AWS Security ChangesHomeSearch

AWS IAM documentation change

Service: IAM · 2025-11-22 · Documentation low

File: IAM/latest/UserGuide/access_policies_job-functions.md

Summary

Added new 'MCP service actions full access' job function documentation and updated URLs/policy references

Security assessment

The change adds documentation for a new AWSMcpServiceActionsFullAccess policy which controls access to AWS MCP services. While this relates to security permissions, there's no evidence of addressing a specific vulnerability. The URL updates are cosmetic fixes without security implications.

Diff

diff --git a/IAM/latest/UserGuide/access_policies_job-functions.md b/IAM/latest/UserGuide/access_policies_job-functions.md
index aa9e8b2c4..0946aa787 100644
--- a//IAM/latest/UserGuide/access_policies_job-functions.md
+++ b//IAM/latest/UserGuide/access_policies_job-functions.md
@@ -5 +5 @@
-Administrator job functionBilling job functionDatabase administrator job functionData scientist job functionDeveloper power user job functionNetwork administrator job functionRead-only accessSecurity auditor job functionSupport user job functionSystem administrator job functionView-only user job functionPolicy updates
+Administrator job functionBilling job functionDatabase administrator job functionData scientist job functionDeveloper power user job functionNetwork administrator job functionRead-only accessMCP service actions full accessSecurity auditor job functionSupport user job functionSystem administrator job functionView-only user job functionPolicy updates
@@ -35 +35 @@ In the following sections, each policy's name is a link to the policy details pa
-**Policy description:** This policy grants all actions for all AWS services and for all resources in the account. For more information about the managed policy, see [AdministratorAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AdministratorAccess.html) in _AWS Managed Policy Reference Guide_.
+**Policy description:** This policy grants all actions for all AWS services and for all resources in the account. For more information about the managed policy, see [AdministratorAccess](https://docs.aws.amazon.com//aws-managed-policy/latest/reference/AdministratorAccess.html) in _AWS Managed Policy Reference Guide_.
@@ -49 +49 @@ Before an IAM user or role can access the AWS Billing and Cost Management consol
-**Policy description:** This policy grants full permissions for managing billing, costs, payment methods, budgets, and reports. For additional cost management policy examples, see [AWS Billing policy examples](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-example-policies.html) in the _AWS Billing and Cost Management User Guide_. For more information about the managed policy, see [Billing](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/Billing.html) in _AWS Managed Policy Reference Guide_.
+**Policy description:** This policy grants full permissions for managing billing, costs, payment methods, budgets, and reports. For additional cost management policy examples, see [AWS Billing policy examples](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-example-policies.html) in the _AWS Billing and Cost Management User Guide_. For more information about the managed policy, see [Billing](https://docs.aws.amazon.com//aws-managed-policy/latest/reference/Billing.html) in _AWS Managed Policy Reference Guide_.
@@ -63 +63 @@ Before an IAM user or role can access the AWS Billing and Cost Management consol
-**Policy description:** This policy grants permissions to create, configure, and maintain databases. It includes access to AWS database services, such as Amazon DynamoDB, Amazon Relational Database Service (RDS), and Amazon Redshift. View the policy for the full list of database services that this policy supports. For more information about the managed policy, see [DatabaseAdministrator](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/DatabaseAdministrator.html) in _AWS Managed Policy Reference Guide_.
+**Policy description:** This policy grants permissions to create, configure, and maintain databases. It includes access to AWS database services, such as Amazon DynamoDB, Amazon Relational Database Service (RDS), and Amazon Redshift. View the policy for the full list of database services that this policy supports. For more information about the managed policy, see [DatabaseAdministrator](https://docs.aws.amazon.com//aws-managed-policy/latest/reference/DatabaseAdministrator.html) in _AWS Managed Policy Reference Guide_.
@@ -85 +85 @@ Allow your applications running on Amazon EC2 instances to access your AWS resou
-**Policy description:** This policy grants permissions to create, manage, and run queries on an Amazon EMR cluster and perform data analytics with tools such as Amazon QuickSight. The policy includes access to additional data scientist services, such as AWS Data Pipeline, Amazon EC2, Amazon Kinesis, Amazon Machine Learning, and SageMaker AI. View the policy for the full list of data scientist services that this policy supports. For more information about the managed policy, see [DataScientist](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/DataScientist.html) in _AWS Managed Policy Reference Guide_.
+**Policy description:** This policy grants permissions to create, manage, and run queries on an Amazon EMR cluster and perform data analytics with tools such as Amazon QuickSight. The policy includes access to additional data scientist services, such as AWS Data Pipeline, Amazon EC2, Amazon Kinesis, Amazon Machine Learning, and SageMaker AI. View the policy for the full list of data scientist services that this policy supports. For more information about the managed policy, see [DataScientist](https://docs.aws.amazon.com//aws-managed-policy/latest/reference/DataScientist.html) in _AWS Managed Policy Reference Guide_.
@@ -115 +115 @@ Allow your applications running on Amazon EC2 instances to access your AWS resou
-**Policy description:** This policy grants permissions to create and maintain network resources in Auto Scaling, Amazon EC2, AWS Direct Connect, Route 53, Amazon CloudFront, Elastic Load Balancing, AWS Elastic Beanstalk, Amazon SNS, CloudWatch, CloudWatch Logs, Amazon S3, IAM, and Amazon Virtual Private Cloud. For more information about the managed policy, see [NetworkAdministrator](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/NetworkAdministrator.html) in _AWS Managed Policy Reference Guide_.
+**Policy description:** This policy grants permissions to create and maintain network resources in Amazon EC2 Auto Scaling, Amazon EC2, AWS Direct Connect, Route 53, Amazon CloudFront, Elastic Load Balancing, AWS Elastic Beanstalk, Amazon SNS, CloudWatch, CloudWatch Logs, Amazon S3, IAM, and Amazon Virtual Private Cloud. For more information about the managed policy, see [NetworkAdministrator](https://docs.aws.amazon.com//aws-managed-policy/latest/reference/NetworkAdministrator.html) in _AWS Managed Policy Reference Guide_.
@@ -135 +135,11 @@ This user will also have access to read data in storage services like Amazon S3
-**Policy description:** This policy grants permissions to list, get, describe, and otherwise view resources and their attributes. It does not include mutating functions like create or delete. This policy does include read-only access to security-related AWS services, such as AWS Identity and Access Management and AWS Billing and Cost Management. View the policy for the full list of services and actions that this policy supports. For more information about the managed policy, see [ReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ReadOnlyAccess.html) in _AWS Managed Policy Reference Guide_. If you need a similar policy that does not grant access to read data in storage services, see View-only user job function.
+**Policy description:** This policy grants permissions to list, get, describe, and otherwise view resources and their attributes. It does not include mutating functions like create or delete. This policy does include read-only access to security-related AWS services, such as AWS Identity and Access Management and AWS Billing and Cost Management. View the policy for the full list of services and actions that this policy supports. For more information about the managed policy, see [ReadOnlyAccess](https://docs.aws.amazon.com//aws-managed-policy/latest/reference/ReadOnlyAccess.html) in _AWS Managed Policy Reference Guide_. If you need a similar policy that does not grant access to read data in storage services, see View-only user job function.
+
+## MCP service actions full access
+
+**AWS managed policy name:** [AWSMcpServiceActionsFullAccess](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AWSMcpServiceActionsFullAccess)
+
+**Use case:** This user requires access to AWS services using AWS MCP servers. This policy does not grant access to actions taken by an MCP service to other AWS services.
+
+**Policy updates:** AWS maintains and updates this policy. For a history of changes for this policy, view the policy in the IAM console and then choose the **Policy versions** tab. For more information about job function policy updates, see Updates to AWS managed policies for job functions.
+
+**Policy description:** This policy grants permissions to call any AWS MCP service action. You can use when you do not need to specify permissions per AWS MCP service. It does not grant permissions to actions taken by the MCP service to other AWS services, those permissions must always be granted separately and in addition to MCP service actions. For more information about the managed policy, see [AWSMcpServiceActionsFullAccess](https://docs.aws.amazon.com//aws-managed-policy/latest/reference/AWSMcpServiceActionsFullAccess.html) in _AWS Managed Policy Reference Guide_.
@@ -145 +155 @@ This user will also have access to read data in storage services like Amazon S3
-**Policy description:** This policy grants permissions to view configuration data for many AWS services and to review their logs. For more information about the managed policy, see [SecurityAudit](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SecurityAudit.html) in _AWS Managed Policy Reference Guide_.
+**Policy description:** This policy grants permissions to view configuration data for many AWS services and to review their logs. For more information about the managed policy, see [SecurityAudit](https://docs.aws.amazon.com//aws-managed-policy/latest/reference/SecurityAudit.html) in _AWS Managed Policy Reference Guide_.
@@ -155 +165 @@ This user will also have access to read data in storage services like Amazon S3
-**Policy description:** This policy grants permissions to create and update Support cases. For more information about the managed policy, see [AWSSupportAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSupportAccess.html) in _AWS Managed Policy Reference Guide_.
+**Policy description:** This policy grants permissions to create and update Support cases. For more information about the managed policy, see [AWSSupportAccess](https://docs.aws.amazon.com//aws-managed-policy/latest/reference/AWSSupportAccess.html) in _AWS Managed Policy Reference Guide_.
@@ -165 +175 @@ This user will also have access to read data in storage services like Amazon S3
-**Policy description:** This policy grants permissions to create and maintain resources across a large variety of AWS services, including AWS CloudTrail, Amazon CloudWatch, AWS CodeCommit, AWS CodeDeploy, AWS Config, AWS Directory Service, Amazon EC2, AWS Identity and Access Management, AWS Key Management Service, AWS Lambda, Amazon RDS, Route 53, Amazon S3, Amazon SES, Amazon SQS, AWS Trusted Advisor, and Amazon VPC. For more information about the managed policy, see [SystemAdministrator](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SystemAdministrator.html) in _AWS Managed Policy Reference Guide_.
+**Policy description:** This policy grants permissions to create and maintain resources across a large variety of AWS services, including AWS CloudTrail, Amazon CloudWatch, AWS CodeCommit, AWS CodeDeploy, AWS Config, AWS Directory Service, Amazon EC2, AWS Identity and Access Management, AWS Key Management Service, AWS Lambda, Amazon RDS, Route 53, Amazon S3, Amazon SES, Amazon SQS, AWS Trusted Advisor, and Amazon VPC. For more information about the managed policy, see [SystemAdministrator](https://docs.aws.amazon.com//aws-managed-policy/latest/reference/SystemAdministrator.html) in _AWS Managed Policy Reference Guide_.
@@ -184 +194 @@ Allow Lambda to read DynamoDB streams and write to CloudWatch Logs | [lambda-sys
-**Policy description:** This policy grants `List*`, `Describe*`, `Get*`, `View*`, and `Lookup*` access to resources for AWS services. To see what actions this policy includes for each service, see [ViewOnlyAccess](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/job-function/ViewOnlyAccess). For more information about the managed policy, see [ViewOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ViewOnlyAccess.html) in _AWS Managed Policy Reference Guide_.
+**Policy description:** This policy grants `List*`, `Describe*`, `Get*`, `View*`, and `Lookup*` access to resources for AWS services. To see what actions this policy includes for each service, see [ViewOnlyAccess](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/job-function/ViewOnlyAccess). For more information about the managed policy, see [ViewOnlyAccess](https://docs.aws.amazon.com//aws-managed-policy/latest/reference/ViewOnlyAccess.html) in _AWS Managed Policy Reference Guide_.