AWS rosa medium security documentation change
Summary
Updated ROSAImageRegistryOperatorPolicy documentation to scope permissions to S3 bucket resource level and expand coverage to AWS Commercial Regions
Security assessment
The change explicitly states permissions were scoped down to resource level, which is a security hardening measure to follow least-privilege principles. This directly impacts security by reducing potential attack surface.
Diff
diff --git a/rosa/latest/userguide/security-iam-awsmanpol.md b/rosa/latest/userguide/security-iam-awsmanpol.md index e9164bd02..f9f57c166 100644 --- a//rosa/latest/userguide/security-iam-awsmanpol.md +++ b//rosa/latest/userguide/security-iam-awsmanpol.md @@ -284,0 +285 @@ Change | Description | Date +ROSAImageRegistryOperatorPolicy — Policy updated | ROSA updated the policy so that the permissions are scoped down to the S3 bucket resource level. This change satisfies ROSA storage requirements for both AWS Commercial and GovCloud Regions. To learn more, see AWS managed policy: ROSAImageRegistryOperatorPolicy. | May 19, 2025 @@ -286 +287 @@ ROSANodePoolManagementPolicy — Policy updated | ROSA updated the policy to al -ROSAImageRegistryOperatorPolicy — Policy updated | ROSA updated the policy to allow the Red Hat OpenShift Image Registry Operator to provision and manage Amazon S3 buckets and objects in AWS GovCloud Regions for use by the ROSA in-cluster image registry. This change satisfies ROSA storage requirements for AWS GovCloud Regions. To learn more, see AWS managed policy: ROSAImageRegistryOperatorPolicy | April 16, 2025 +ROSAImageRegistryOperatorPolicy — Policy updated | ROSA updated the policy to allow the Red Hat OpenShift Image Registry Operator to provision and manage Amazon S3 buckets and objects in AWS GovCloud Regions for use by the ROSA in-cluster image registry. This change satisfies ROSA storage requirements for AWS GovCloud Regions. To learn more, see AWS managed policy: ROSAImageRegistryOperatorPolicy. | April 16, 2025