AWS vm-import documentation change
Summary
Added requirement for iam:PassRole permission and example policy statement
Security assessment
The change emphasizes proper IAM role delegation (iam:PassRole) which is a security best practice for service roles, preventing privilege escalation risks. No specific vulnerability is mentioned.
Diff
diff --git a/vm-import/latest/userguide/required-permissions.md b/vm-import/latest/userguide/required-permissions.md index 8f4a309b3..2cb941a2e 100644 --- a//vm-import/latest/userguide/required-permissions.md +++ b//vm-import/latest/userguide/required-permissions.md @@ -25,0 +26,4 @@ Your users, groups, and roles need the following permissions in their IAM policy +###### Important + +VM Import/Export validates that you have `iam:PassRole` permission for the role specified in the `RoleName` parameter, or for the default `vmimport` role if none is specified. Ensure that your IAM policy grants `iam:PassRole` on the role ARN you intend to use. For more information, see [Grant a user permissions to pass a role to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html) in the _IAM User Guide_. + @@ -82,0 +87,5 @@ JSON + }, + { + "Effect": "Allow", + "Action": "iam:PassRole", + "Resource": "arn:aws:iam::*:role/vmimport"