AWS Security ChangesHomeSearch

AWS rolesanywhere documentation change

Service: rolesanywhere · 2025-04-28 · Documentation medium

File: rolesanywhere/latest/userguide/introduction.md

Summary

Clarified 'long-term credentials' to 'long-term AWS credentials' and added sections on account trust boundaries and multi-account setups

Security assessment

The added 'Account trust boundary' section clarifies security controls by explaining trust boundaries at the account level, helping prevent misconfigurations. While not addressing a specific vulnerability, it enhances security documentation.

Diff

diff --git a/rolesanywhere/latest/userguide/introduction.md b/rolesanywhere/latest/userguide/introduction.md
index 1c8bc67c9..12184fc1f 100644
--- a//rolesanywhere/latest/userguide/introduction.md
+++ b//rolesanywhere/latest/userguide/introduction.md
@@ -9 +9 @@ IAM Roles Anywhere conceptsAccessing IAM Roles Anywhere
-You can use AWS Identity and Access Management Roles Anywhere to obtain [temporary security credentials in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) for workloads such as servers, containers, and applications that run outside of AWS. Your workloads can use the same [IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) and [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) that you use with AWS applications to access AWS resources. Using IAM Roles Anywhere means you don't need to manage long-term credentials for workloads running outside of AWS. 
+You can use AWS Identity and Access Management Roles Anywhere to obtain [temporary security credentials in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) for workloads such as servers, containers, and applications that run outside of AWS. Your workloads can use the same [IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) and [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) that you use with AWS applications to access AWS resources. Using IAM Roles Anywhere means you don't need to manage long-term AWS credentials for workloads running outside of AWS. 
@@ -44,0 +45,15 @@ All IAM Roles Anywhere resources are regional and they must be created in the sa
+### Account trust boundary
+
+For IAM Roles Anywhere, the trust boundary is established at the account level. This means:
+
+  * Certificates issued by any trust anchor in the account can be used to assume any target role in that same account, unless you specify conditions in the role's trust policy.
+
+  * There is no automatic integration with organization-wide controls.
+
+
+
+
+### Multi-account setups
+
+For information on setting up multi-account access, see: [Access for an IAM user in another AWS account that you own.](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_aws-accounts.html)
+