AWS rolesanywhere documentation change
Summary
Added documentation for two new AWS managed policies (AWSRolesAnywhereFullAccess and AWSRolesAnywhereReadOnly) with detailed permissions and policy definitions
Security assessment
The changes document new IAM policies for granular access control but do not indicate remediation of a specific security vulnerability. The additions help users implement security best practices through predefined policies.
Diff
diff --git a/rolesanywhere/latest/userguide/security-iam-awsmanpol.md b/rolesanywhere/latest/userguide/security-iam-awsmanpol.md index 595e418dd..17a93eb88 100644 --- a//rolesanywhere/latest/userguide/security-iam-awsmanpol.md +++ b//rolesanywhere/latest/userguide/security-iam-awsmanpol.md @@ -5 +5 @@ -AWSRolesAnywhereServicePolicyPolicy updates +AWSRolesAnywhereServicePolicyAWSRolesAnywhereFullAccessAWSRolesAnywhereReadOnlyPolicy updates @@ -101,0 +102,44 @@ JSON +For more information and definition of this policy, see: [AWSRolesAnywhereServicePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSRolesAnywhereServicePolicy.html). + +## AWS managed policy: AWSRolesAnywhereFullAccess + +This policy provides all permissions to IAM Roles Anywhere resources, including but not limited to: CreateProfile, DeleteTrustAnchor, DisableCRL, ResetNotificationSettings. + +You can attach the AWSRolesAnywhereFullAccess policy to your IAM identities. + +This policy grants full access permissions that allow users to view, create, update, and delete all IAM Roles Anywhere resources. + +**Permissions details** + +This policy includes the following permissions: + + * `rolesanywhere` – Allows principals to perform all actions on IAM Roles Anywhere resources including trust anchors, profiles, CRLs, subjects, and notification settings. + + * `iam:PassRole` – Allows principals to pass a role to IAM Roles Anywhere. + + * `iam:CreateServiceLinkedRole` – Allows principals to create the service-linked role for IAM Roles Anywhere. This permission is needed when the service-linked role doesn't exist in the account yet. + + + + +For more information and definition of this policy, see [AWSRolesAnywhereFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSRolesAnywhereFullAccess.html). + +## AWS managed policy: AWSRolesAnywhereReadOnly + +This policy provides read-only permissions to IAM Roles Anywhere resources, including but not limited to: GetTrustAnchor, ListProfiles, GetCRL. + +You can attach the AWSRolesAnywhereReadOnly policy to your IAM identities. + +This policy grants read-only permissions that allow users to view IAM Roles Anywhere resources but not modify them. + +**Permissions details** + +This policy includes the following permissions: + + * `rolesanywhere` – Allows principals to view all IAM Roles Anywhere resources including trust anchors, profiles, CRLs, and subjects. + + + + +For more information and definition of this policy, see [AWSRolesAnywhereReadOnly](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSRolesAnywhereReadOnly.html). + @@ -107,0 +152,2 @@ Change | Description | Date +AWSRolesAnywhereFullAccess – New policy | IAM Roles Anywhere added a new policy to allow users to grant full access IAM Roles Anywhere permissions to principals in a standardized way. | July 16, 2025 +AWSRolesAnywhereReadOnly – New policy | IAM Roles Anywhere added a new policy to allow users to grant read only IAM Roles Anywhere permissions to principals in a standardized way. | July 16, 2025