "roleSessionName": "MyAssignedRoleSessionName",
-    "durationSeconds": 3600,
-    "roleArn": "arn:aws:iam::444455556666:role/SAMLTestRoleShibboleth",
-    "principalArn": "arn:aws:iam::444455556666:saml-provider/Shibboleth"
-  },
-  "responseElements": {
-    "subjectType": "transient",
-    "issuer": "https://server.example.com/idp/shibboleth",
-    "credentials": {
-      "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
-      "expiration": "Mar 23, 2016 2:39:57 AM",
-      "sessionToken": "<encoded session token blob>"
+    "eventVersion": "1.05",
+    "userIdentity": {
+        "type": "SAMLUser",
+        "principalId": "SampleUkh1i4+ExamplexL/jEvs=:SamlExample",
+        "userName": "SamlExample",
+        "identityProvider": "bdGOnTesti4+ExamplexL/jEvs="
     },
-    "nameQualifier": "<id of identity provider>",
-    "assumedRoleUser": {
-      "assumedRoleId": "AROAD35QRSTUVWEXAMPLE:MyAssignedRoleSessionName",
-      "arn": "arn:aws:sts::444455556666:assumed-role/SAMLTestRoleShibboleth/MyAssignedRoleSessionName"
+    "eventTime": "2019-11-01T19:14:36Z",
+    "eventSource": "sts.amazonaws.com",
+    "eventName": "AssumeRoleWithSAML",
+    "awsRegion": "us-east-2",
+    "sourceIPAddress": "192.0.2.101",
+    "userAgent": "aws-cli/1.16.263 Python/3.4.7 Linux/4.9.184-0.1.ac.235.83.329.metal1.x86_64 botocore/1.12.253",
+    "requestParameters": {
+        "sAMLAssertionID": "_c0046cEXAMPLEb9d4b8eEXAMPLE2619aEXAMPLE",
+        "roleSessionName": "MyAssignedRoleSessionName",
+        "principalTags": {
+            "CostCenter": "987654",
+            "Project": "Unicorn",
+            "Department": "Engineering"
+        },
+        "transitiveTagKeys": [
+            "CostCenter",
+            "Project"
+        ],
+        "durationSeconds": 3600,
+        "roleArn": "arn:aws:iam::444455556666:role/SAMLTestRoleShibboleth",
+        "principalArn": "arn:aws:iam::444455556666:saml-provider/Shibboleth"
     },
-    "subject": "<canonical id of user>",
-    "audience": "https://signin.aws.amazon.com/saml"
-  },
-  "resources": [  
-    { 
-      "ARN": "arn:aws:iam::444455556666:role/SAMLTestRoleShibboleth",   
-      "accountId": "444455556666",
-      "type": "AWS::IAM::Role" 
+    "responseElements": {
+        "subjectType": "transient",
+        "issuer": "https://server.example.com/idp/shibboleth",
+        "credentials": {
+            "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
+            "expiration": "Mar 23, 2016 2:39:57 AM",
+            "sessionToken": "<encoded session token blob>"
+        },
+        "nameQualifier": "bdGOnTesti4+ExamplexL/jEvs=",
+        "assumedRoleUser": {
+            "assumedRoleId": "AROAD35QRSTUVWEXAMPLE:MyAssignedRoleSessionName",
+            "arn": "arn:aws:sts::444455556666:assumed-role/SAMLTestRoleShibboleth/MyAssignedRoleSessionName"
+        },
+        "subject": "SamlExample",
+        "audience": "https://signin.aws.amazon.com/saml"
     },
-    {
-      "ARN": "arn:aws:iam::444455556666:saml-provider/test-saml-provider",   
-      "accountId": "444455556666",
-      "type": "AWS::IAM::SAMLProvider" 
-    }
-  ],
-  "requestID": "6EXAMPLE-e595-11e5-b2c7-c974fEXAMPLE",
-  "eventID": "dEXAMPLE-265a-41e0-9352-4401bEXAMPLE",
-  "eventType": "AwsApiCall",
-  "recipientAccountId": "444455556666"
+    "resources": [
+        {
+            "ARN": "arn:aws:iam::444455556666:role/SAMLTestRoleShibboleth",
+            "accountId": "444455556666",
+            "type": "AWS::IAM::Role"
+        },
+        {
+            "ARN": "arn:aws:iam::444455556666:saml-provider/test-saml-provider",
+            "accountId": "444455556666",
+            "type": "AWS::IAM::SAMLProvider"
+        }
+    ],
+    "requestID": "6EXAMPLE-e595-11e5-b2c7-c974fEXAMPLE",
+    "eventID": "dEXAMPLE-265a-41e0-9352-4401bEXAMPLE",
+    "eventType": "AwsApiCall",
+    "recipientAccountId": "444455556666"
 }
 ```
 
 ### Example Web Identity AWS STS API Event in CloudTrail Log File<a name="stscloudtrailexample_web-identity"></a>
 
-The following example shows a CloudTrail log entry for a request made for the AWS STS `AssumeRoleWithWebIdentity` action\.
+The following example shows a CloudTrail log entry for a request made for the AWS STS `AssumeRoleWithWebIdentity` action\. The request includes the attributes `CostCenter` and `Project` that are passed through the identity provider token as [session tags](id_session-tags.md)\. Those tags are set as transitive so that they [persist in role chaining scenarios](id_session-tags.md#id_session-tags_role-chaining)\.
 
 ```
 {
@@ -390,6 +479,14 @@ The following example shows a CloudTrail log entry for a request made for the AW
     "durationSeconds": 3600,
     "roleArn": "arn:aws:iam::444455556666:role/FederatedWebIdentityRole",
     "roleSessionName": "MyAssignedRoleSessionName"
+        "principalTags": {
+            "CostCenter": "24680",
+            "Project": "Pegasus"
+        },
+        "transitiveTagKeys": [
+            "CostCenter",
+            "Project"
+        ],
   },
   "responseElements": {
     "provider": "accounts.google.com",

doc_source/console.md

@@ -10,7 +10,7 @@ We strongly recommend that you do not use the root user for your everyday tasks,
 This section provides information about the AWS Management Console sign\-in page\. It explains how to create a unique sign\-in URL for IAM users in your account, and how to sign in as the root user\. 
 
 **Note**  
-If your organization has an existing identity system, you might want to create a single sign\-on \(SSO\) option\. SSO gives users access to the AWS Management Console for your account without requiring them to have an IAM user identity\. SSO also eliminates the need for users to sign in to your organization's site and to AWS separately\. For more information, see [Creating a URL that Enables Federated Users to Access the AWS Management Console \(Custom Federation Broker\)](id_roles_providers_enable-console-custom-url.md)\. 
+If your organization has an existing identity system, you might want to create a single sign\-on \(SSO\) option\. SSO gives users access to the AWS Management Console for your account without requiring them to have an IAM user identity\. SSO also eliminates the need for users to sign in to your organization's site and to AWS separately\. For more information, see [Enabling Custom Identity Broker Access to the AWS Console](id_roles_providers_enable-console-custom-url.md)\. 
 
 ## The IAM User Sign\-in Page<a name="user-sign-in-page"></a>
 

doc_source/console_account-alias.md

@@ -55,7 +55,7 @@ You can use the AWS Management Console, the IAM API, or the command line interfa
 
 **Important**  
 Your AWS account can have only one alias\. If you create a new alias for your AWS account, the new alias overwrites the previous alias, and the URL containing the previous alias stops working\.
-The account alias must be unique across all Amazon Web Services products\. It must contain only digits, lowercase letters, and hyphens\. For more information on limitations on AWS account entities, see [Limitations on IAM Entities and Objects](reference_iam-limits.md)\.
+The account alias must be unique across all Amazon Web Services products\. It must contain only digits, lowercase letters, and hyphens\. For more information on limitations on AWS account entities, see [IAM and STS Limits](reference_iam-limits.md)\.
 
 ### Creating and Deleting Aliases \(Console\)<a name="CreateAlias_Console"></a>