AWS Security ChangesHomeSearch

AWS apprunner documentation change

Service: apprunner · 2025-09-19 · Documentation low

File: apprunner/latest/dg/security_iam_service-with-iam.md

Summary

Added JSON examples for IAM policies including service-linked role creation, role passing permissions, and trust policies for App Runner roles

Security assessment

The changes add concrete IAM policy examples that help users configure secure access controls. While this improves security documentation, there's no evidence of addressing a specific vulnerability.

Diff

diff --git a/apprunner/latest/dg/security_iam_service-with-iam.md b/apprunner/latest/dg/security_iam_service-with-iam.md
index 7a07cc552..71b7653fa 100644
--- a//apprunner/latest/dg/security_iam_service-with-iam.md
+++ b//apprunner/latest/dg/security_iam_service-with-iam.md
@@ -140,0 +141,68 @@ For examples of user policies, see [User policies](./security_iam_id-based-polic
+JSON
+    
+
+****
+    
+    
+    
+    {
+      "Version": "2012-10-17",		 	 	 
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Action": [
+            "apprunner:List*",
+            "apprunner:Describe*"
+          ],
+          "Resource": "*"
+        }
+      ]
+    }
+    
+
+JSON
+    
+
+****
+    
+    
+    
+    {
+      "Version": "2012-10-17",		 	 	 
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Action": "iam:CreateServiceLinkedRole",
+          "Resource": [
+          "arn:aws:iam::*:role/aws-service-role/apprunner.amazonaws.com/AWSServiceRoleForAppRunner",
+          "arn:aws:iam::*:role/aws-service-role/networking.apprunner/AWSServiceRoleForAppRunnerNetworking"
+          ],
+          "Condition": {
+            "StringLike": {
+            "iam:AWSServiceName": [
+              "apprunner.amazonaws.com",
+                "networking.apprunner.amazonaws.com"
+              ]
+            }
+          }
+        },
+        {
+          "Effect": "Allow",
+          "Action": "iam:PassRole",
+          "Resource": "*",
+          "Condition": {
+            "StringLike": {
+              "iam:PassedToService": "apprunner.amazonaws.com"
+            }
+          }
+        },
+        {
+          "Sid": "AppRunnerAdminAccess",
+          "Effect": "Allow",
+          "Action": "apprunner:*",
+          "Resource": "*"
+        }
+      ]
+    }
+    
+
@@ -191,0 +260,21 @@ When you create your access role, be sure to add a trust policy that declares th
+JSON
+    
+
+****
+    
+    
+    
+    {
+      "Version": "2012-10-17",		 	 	 
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Principal": {
+            "Service": "build.apprunner.amazonaws.com"
+          },
+          "Action": "sts:AssumeRole"
+        }
+      ]
+    }
+    
+
@@ -201,0 +291,21 @@ When you create your instance role, be sure to add a trust policy that declares
+JSON
+    
+
+****
+    
+    
+    
+    {
+      "Version": "2012-10-17",		 	 	 
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Principal": {
+            "Service": "tasks.apprunner.aws.com"
+          },
+          "Action": "sts:AssumeRole"
+        }
+      ]
+    }
+    
+