AWS Security ChangesHomeSearch

AWS glue medium security documentation change

Service: glue · 2025-07-25 · Security-related medium

File: glue/latest/dg/aws-glue-api-jobs-runs.md

Summary

Added documentation for ExecutionRoleSessionPolicy parameter in StartJobRun API, explaining inline session policies for dynamically restricting execution role permissions

Security assessment

The change introduces documentation for a security feature that allows temporary permission restriction of execution roles via inline policies. This directly relates to security by enabling least-privilege access patterns without requiring permanent role changes.

Diff

diff --git a/glue/latest/dg/aws-glue-api-jobs-runs.md b/glue/latest/dg/aws-glue-api-jobs-runs.md
index a21d94eb9..57e1d53aa 100644
--- a//glue/latest/dg/aws-glue-api-jobs-runs.md
+++ b//glue/latest/dg/aws-glue-api-jobs-runs.md
@@ -219,0 +220,4 @@ For example, when a job run is in a WAITING state as a result of job run queuing
+  * `ExecutionRoleSessionPolicy` – UTF-8 string, not less than 2 or more than 2048 bytes long.
+
+This inline session policy to the StartJobRun API allows you to dynamically restrict the permissions of the specified execution role for the scope of the job, without requiring the creation of additional IAM roles.
+
@@ -456,0 +461,4 @@ The name of an AWS Glue usage profile associated with the job run.
+  * `ExecutionRoleSessionPolicy` – UTF-8 string, not less than 2 or more than 2048 bytes long.
+
+This inline session policy to the StartJobRun API allows you to dynamically restrict the permissions of the specified execution role for the scope of the job, without requiring the creation of additional IAM roles.
+