🟡 Medium | Source: AWS What’s New
AWS IAM Identity Center now allows customer-managed applications to programmatically access AWS accounts on behalf of users, using tokens from a trusted external identity provider. Applications can discover assigned accounts and roles, and retrieve temporary credentials without requiring users to re-authenticate. This simplifies access flows but introduces new governance considerations around which applications are permitted to obtain AWS account credentials.
Security Architect’s Take: Review all existing customer-managed applications integrated with IAM Identity Center and apply the principle of least privilege when deciding which applications to enable for AWS account access. Ensure only management account or delegated administrators can grant this capability, and audit trusted token issuer configurations regularly to prevent credential abuse via compromised third-party IdPs.
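One way to perform the audit described above, as an added example that is not part of the advisory or of any AWS tooling: it lists every trusted token issuer in an IAM Identity Center instance, then walks each customer-managed application's grants and reports which applications hold a JwtBearer grant (the grant type behind this token-exchange flow) and which issuer they trust. It assumes the boto3 `sso-admin` calls `list_trusted_token_issuers`, `list_applications` and `list_application_grants` with the response shapes shown; the stub client, ARNs and names are constructed so it runs offline, and in real use you would pass `boto3.client("sso-admin")` and the instance ARN from `list_instances`.

```python
from typing import Any, Callable, Dict, List

def _all(call: Callable[..., Dict[str, Any]], key: str, **kw: Any) -> List[Dict[str, Any]]:
    """Collect every item of a paginated list_* call by following NextToken."""
    items, token = [], None
    while True:
        resp = call(**kw, NextToken=token) if token else call(**kw)
        items.extend(resp.get(key, []))
        token = resp.get("NextToken")
        if not token:
            return items

def audit_token_issuer_access(sso_admin: Any, instance_arn: str) -> List[Dict[str, Any]]:
    """One finding per (application, trusted token issuer) pair able to obtain AWS credentials."""
    issuers = {t["TrustedTokenIssuerArn"]: t["Name"]
               for t in _all(sso_admin.list_trusted_token_issuers, "TrustedTokenIssuers",
                             InstanceArn=instance_arn)}
    findings = []
    for app in _all(sso_admin.list_applications, "Applications", InstanceArn=instance_arn):
        for grant in _all(sso_admin.list_application_grants, "Grants",
                          ApplicationArn=app["ApplicationArn"]):
            if grant["GrantType"] != "JwtBearer":  # only the external-IdP token flow matters here
                continue
            for ati in grant["Grant"]["JwtBearer"].get("AuthorizedTokenIssuers", []):
                arn = ati["TrustedTokenIssuerArn"]
                findings.append({"application": app["Name"],
                                 "status": app.get("Status", "UNKNOWN"),
                                 "issuer": issuers.get(arn, "UNKNOWN"),
                                 "issuer_known": arn in issuers,  # dangling issuer = review
                                 "audiences": ati.get("AuthorizedAudiences", [])})
    return findings

# Constructed stand-in for boto3's sso-admin client (assumed response shapes, placeholder ARNs).
TTI_OK = "arn:aws:sso::111122223333:trustedTokenIssuer/ssoins-EXAMPLE/tti-EXAMPLE1"
TTI_GONE = "arn:aws:sso::111122223333:trustedTokenIssuer/ssoins-EXAMPLE/tti-DELETED"

class StubSsoAdmin:
    def list_trusted_token_issuers(self, **kw: Any) -> Dict[str, Any]:
        return {"TrustedTokenIssuers": [{"TrustedTokenIssuerArn": TTI_OK, "Name": "corp-idp"}]}
    def list_applications(self, **kw: Any) -> Dict[str, Any]:
        return {"Applications": [
            {"ApplicationArn": "arn:aws:sso::111122223333:application/ssoins-EXAMPLE/apl-1",
             "Name": "deploy-bot", "Status": "ENABLED"},
            {"ApplicationArn": "arn:aws:sso::111122223333:application/ssoins-EXAMPLE/apl-2",
             "Name": "legacy-reporter", "Status": "ENABLED"}]}
    def list_application_grants(self, **kw: Any) -> Dict[str, Any]:
        tti = TTI_OK if kw["ApplicationArn"].endswith("apl-1") else TTI_GONE
        return {"Grants": [{"GrantType": "JwtBearer", "Grant": {"JwtBearer": {
            "AuthorizedTokenIssuers": [{"TrustedTokenIssuerArn": tti,
                                       "AuthorizedAudiences": ["aws-access"]}]}}}]}
```

Run the resulting findings against your approved-application list; an ENABLED application with an unknown or unapproved issuer is the case the advisory's governance review is meant to catch.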
Original advisory: IAM Identity Center now enables programmatic AWS account access for customer managed applications