AWS rosa documentation change
Summary
Updated ROSAControlPlaneOperatorPolicy to add permissions for tagging Red Hat-managed security groups and modifying VPC endpoints with security groups
Security assessment
This change documents updates to an AWS managed IAM policy for ROSA (Red Hat OpenShift Service on AWS). The changes add permissions for resource lifecycle management and fix VPCE reconciliation failures during cluster upgrades. While IAM policies are security-related, there is no evidence this addresses a specific security vulnerability - it appears to be routine policy maintenance for operational functionality.
Diff
diff --git a/rosa/latest/userguide/security-iam-awsmanpol.md b/rosa/latest/userguide/security-iam-awsmanpol.md index 320f3f208..24b445299 100644 --- a//rosa/latest/userguide/security-iam-awsmanpol.md +++ b//rosa/latest/userguide/security-iam-awsmanpol.md @@ -309,0 +310,4 @@ This policy includes the following permissions that allow the Control Plane Oper + * Added tags to RedHatManagedSecurityGroups: Allows the Control Plane Operator to tag Red Hat-managed security groups after creation. This is required for proper resource lifecycle management and cleanup of security groups associated with ROSA with HCP clusters. + + * Added security-group/* to ManageVPCEndpointWithCondition: Fixes VPCE reconciliation failures during cluster upgrades. The operator needs permission to modify VPC endpoints that reference security groups. + @@ -320,0 +325 @@ Change | Description | Date +ROSAControlPlaneOperatorPolicy — Policy updated | ROSA updated the policy to allow tagging of Red Hat-managed security groups for proper resource lifecycle management and to add security-group/* to ManageVPCEndpointWithCondition to fix VPCE reconciliation failures during cluster upgrades. To learn more, see AWS managed policy: ROSAControlPlaneOperatorPolicy. | April 9, 2026