AWS rosa documentation change
Summary
Updated terminology to standardize references to IAM roles, added new ROSASharedVPCRoute53Policy and ROSASharedVPCEndpointPolicy for shared VPC configurations, and expanded ROSAInstallerPolicy permissions for Capacity Reservations and tag management
Security assessment
The changes introduce two new security policies (ROSASharedVPCRoute53Policy and ROSASharedVPCEndpointPolicy) that define granular permissions for DNS and VPC endpoint management in shared environments, which adds security documentation. The ROSAInstallerPolicy update includes new permissions for infrastructure management but does not indicate remediation of a vulnerability. Terminology changes are administrative improvements without security implications.
Diff
diff --git a/rosa/latest/userguide/security-iam-awsmanpol.md b/rosa/latest/userguide/security-iam-awsmanpol.md index f9f57c166..c0d72398c 100644 --- a//rosa/latest/userguide/security-iam-awsmanpol.md +++ b//rosa/latest/userguide/security-iam-awsmanpol.md @@ -17 +17 @@ You cannot change the permissions defined in AWS managed policies. If AWS update -You can attach the `ROSAManageSubscription` policy to your IAM entities. Before you enable ROSA in the AWS ROSA console, you must first attach this policy to a console role. +You can attach the `ROSAManageSubscription` policy to your IAM entities. Before you enable ROSA in the AWS ROSA console, you must first attach this policy to an IAM role. @@ -46 +46 @@ AWS managed policies are intended for use by ROSA with hosted control planes (HC -You can attach `ROSAWorkerInstancePolicy` to your IAM entities. Before creating a cluster, you must have the ROSA worker IAM role with this policy attached. A ROSA service makes calls to other AWS services on your behalf. They do this to manage the resources that you use with each cluster. +You can attach `ROSAWorkerInstancePolicy` to your IAM entities. Before creating a cluster, you must have an IAM role with this policy attached. A ROSA service makes calls to other AWS services on your behalf. They do this to manage the resources that you use with each cluster. @@ -65 +65 @@ You can attach `ROSASRESupportPolicy` to your IAM entities. -Before you create a ROSA with hosted control planes cluster, you must first attach this policy to a support IAM role. This policy grants required permissions to Red Hat site reliability engineers (SREs) to directly observe, diagnose, and support AWS resources associated with ROSA clusters, including the ability to change ROSA cluster node state. +Before you create a ROSA with hosted control planes cluster, you must first attach this policy to an IAM role. This policy grants required permissions to Red Hat site reliability engineers (SREs) to directly observe, diagnose, and support AWS resources associated with ROSA clusters, including the ability to change ROSA cluster node state. @@ -100 +100 @@ This policy includes the following permissions that allow the installer to compl - * `ec2` — Run Amazon EC2 instances using AMIs hosted in AWS accounts owned and managed by Red Hat. Describe Amazon EC2 instances, volumes, and network resources associated with Amazon EC2 nodes. This permission is required so that the Kubernetes control plane can join instances to a cluster, and the cluster can evaluate its presence within Amazon VPC. Tag subnets using tag keys matching `"kubernetes.io/cluster/*"`. This is required to ensure that the load balancer used for cluster ingress is created only in applicable subnets. + * `ec2` — Run Amazon EC2 instances using AMIs hosted in AWS accounts owned and managed by Red Hat. Describe Amazon EC2 instances, volumes, and network resources associated with Amazon EC2 nodes. This permission is required so that the Kubernetes control plane can join instances to a cluster, and the cluster can evaluate its presence within Amazon VPC. Inspect Amazon EC2 Capacity Reservations to support the new Capacity Reservations feature in ROSA. Tag and delete tags on subnets using tag keys matching `"kubernetes.io/cluster/*"`. This is required to ensure that the load balancer used for cluster ingress is created only in applicable subnets and to manage Kubernetes cluster identification tags. @@ -120,0 +121,36 @@ To view the full JSON policy document, see [ROSAInstallerPolicy](https://docs.aw +### AWS managed policy: ROSASharedVPCRoute53Policy + +You can attach `ROSASharedVPCRoute53Policy` to your IAM entities. You must attach this policy to an IAM role to allow a ROSA cluster to make calls to other AWS services in shared VPC environments. + +This policy allows the ROSA installer to configure Route 53 records. This policy is intended to be used on a shared VPC and provides a subset of Route 53 permissions tailored for shared VPC use cases. + +**Permissions details** + +This policy includes the following permissions that allow the ROSA installer to complete the following tasks: + + * `route53` — Read DNS zone information and existing DNS records to understand the current DNS configuration. Create, modify, and delete DNS records, but only for specific ROSA-related domain patterns including `.hypershift.local`, `.openshiftapps.com`, `.devshift.org`, `.openshiftusgov.com`, and `.devshiftusgov.com`. Add, modify, or remove tags on Route 53 resources for resource management and organization. + + * `tag` — Discover and list AWS resources based on their tags, which is useful for identifying resources managed by ROSA. + + + + +To view more details about the policy, including the latest version of the JSON policy document, see [ROSASharedVPCRoute53Policy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSASharedVPCRoute53Policy.html) in the _AWS Managed Policy Reference Guide_. + +### AWS managed policy: ROSASharedVPCEndpointPolicy + +You can attach `ROSASharedVPCEndpointPolicy` to your IAM entities. You must attach this policy to an IAM role to allow a ROSA cluster to make calls to other AWS services in shared VPC environments. + +This policy allows the ROSA installer to configure VPC endpoints and security groups in shared VPC environments. + +**Permissions details** + +This policy includes the following permissions that allow the ROSA installer to complete the following tasks: + + * `ec2` — Read-only permissions to describe VPC-related resources including VPC endpoints, VPCs, and security groups to understand the network environment. Create, delete, and modify security groups with tag-based restrictions, enabling ROSA to create and manage security groups for cluster networking while restricting operations to only ROSA-tagged resources. Create, modify, and delete VPC endpoints with tag-based restrictions, allowing ROSA to create and manage VPC endpoints for private connectivity to AWS services in shared VPC environments. Apply tags to newly created VPC endpoints and security groups during creation for proper resource identification and management. + + + + +To view more details about the policy, including the latest version of the JSON policy document, see [ROSASharedVPCEndpointPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSASharedVPCEndpointPolicy.html) in the _AWS Managed Policy Reference Guide_. + @@ -284,0 +321,3 @@ Change | Description | Date +ROSASharedVPCEndpointPolicy — New policy added | ROSA added a new policy to allow the ROSA installer to configure VPC endpoints and security groups in shared VPC environments. This policy provides a subset of EC2 permissions tailored for shared VPC use cases. To learn more, see AWS managed policy: ROSASharedVPCEndpointPolicy. | August 7, 2025 +ROSASharedVPCRoute53Policy — New policy added | ROSA added a new policy to allow the ROSA installer to configure Route 53 records in shared VPC environments. This policy provides a subset of Route 53 permissions tailored for shared VPC use cases. To learn more, see AWS managed policy: ROSASharedVPCRoute53Policy. | August 7, 2025 +ROSAInstallerPolicy — Policy updated | ROSA updated the policy to allow the ROSA installer to inspect Amazon EC2 Capacity Reservations to support the new Capacity Reservations feature in ROSA. This update also allows the installer to delete tags on subnets using tag keys matching `"kubernetes.io/cluster/*"` for improved Kubernetes cluster tag management. To learn more, see AWS managed policy: ROSAInstallerPolicy. | August 7, 2025