AWS Security ChangesHomeSearch

AWS r53recovery medium security documentation change

Service: r53recovery · 2025-03-26 · Security-related medium

File: r53recovery/latest/dg/routing-control.failover-different-accounts.md

Summary

Added section detailing IAM permissions required for sharing clusters via AWS RAM, including recommended managed policies and custom policy requirements

Security assessment

Explicitly documents security-related IAM permissions required for secure cross-account cluster sharing, including prevention of authorization errors

Diff

diff --git a/r53recovery/latest/dg/routing-control.failover-different-accounts.md b/r53recovery/latest/dg/routing-control.failover-different-accounts.md
index fd558a9c5..60b56a6d5 100644
--- a/r53recovery/latest/dg/routing-control.failover-different-accounts.md
+++ b/r53recovery/latest/dg/routing-control.failover-different-accounts.md
@@ -79,0 +80,10 @@ Use the [create-resource-share](https://docs.aws.amazon.com/cli/latest/reference
+**Granting permissions to share clusters**
+
+Sharing clusters across accounts requires permissions for the IAM principal sharing the cluster via AWS RAM.
+
+We recommend using the `AmazonRoute53RecoveryControlConfigFullAccess` managed IAM policy to ensure that your IAM principals have the required permissions to share and use shared clusters.
+
+Sharing a cluster using a custom IAM policy requires `route53-recovery-control-config:PutResourcePolicy`, `route53-recovery-control-config:GetResourcePolicy`, and `route53-recovery-control-config:DeleteResourcePolicy` permissions for that cluster. `PutResourcePolicy` and `DeleteResourcePolicy` are permission-only IAM actions. Attempting to share a cluster through AWS RAM without having these permissions will result in an error.
+
+For more information about the way that AWS Resource Access Manager uses IAM see [ How AWS Resource Access Manager uses IAM](https://docs.aws.amazon.com/ram/latest/userguide/security-iam-policies.html) in the _AWS RAM User Guide_.
+