AWS r53recovery medium security documentation change
Summary
Added section detailing IAM permissions required for sharing clusters via AWS RAM, including recommended managed policies and custom policy requirements
Security assessment
Explicitly documents security-related IAM permissions required for secure cross-account cluster sharing, including prevention of authorization errors
Diff
diff --git a/r53recovery/latest/dg/routing-control.failover-different-accounts.md b/r53recovery/latest/dg/routing-control.failover-different-accounts.md index fd558a9c5..60b56a6d5 100644 --- a/r53recovery/latest/dg/routing-control.failover-different-accounts.md +++ b/r53recovery/latest/dg/routing-control.failover-different-accounts.md @@ -79,0 +80,10 @@ Use the [create-resource-share](https://docs.aws.amazon.com/cli/latest/reference +**Granting permissions to share clusters** + +Sharing clusters across accounts requires permissions for the IAM principal sharing the cluster via AWS RAM. + +We recommend using the `AmazonRoute53RecoveryControlConfigFullAccess` managed IAM policy to ensure that your IAM principals have the required permissions to share and use shared clusters. + +Sharing a cluster using a custom IAM policy requires `route53-recovery-control-config:PutResourcePolicy`, `route53-recovery-control-config:GetResourcePolicy`, and `route53-recovery-control-config:DeleteResourcePolicy` permissions for that cluster. `PutResourcePolicy` and `DeleteResourcePolicy` are permission-only IAM actions. Attempting to share a cluster through AWS RAM without having these permissions will result in an error. + +For more information about the way that AWS Resource Access Manager uses IAM see [ How AWS Resource Access Manager uses IAM](https://docs.aws.amazon.com/ram/latest/userguide/security-iam-policies.html) in the _AWS RAM User Guide_. +