AWS Security ChangesHomeSearch

AWS drs documentation change

Service: drs · 2026-03-19 · Documentation low

File: drs/latest/userguide/security-iam-awsmanpol-AWSElasticDisasterRecoveryReadOnlyAccess.md

Summary

Expanded documentation of read-only permissions with service-specific details and use case guidance

Security assessment

Adds explicit details about which AWS services and operations are included in read-only access, improving transparency about privilege scope. While not fixing a vulnerability, it enhances security documentation by clarifying least-privilege boundaries for auditors/monitoring teams.

Diff

diff --git a/drs/latest/userguide/security-iam-awsmanpol-AWSElasticDisasterRecoveryReadOnlyAccess.md b/drs/latest/userguide/security-iam-awsmanpol-AWSElasticDisasterRecoveryReadOnlyAccess.md
index e0dc9820d..05ed6ee2a 100644
--- a//drs/latest/userguide/security-iam-awsmanpol-AWSElasticDisasterRecoveryReadOnlyAccess.md
+++ b//drs/latest/userguide/security-iam-awsmanpol-AWSElasticDisasterRecoveryReadOnlyAccess.md
@@ -9 +9,14 @@ You can attach the AWSElasticDisasterRecoveryReadOnlyAccess policy to your IAM i
-This policy provides permissions to all read-only public APIs of AWS Elastic Disaster Recovery (AWS DRS), as well as some read-only APIs of IAM, EC2 and SSM in order to list and view installed roles Recovery Instances, Source Servers and post-launch actions. Attach this policy to your users or roles.
+This policy provides permissions to all read-only public APIs of AWS Elastic Disaster Recovery (AWS DRS), as well as some read-only APIs of other AWS services that are required to make full read-only use of the DRS console. This includes:
+
+  * **AWS Elastic Disaster Recovery (read-only)** – View all DRS resources such as Source Servers, Recovery Instances, Recovery Snapshots, and post-launch actions.
+
+  * **IAM (read-only)** – List IAM roles in your account.
+
+  * **EC2 (read-only)** – View EC2 instance details, launch templates, security groups, and subnets related to your recovery environment.
+
+  * **SSM (read-only)** – View Systems Manager configurations such as post-launch action settings and automation executions.
+
+
+
+
+Attach this policy to your users or roles. This policy is ideal for team members who need visibility into your disaster recovery setup, such as auditors or monitoring teams, without the ability to make changes.