AWS Security ChangesHomeSearch

AWS appstream2 documentation change

Service: appstream2 · 2025-05-19 · Documentation low

File: appstream2/latest/developerguide/managed-policies-required-to-access-appstream-resources.md

Summary

Added documentation about IAM role requirements and expanded details of service role permissions including S3 bucket management and network interface operations

Security assessment

The changes clarify security-related IAM role requirements and explicitly document service role permissions for S3 bucket operations (including encryption configuration) and network interface management. While this improves security transparency, there is no evidence of addressing a specific vulnerability.

Diff

diff --git a/appstream2/latest/developerguide/managed-policies-required-to-access-appstream-resources.md b/appstream2/latest/developerguide/managed-policies-required-to-access-appstream-resources.md
index 1ec86bb3d..7d417ed7e 100644
--- a//appstream2/latest/developerguide/managed-policies-required-to-access-appstream-resources.md
+++ b//appstream2/latest/developerguide/managed-policies-required-to-access-appstream-resources.md
@@ -10,0 +11,4 @@ To provide full administrative or read-only access to AppStream 2.0, you must at
+###### Note
+
+In AWS, IAM roles are used to grant permissions to an AWS service so it can access AWS resources. The policies that are attached to the role determine which AWS resources the service can access and what it can do with those resources. For AppStream 2.0, in addition to having the permissions defined in the **AmazonAppStreamFullAccess** policy, you must also have the required roles in your AWS account. For more information, see [Roles Required for AppStream 2.0, Application Auto Scaling, and AWS Certificate Manager Private CA](./roles-required-for-appstream.html).
+
@@ -150,0 +155,15 @@ This managed policy is the default policy for the AppStream 2.0 service role.
+This role permissions policy allows AppStream 2.0 to complete the following actions:
+
+  * When using subnets in your account for your AppStream 2.0 fleets, AppStream 2.0 is able to describe subnets, VPCs, and availability zones, as well as create and manage the lifecycle of all elastic network interfaces associated with the fleet instances in those subnets. This also includes being able to attach Security Groups and IP addresses from those subnets to those elastic network interfaces.
+
+  * When using features such as UPP and HomeFolders, AppStream 2.0 is able to create and manage Amazon S3 buckets, objects and their lifecyles, policies, and encryption configuration in the account. These buckets include the following naming prefixes:
+
+    * `"arn:aws:s3:::appstream2-36fb080bb8-",`
+
+    * `"arn:aws:s3:::appstream-app-settings-",`
+
+    * `"arn:aws:s3:::appstream-logs-"`
+
+
+
+