---
title: "Configuring for Session Invalidation"
slug: "configuring-for-session-invalidation"
updated: 2026-04-15T10:50:31Z
published: 2026-04-29T10:51:57Z
---

# Configuring for Session Invalidation

The following prerequisites are required on the AWS side to enable the Session Invalidation feature:

- Each Integration Role in the AWS environment must be updated to allow the following additional API actions:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:CreatePolicy",
        "iam:DeletePolicy",
        "iam:CreatePolicyVersion",
        "iam:DeletePolicyVersion",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:ListPolicyVersions"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:iam::*:policy/britive/managed/*"
    }
  ]
}
```
- Each role that is marked for use by Britive (that is, a role that trusts the Britive identity provider) must have its trust policy updated to reflect the following:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::<account>:saml-provider/<britive idp>"
            },
            "Action": [
                "sts:AssumeRoleWithSAML",
                "sts:SetSourceIdentity",
                "sts:TagSession"
            ],
            "Condition": {
                "StringEquals": {
                    "SAML:aud": "https://signin.aws.amazon.com/saml"
                }
            }
        }
    ]
}
```
- It is recommended that customers apply a Service Control Policy (SCP) in the management account of the AWS organization that restricts access to the Britive-managed IAM policies, so that only the Britive integration role can update those policies:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "arn:aws:iam::*:policy/britive/managed/*",
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/<britive integration role name>"
        }
      }
    }
  ]
}
```
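The trust-policy prerequisite above is easy to get only partially right (for example, a role that still allows only `sts:AssumeRoleWithSAML`). The following Python check, added here as an example and not part of the Britive documentation or product, parses a role's trust policy document and reports which of the three required sts actions are still missing for the Britive SAML provider; the account id and provider name in the constructed sample are placeholders.

```python
import json

# The three sts actions the page says every Britive-trusted role must allow.
REQUIRED_STS_ACTIONS = {"sts:AssumeRoleWithSAML", "sts:SetSourceIdentity", "sts:TagSession"}


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def missing_trust_actions(trust_policy: dict, saml_provider_arn: str) -> set:
    """Return the required sts actions that no Allow statement for the given
    SAML provider grants. An empty set means the trust policy is ready."""
    granted = set()
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never grant anything
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            continue  # "*" or other non-federated principals are not the IdP
        if saml_provider_arn not in _as_list(principal.get("Federated")):
            continue
        granted.update(_as_list(stmt.get("Action")))
    return REQUIRED_STS_ACTIONS - granted


# Constructed sample: a trust policy as it typically looks before the update
# (only AssumeRoleWithSAML). Account id and provider name are placeholders.
IDP_ARN = "arn:aws:iam::123456789012:saml-provider/britive-idp"
BEFORE_UPDATE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "%s"},
    "Action": "sts:AssumeRoleWithSAML",
    "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}}
  }]
}""" % IDP_ARN)

if __name__ == "__main__":
    print("missing:", sorted(missing_trust_actions(BEFORE_UPDATE, IDP_ARN)))
```

In practice the document passed in would be the `AssumeRolePolicyDocument` of each role marked for Britive, retrieved with your usual IAM tooling.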
