AWS rolesanywhere documentation change
Summary
Clarified 'long-term credentials' to 'long-term AWS credentials' and added sections on account trust boundaries and multi-account setups
Security assessment
The added 'Account trust boundary' section clarifies security controls by explaining trust boundaries at the account level, helping prevent misconfigurations. While not addressing a specific vulnerability, it enhances security documentation.
Diff
diff --git a/rolesanywhere/latest/userguide/introduction.md b/rolesanywhere/latest/userguide/introduction.md index 1c8bc67c9..12184fc1f 100644 --- a//rolesanywhere/latest/userguide/introduction.md +++ b//rolesanywhere/latest/userguide/introduction.md @@ -9 +9 @@ IAM Roles Anywhere conceptsAccessing IAM Roles Anywhere -You can use AWS Identity and Access Management Roles Anywhere to obtain [temporary security credentials in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) for workloads such as servers, containers, and applications that run outside of AWS. Your workloads can use the same [IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) and [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) that you use with AWS applications to access AWS resources. Using IAM Roles Anywhere means you don't need to manage long-term credentials for workloads running outside of AWS. +You can use AWS Identity and Access Management Roles Anywhere to obtain [temporary security credentials in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) for workloads such as servers, containers, and applications that run outside of AWS. Your workloads can use the same [IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) and [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) that you use with AWS applications to access AWS resources. Using IAM Roles Anywhere means you don't need to manage long-term AWS credentials for workloads running outside of AWS. @@ -44,0 +45,15 @@ All IAM Roles Anywhere resources are regional and they must be created in the sa +### Account trust boundary + +For IAM Roles Anywhere, the trust boundary is established at the account level. This means: + + * Certificates issued by any trust anchor in the account can be used to assume any target role in that same account, unless you specify conditions in the role's trust policy. + + * There is no automatic integration with organization-wide controls. + + + + +### Multi-account setups + +For information on setting up multi-account access, see: [Access for an IAM user in another AWS account that you own.](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_aws-accounts.html) +