AWS Security ChangesHomeSearch

AWS vm-import documentation change

Service: vm-import · 2026-05-07 · Documentation medium

File: vm-import/latest/userguide/required-permissions.md

Summary

Added requirement for iam:PassRole permission and example policy statement

Security assessment

The change emphasizes proper IAM role delegation (iam:PassRole) which is a security best practice for service roles, preventing privilege escalation risks. No specific vulnerability is mentioned.

Diff

diff --git a/vm-import/latest/userguide/required-permissions.md b/vm-import/latest/userguide/required-permissions.md
index 8f4a309b3..2cb941a2e 100644
--- a//vm-import/latest/userguide/required-permissions.md
+++ b//vm-import/latest/userguide/required-permissions.md
@@ -25,0 +26,4 @@ Your users, groups, and roles need the following permissions in their IAM policy
+###### Important
+
+VM Import/Export validates that you have `iam:PassRole` permission for the role specified in the `RoleName` parameter, or for the default `vmimport` role if none is specified. Ensure that your IAM policy grants `iam:PassRole` on the role ARN you intend to use. For more information, see [Grant a user permissions to pass a role to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html) in the _IAM User Guide_.
+
@@ -82,0 +87,5 @@ JSON
+        },
+        {
+          "Effect": "Allow",
+          "Action": "iam:PassRole",
+          "Resource": "arn:aws:iam::*:role/vmimport"