AWS Security ChangesHomeSearch

AWS config documentation change

Service: config · 2025-11-16 · Documentation low

File: config/latest/developerguide/security-iam-awsmanpol.md

Summary

Expanded documentation of AWSConfigServiceRolePolicy permissions to include detailed service category breakdown and enhanced monitoring capabilities across 100+ AWS services. Added changelog entries about policy updates.

Security assessment

The changes provide more granular documentation about security-relevant permissions (e.g., access-analyzer, auditmanager, cloudtrail) but do not address a specific vulnerability. The update improves transparency about the service role's capabilities rather than fixing a security flaw. While security services are mentioned, there's no evidence this is in response to an incident.

Diff

diff --git a/config/latest/developerguide/security-iam-awsmanpol.md b/config/latest/developerguide/security-iam-awsmanpol.md
index b52bbd525..6cd889d16 100644
--- a//config/latest/developerguide/security-iam-awsmanpol.md
+++ b//config/latest/developerguide/security-iam-awsmanpol.md
@@ -21 +21 @@ AWS Config uses the service-linked role named **AWSServiceRoleForConfig** to cal
-The **AWSServiceRoleForConfig** SLR contains the managed policy `AWSConfigServiceRolePolicy`. This managed policy contains read-only and write-only permissions for AWS Config resources and read-only permissions for resources in other services that AWS Config supports. For more information, see [Supported Resource Types for AWS Config](./resource-config-reference.html) and [Using Service-Linked Roles for AWS Config](./using-service-linked-roles.html).
+The **AWSServiceRoleForConfig** SLR contains the managed policy `AWSConfigServiceRolePolicy`. This managed policy contains read-only and write-only permissions for AWS Config resources and read-only permissions for resources in other services that AWS Config supports. The policy provides comprehensive access to monitor and record configuration changes across your AWS infrastructure, including permissions for over 100 AWS services such as compute, storage, networking, security, analytics, and machine learning services.
@@ -23 +23,102 @@ The **AWSServiceRoleForConfig** SLR contains the managed policy `AWSConfigServic
-View the policy: [AWSConfigServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSConfigServiceRolePolicy.html).
+The policy includes permissions for the following service categories:
+
+  * `access-analyzer` – Allows principals to analyze access patterns and retrieve security findings.
+
+  * `account` – Allows principals to retrieve account contact information.
+
+  * `acm` and `acm-pca` – Allows principals to manage SSL/TLS certificates and private certificate authorities.
+
+  * `airflow` – Allows principals to monitor managed Apache Airflow environments.
+
+  * `amplify` and `amplifyuibuilder` – Allows principals to monitor web applications and UI components.
+
+  * `aoss` – Allows principals to monitor OpenSearch Serverless collections and security configurations.
+
+  * `app-integrations` – Allows principals to monitor application integration configurations.
+
+  * `appconfig` – Allows principals to monitor application configuration deployments.
+
+  * `appflow` – Allows principals to monitor data flow configurations between applications.
+
+  * `application-autoscaling` and `application-signals` – Allows principals to monitor auto-scaling policies and application performance metrics.
+
+  * `appmesh` – Allows principals to monitor service mesh configurations.
+
+  * `apprunner` – Allows principals to monitor containerized web applications and services.
+
+  * `appstream` – Allows principals to monitor application streaming configurations.
+
+  * `appsync` – Allows principals to monitor GraphQL API configurations.
+
+  * `aps` – Allows principals to monitor Prometheus monitoring configurations.
+
+  * `apptest` – Allows principals to monitor application testing configurations.
+
+  * `arc-zonal-shift` – Allows principals to monitor zonal shift configurations for availability.
+
+  * `athena` – Allows principals to monitor query engine configurations and data catalogs.
+
+  * `auditmanager` – Allows principals to monitor audit and compliance assessments.
+
+  * `autoscaling` and `autoscaling-plans` – Allows principals to monitor auto-scaling groups and scaling plans.
+
+  * `b2bi` – Allows principals to monitor business-to-business integration configurations.
+
+  * `backup` and `backup-gateway` – Allows principals to monitor backup policies and gateway configurations.
+
+  * `batch` – Allows principals to monitor batch computing environments and job queues.
+
+  * `bcm-data-exports` – Allows principals to monitor billing and cost management data exports.
+
+  * `bedrock` and `bedrock-agentcore` – Allows principals to monitor foundation models and AI agent configurations.
+
+  * `billingconductor` – Allows principals to monitor billing group configurations.
+
+  * `budgets` – Allows principals to monitor budget configurations and actions.
+
+  * `cassandra` – Allows principals to query managed Cassandra database configurations.
+
+  * `ce` – Allows principals to monitor cost and usage reporting configurations.
+
+  * `cleanrooms` and `cleanrooms-ml` – Allows principals to monitor data collaboration and machine learning configurations.
+
+  * `cloud9` – Allows principals to monitor cloud development environment configurations.
+
+  * `cloudformation` – Allows principals to monitor infrastructure as code stack configurations.
+
+  * `cloudfront` – Allows principals to monitor content delivery network configurations.
+
+  * `cloudtrail` – Allows principals to monitor API logging and audit trail configurations.
+
+  * `cloudwatch` – Allows principals to monitor metrics, alarms, and dashboard configurations.
+
+  * `codeartifact` – Allows principals to monitor software package repository configurations.
+
+  * `codebuild` – Allows principals to monitor build project configurations.
+
+  * `codecommit` – Allows principals to monitor source code repository configurations.
+
+  * `codeconnections` – Allows principals to monitor third-party source connections.
+
+  * `codedeploy` – Allows principals to monitor application deployment configurations.
+
+  * `codeguru-profiler` and `codeguru-reviewer` – Allows principals to monitor code analysis and profiling configurations.
+
+  * `codepipeline` – Allows principals to monitor continuous integration and deployment pipeline configurations.
+
+  * `codestar-connections` – Allows principals to monitor developer tool connections.
+
+  * `cognito-identity` and `cognito-idp` – Allows principals to monitor identity and user pool configurations.
+
+  * `comprehend` – Allows principals to monitor natural language processing configurations.
+
+  * `config` – Allows principals to manage configuration recording and compliance monitoring.
+
+  * `connect` – Allows principals to monitor contact center configurations.
+
+
+
+
+For more information about supported resource types, see [Supported Resource Types for AWS Config](./resource-config-reference.html) and [Using Service-Linked Roles for AWS Config](./using-service-linked-roles.html).
+
+To view more details about the policy, including the latest version of the JSON policy document, see [AWSConfigServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSConfigServiceRolePolicy.html) in the _AWS Managed Policy Reference Guide_.
@@ -78,0 +180,2 @@ Change | Description | Date
+AWSConfigServiceRolePolicy – Updated managed policy with comprehensive permissions for AWS resource configuration recording across over 100 AWS services including compute, storage, networking, security, analytics, and machine learning services. |  This policy now provides enhanced documentation of service permissions and supports comprehensive monitoring across all AWS services that AWS Config supports for configuration recording. |  November 11, 2025  
+AWS_ConfigRole – Updated managed policy with comprehensive permissions for AWS resource configuration recording across multiple services including AWS Identity and Access Management, Amazon Elastic Compute Cloud, Amazon Simple Storage Service, AWS Lambda, Amazon Relational Database Service, and many others. |  This policy now supports additional permissions for comprehensive AWS resource configuration recording and monitoring across all supported AWS services. |  November 10, 2025