Session Policies and Tag-Based Scoping
Shrink permissions further at the moment a role is assumed.
Narrowing at Assume Time
Sometimes you want to grant a role but restrict what a particular session can do without editing the role itself. Session policies and session tags let you shrink permissions at the exact moment a role is assumed. These advanced STS features support fine-grained, scalable least privilege that the exam rewards.
What a Session Policy Is
A session policy is an inline or managed policy passed to AssumeRole, either as the Policy parameter (an inline JSON document) or as the PolicyArns parameter (a list of managed policy ARNs). It does not grant new permissions; it can only filter the role's existing permissions for that one session. The session's effective permissions are the intersection of the role's own policies and the session policy: a request must be allowed by both, and an explicit deny in either wins.
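To make the intersection rule concrete, here is an added worked example (not code from the course or from AWS) with a simplified policy evaluator and two constructed policies: a role policy and a narrower session policy. The role ARN, bucket name and statements are illustrative assumptions; the AssumeRole call itself is only built, not sent.

```python
"""Toy evaluator: effective permission of a role session = role policy AND session policy."""
import fnmatch
import json

# Constructed sample policies for illustration only (no real account or bucket).
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
]}
SESSION_POLICY = {"Version": "2012-10-17", "Statement": [
    # Narrows the session to read-only access on one prefix.
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/reports/*"},
    # Not allowed by the role, so this statement cannot add anything.
    {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def policy_decision(policy, action, resource):
    """Simplified IAM evaluation: explicit Deny wins, then Allow, else implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"

def effective_decision(role_policy, session_policy, action, resource):
    """A session policy can only filter: the request must be allowed by BOTH documents."""
    role = policy_decision(role_policy, action, resource)
    session = policy_decision(session_policy, action, resource)
    if "Deny" in (role, session):
        return "Deny"
    return "Allow" if role == session == "Allow" else "ImplicitDeny"

def assume_role_kwargs(role_arn, session_name, session_policy):
    """Parameters for sts.assume_role(); the Policy value is the JSON document as a string."""
    return {"RoleArn": role_arn, "RoleSessionName": session_name,
            "Policy": json.dumps(session_policy)}

if __name__ == "__main__":
    kwargs = assume_role_kwargs("arn:aws:iam::123456789012:role/ExampleRole", "demo", SESSION_POLICY)
    print(kwargs["Policy"])
    print(effective_decision(ROLE_POLICY, SESSION_POLICY, "s3:PutObject",
                             "arn:aws:s3:::example-bucket/reports/q1.csv"))
```

With boto3, the returned dictionary would be passed as `sts.assume_role(**kwargs)`; the evaluator ignores conditions, resource-based policies and permissions boundaries, so it only illustrates the narrowing rule.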