AWS Security ChangesHomeSearch

AWS config documentation change

Service: config · 2026-05-10 · Documentation low

File: config/latest/developerguide/DocumentHistory.md

Summary

Added new NZISM conformance packs documentation and updated multiple existing entries by replacing 'Amazon Connect' with 'Connect Customer' in IAM policy updates and resource type listings.

Security assessment

The change adds documentation for NZISM conformance packs, which are security compliance frameworks, and updates IAM policy permissions. While IAM policies are security-related, there is no evidence of a specific vulnerability being fixed. The renaming of 'Amazon Connect' to 'Connect Customer' appears to be a branding update without security implications.

Diff

diff --git a/config/latest/developerguide/DocumentHistory.md b/config/latest/developerguide/DocumentHistory.md
index dc24a7539..93751545e 100644
--- a//config/latest/developerguide/DocumentHistory.md
+++ b//config/latest/developerguide/DocumentHistory.md
@@ -21,0 +22,8 @@ Change| Description| Date
+AWS Config updates NZISM conformance packs| With this release, AWS Config supports the following conformance packs:
+
+  * [NZISM (v3.9) Control mapping to AWS Managed Config Rules Extension](https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nzism-extension.html)
+  * [NZISM (v3.9) Control mapping to AWS Managed Config Rules Foundation](https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nzism-foundation.html)
+  * [NZISM (v3.9) Control mapping to AWS Managed Config Rules NZ Transition](https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nzism-nztransition.html)
+
+| May 7, 2026  
+Security IAM updates| The `AWSConfigServiceRolePolicy` and `AWS_ConfigRole` policies now grant additional permissions for bedrock, bedrock-agentcore, cloudtrail, cloudwatch, connect, dynamodb, elasticloadbalancing, lambda, license-manager, redshift, s3, s3express, and sagemaker services. For more information, see [AWS managed policies for AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/security-iam-awsmanpol.html).| May 5, 2026  
@@ -204 +212 @@ AWS Config supports new conformance pack| With this release, AWS Config supports
-Security IAM updates| The `AWSConfigServiceRolePolicy` and `AWS_ConfigRole` policies now grants additional permissions for AWS Amplify, AWS AppSync, Amazon Bedrock, AWS CloudTrail, CloudFormation, AWS CodeArtifact, AWS CodePipeline, Amazon Connect, AWS Deadline Cloud, Amazon EC2, AWS Entity Resolution, AWS IoT SiteWise, Amazon IVS, AWS Lambda, Amazon EventBridge, Amazon Quick, Amazon Redshift, Amazon Redshift Serverless, AWS Identity and Access Management Roles Anywhere, Amazon SageMaker, AWS Secrets Manager, Amazon Security Lake, AWS Service Catalog, AWS Shield, Amazon EC2 Systems Manager, and AWS WAFV2. For more information, see [AWS managed policies for AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/security-iam-awsmanpol.html).| October 1, 2025  
+Security IAM updates| The `AWSConfigServiceRolePolicy` and `AWS_ConfigRole` policies now grants additional permissions for AWS Amplify, AWS AppSync, Amazon Bedrock, AWS CloudTrail, CloudFormation, AWS CodeArtifact, AWS CodePipeline, Connect Customer, AWS Deadline Cloud, Amazon EC2, AWS Entity Resolution, AWS IoT SiteWise, Amazon IVS, AWS Lambda, Amazon EventBridge, Amazon Quick, Amazon Redshift, Amazon Redshift Serverless, AWS Identity and Access Management Roles Anywhere, Amazon SageMaker, AWS Secrets Manager, Amazon Security Lake, AWS Service Catalog, AWS Shield, Amazon EC2 Systems Manager, and AWS WAFV2. For more information, see [AWS managed policies for AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/security-iam-awsmanpol.html).| October 1, 2025  
@@ -554 +562 @@ AWS Config updates managed rules| With this release, AWS Config supports the fol
-Security IAM update| The `AWSConfigServiceRolePolicy` policy and `AWS_ConfigRole` policy now grant additional permissions for AWS AppConfig, AWS CloudTrail, Amazon Connect, Amazon DataZone, Amazon DevOps Guru, AWS Glue, Identity Store, AWS IoT, AWS IoT FleetWise, AWS IoT Wireless, Amazon Interactive Video Service (Amazon IVS), Amazon CloudWatch Logs, Amazon CloudWatch Observability Access Manager, AWS Payment Cryptography, Amazon Relational Database Service (Amazon RDS), Amazon Rekognition, Amazon Simple Storage Service (Amazon S3), Amazon EventBridge Scheduler, AWS Systems Manager, and Amazon VPC Lattice. For more information, see [AWS managed policies for AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/security-iam-awsmanpol.html). | November 8, 2024  
+Security IAM update| The `AWSConfigServiceRolePolicy` policy and `AWS_ConfigRole` policy now grant additional permissions for AWS AppConfig, AWS CloudTrail, Amazon Connect Customer, Amazon DataZone, Amazon DevOps Guru, AWS Glue, Identity Store, AWS IoT, AWS IoT FleetWise, AWS IoT Wireless, Amazon Interactive Video Service (Amazon IVS), Amazon CloudWatch Logs, Amazon CloudWatch Observability Access Manager, AWS Payment Cryptography, Amazon Relational Database Service (Amazon RDS), Amazon Rekognition, Amazon Simple Storage Service (Amazon S3), Amazon EventBridge Scheduler, AWS Systems Manager, and Amazon VPC Lattice. For more information, see [AWS managed policies for AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/security-iam-awsmanpol.html). | November 8, 2024  
@@ -708 +716 @@ The following pages in the developer guide are updated:
-Security IAM update| The `AWSConfigServiceRolePolicy` policy and `AWS_ConfigRole` policy now grant additional permissions for Amazon Cognito, Amazon Connect, Amazon EMR, AWS Ground Station, AWS Mainframe Modernization, Amazon MemoryDB, AWS Organizations, Amazon Quick, Amazon Relational Database Service (Amazon RDS), Amazon Redshift, Amazon Route 53, AWS Service Catalog, and AWS Transfer Family.The `AWSConfigServiceRolePolicy` policy and `AWS_ConfigRole` policy also now add security identifiers (SID) for `AWSConfigServiceRolePolicyStatementID`, `AWSConfigSLRLogStatementID`, `AWSConfigSLRLogEventStatementID`, `AWSConfigSLRApiGatewayStatementID`, and `AWSConfigServiceRolePolicy` policy.For more information, see [AWS managed policies for AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/security-iam-awsmanpol.html).| November 17, 2023  
+Security IAM update| The `AWSConfigServiceRolePolicy` policy and `AWS_ConfigRole` policy now grant additional permissions for Amazon Cognito, Amazon Connect Customer, Amazon EMR, AWS Ground Station, AWS Mainframe Modernization, Amazon MemoryDB, AWS Organizations, Amazon Quick, Amazon Relational Database Service (Amazon RDS), Amazon Redshift, Amazon Route 53, AWS Service Catalog, and AWS Transfer Family.The `AWSConfigServiceRolePolicy` policy and `AWS_ConfigRole` policy also now add security identifiers (SID) for `AWSConfigServiceRolePolicyStatementID`, `AWSConfigSLRLogStatementID`, `AWSConfigSLRLogEventStatementID`, `AWSConfigSLRApiGatewayStatementID`, and `AWSConfigServiceRolePolicy` policy.For more information, see [AWS managed policies for AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/security-iam-awsmanpol.html).| November 17, 2023  
@@ -728 +736 @@ AWS Config updates managed rules| With this release, AWS Config supports the fol
-AWS Config supports new resources types| With this release, you can use AWS Config to record configuration changes to new AWS Identity and Access Management (IAM), AWS Network Manager, AWS Private Certificate Authority (AWS Private CA), AWS App Mesh, Amazon Connect, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Container Service (Amazon ECS), AWS IoT, AWS IoT TwinMaker, Amazon Managed Streaming for Apache Kafka Connect (Amazon MSK Connect), AWS Lambda, and AWS Resource Explorer resource types. For more information, see [Supported Resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html).| November 3, 2023  
+AWS Config supports new resources types| With this release, you can use AWS Config to record configuration changes to new AWS Identity and Access Management (IAM), AWS Network Manager, AWS Private Certificate Authority (AWS Private CA), AWS App Mesh, Connect Customer, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Container Service (Amazon ECS), AWS IoT, AWS IoT TwinMaker, Amazon Managed Streaming for Apache Kafka Connect (Amazon MSK Connect), AWS Lambda, and AWS Resource Explorer resource types. For more information, see [Supported Resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html).| November 3, 2023  
@@ -731 +739 @@ Compliance and Inventory Dashboards for Aggregators| With this release, AWS Conf
-Security IAM update| The `AWSConfigServiceRolePolicy` policy and `AWS_ConfigRole` policy now grant additional permissions for AWS Private CA, AWS App Mesh, Amazon Connect, Amazon Elastic Container Service (Amazon ECS), Amazon CloudWatch Evidently, Amazon Managed Grafana, Amazon GuardDuty, Amazon Inspector, AWS IoT, AWS IoT TwinMaker, Amazon Managed Streaming for Apache Kafka (Amazon MSK), AWS Lambda, AWS Network Manager, AWS Organizations, and Amazon SageMaker AI. For more information, see [AWS managed policies for AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/security-iam-awsmanpol.html).| October 4, 2023  
+Security IAM update| The `AWSConfigServiceRolePolicy` policy and `AWS_ConfigRole` policy now grant additional permissions for AWS Private CA, AWS App Mesh, Connect Customer, Amazon Elastic Container Service (Amazon ECS), Amazon CloudWatch Evidently, Amazon Managed Grafana, Amazon GuardDuty, Amazon Inspector, AWS IoT, AWS IoT TwinMaker, Amazon Managed Streaming for Apache Kafka (Amazon MSK), AWS Lambda, AWS Network Manager, AWS Organizations, and Amazon SageMaker AI. For more information, see [AWS managed policies for AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/security-iam-awsmanpol.html).| October 4, 2023  
@@ -780,2 +788,2 @@ AWS Config supports new resources types| With this release, you can use AWS Conf
-Security IAM update| The `AWSConfigServiceRolePolicy` policy and `AWS_ConfigRole` policy now grant additional permissions for Amazon Managed Workflows for AWS App Mesh, Amazon WorkSpaces Applications, AWS CloudFormation, Amazon CloudFront AWS CodeArtifact, AWS CodeBuild, Amazon Connect, AWS Glue, Amazon GuardDuty, AWS Identity and Access Management (IAM), Amazon Inspector, AWS IoT, AWS IoT TwinMaker, AWS IoT Wireless, Amazon Managed Streaming for Apache Kafka, Amazon Macie, AWS Elemental MediaConnect, AWS Network Manager, AWS Organizations, AWS Resource Explorer, Amazon Route 53, Amazon Simple Storage Service (Amazon S3), Amazon Simple Notification Service (Amazon SNS), and Amazon EC2 Systems Manager (SSM). For more information, see [AWS managed policies for AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/security-iam-awsmanpol.html).| July 28, 2023  
-AWS Config supports new resources types| With this release, you can use AWS Config to record configuration changes to new Amazon Kinesis, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Pinpoint, Amazon Simple Storage Service (Amazon S3), Amazon Virtual Private Cloud (Amazon VPC), Amazon Kendra, Amazon Connect, AWS CloudFormation, AWS AppConfig, AWS App Mesh, AWS App Runner, and AWS Database Migration Service (AWS DMS) resource types. For more information, see [Supported Resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html).| July 10, 2023  
+Security IAM update| The `AWSConfigServiceRolePolicy` policy and `AWS_ConfigRole` policy now grant additional permissions for Amazon Managed Workflows for AWS App Mesh, Amazon WorkSpaces Applications, AWS CloudFormation, Amazon CloudFront AWS CodeArtifact, AWS CodeBuild, Amazon Connect Customer, AWS Glue, Amazon GuardDuty, AWS Identity and Access Management (IAM), Amazon Inspector, AWS IoT, AWS IoT TwinMaker, AWS IoT Wireless, Amazon Managed Streaming for Apache Kafka, Amazon Macie, AWS Elemental MediaConnect, AWS Network Manager, AWS Organizations, AWS Resource Explorer, Amazon Route 53, Amazon Simple Storage Service (Amazon S3), Amazon Simple Notification Service (Amazon SNS), and Amazon EC2 Systems Manager (SSM). For more information, see [AWS managed policies for AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/security-iam-awsmanpol.html).| July 28, 2023  
+AWS Config supports new resources types| With this release, you can use AWS Config to record configuration changes to new Amazon Kinesis, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Pinpoint, Amazon Simple Storage Service (Amazon S3), Amazon Virtual Private Cloud (Amazon VPC), Amazon Kendra, Amazon Connect Customer, AWS CloudFormation, AWS AppConfig, AWS App Mesh, AWS App Runner, and AWS Database Migration Service (AWS DMS) resource types. For more information, see [Supported Resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html).| July 10, 2023  
@@ -783 +791 @@ Service limits increase for organization conformance packs| With this release, A
-Security IAM update| The `AWSConfigServiceRolePolicy` policy and `AWS_ConfigRole` policy now grant additional permissions for Amazon Managed Workflows for AWS Amplify, Amazon Connect, AWS App Mesh, Amazon Managed Service for Prometheus, Amazon Athena, AWS Batch, AWS CloudFormation, AWS CloudTrail, AWS CodeArtifact, Amazon CodeGuru, AWS Directory Service, Amazon DynamoDB, Amazon Elastic Compute Cloud (Amazon EC2), Amazon CloudWatch Evidently, Amazon Forecast, AWS Organizations, AWS IoT Greengrass, AWS Ground Station, AWS Identity and Access Management (IAM), Amazon Managed Streaming for Apache Kafka(Amazon MSK), Amazon Lightsail, Amazon CloudWatch Logs, AWS Elemental MediaConnect, AWS Elemental MediaTailor, Amazon Pinpoint, Amazon Virtual Private Cloud (Amazon VPC), Amazon Personalize, Amazon Quick, AWS Migration Hub Refactor Spaces, Amazon Simple Storage Service (Amazon S3), Amazon SageMaker AI, and AWS Transfer Family. For more information, see [AWS managed policies for AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/security-iam-awsmanpol.html).| June 13, 2023  
+Security IAM update| The `AWSConfigServiceRolePolicy` policy and `AWS_ConfigRole` policy now grant additional permissions for Amazon Managed Workflows for AWS Amplify, Amazon Connect Customer, AWS App Mesh, Amazon Managed Service for Prometheus, Amazon Athena, AWS Batch, AWS CloudFormation, AWS CloudTrail, AWS CodeArtifact, Amazon CodeGuru, AWS Directory Service, Amazon DynamoDB, Amazon Elastic Compute Cloud (Amazon EC2), Amazon CloudWatch Evidently, Amazon Forecast, AWS Organizations, AWS IoT Greengrass, AWS Ground Station, AWS Identity and Access Management (IAM), Amazon Managed Streaming for Apache Kafka(Amazon MSK), Amazon Lightsail, Amazon CloudWatch Logs, AWS Elemental MediaConnect, AWS Elemental MediaTailor, Amazon Pinpoint, Amazon Virtual Private Cloud (Amazon VPC), Amazon Personalize, Amazon Quick, AWS Migration Hub Refactor Spaces, Amazon Simple Storage Service (Amazon S3), Amazon SageMaker AI, and AWS Transfer Family. For more information, see [AWS managed policies for AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/security-iam-awsmanpol.html).| June 13, 2023  
@@ -843 +851 @@ AWS Config updates managed rules| With this release, AWS Config supports the fol
-AWS Config supports new resources types| With this release, you can use AWS Config to record configuration changes to new Amazon WorkSpaces Applications, AWS Auto Scaling, Amazon Connect Amazon Elastic Compute Cloud, Amazon EventBridge, HealthLake, Kinesis video stream, AWS IoT TwinMaker, Lookout for Vision, Network Manager, Amazon Pinpoint, Amazon Application Recovery Controller (ARC), and AWS RoboMaker resource types. For more information, see [Supported Resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html).| April 3, 2023  
+AWS Config supports new resources types| With this release, you can use AWS Config to record configuration changes to new Amazon WorkSpaces Applications, AWS Auto Scaling, Connect Customer Amazon Elastic Compute Cloud, Amazon EventBridge, HealthLake, Kinesis video stream, AWS IoT TwinMaker, Lookout for Vision, Network Manager, Amazon Pinpoint, Amazon Application Recovery Controller (ARC), and AWS RoboMaker resource types. For more information, see [Supported Resource Types](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html).| April 3, 2023  
@@ -922 +930 @@ The following conformance packs are updated:
-Security IAM update| The `AWSConfigServiceRolePolicy` policy and `AWS_ConfigRole` policy now grant additional permissions for AWS Certificate Manager, Amazon Managed Workflows for Apache Airflow, AWS Amplify, AWS AppConfig, Amazon Keyspaces, Amazon CloudWatch, Amazon Connect, AWS Glue DataBrew, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Kubernetes Service (Amazon EKS), Amazon EventBridge, AWS Fault Injection Service, Amazon Fraud Detector, Amazon FSx, Amazon GameLift Servers, Amazon Location Service, AWS IoT, Amazon Lex, Amazon Lightsail, Amazon Pinpoint, OpsWorks, AWS Panorama, AWS Resource Access Manager, Amazon Quick, Amazon Relational Database Service (Amazon RDS), Amazon Rekognition, AWS RoboMaker, AWS Resource Groups, Amazon Route 53, Amazon Simple Storage Service (Amazon S3), AWS Cloud Map, and AWS Security Token Service. For more information, see [AWS managed policies for AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/security-iam-awsmanpol.html).| October 19, 2022  
+Security IAM update| The `AWSConfigServiceRolePolicy` policy and `AWS_ConfigRole` policy now grant additional permissions for AWS Certificate Manager, Amazon Managed Workflows for Apache Airflow, AWS Amplify, AWS AppConfig, Amazon Keyspaces, Amazon CloudWatch, Connect Customer, AWS Glue DataBrew, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Kubernetes Service (Amazon EKS), Amazon EventBridge, AWS Fault Injection Service, Amazon Fraud Detector, Amazon FSx, Amazon GameLift Servers, Amazon Location Service, AWS IoT, Amazon Lex, Amazon Lightsail, Amazon Pinpoint, OpsWorks, AWS Panorama, AWS Resource Access Manager, Amazon Quick, Amazon Relational Database Service (Amazon RDS), Amazon Rekognition, AWS RoboMaker, AWS Resource Groups, Amazon Route 53, Amazon Simple Storage Service (Amazon S3), AWS Cloud Map, and AWS Security Token Service. For more information, see [AWS managed policies for AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/security-iam-awsmanpol.html).| October 19, 2022  
@@ -950 +958 @@ AWS Config supports new conformance pack| With this release, AWS Config supports
-Security IAM update| The `AWSConfigServiceRolePolicy` policy and `AWS_ConfigRole` policy now grant additional permissions for Amazon AppFlow, Amazon CloudWatch, Amazon CloudWatch RUM, Amazon CloudWatch Synthetics, Amazon Connect Customer Profiles, Amazon Connect Voice ID, Amazon DevOps Guru, Amazon Elastic Compute Cloud (Amazon EC2), Amazon EC2 Auto Scaling, Amazon EMR, Amazon EventBridge, Amazon EventBridge Schemas, Amazon FinSpace, Amazon Fraud Detector, Amazon GameLift Servers, Amazon Interactive Video Service (Amazon IVS), Amazon Managed Service for Apache Flink, EC2 Image Builder, Amazon Lex, Amazon Lightsail, Amazon Location Service, Amazon Lookout for Equipment, Amazon Lookout for Metrics, Amazon Lookout for Vision, Amazon Managed Blockchain, Amazon MQ, Amazon Nimble StudioAmazon Pinpoint, Amazon Quick, Amazon Application Recovery Controller (ARC), Amazon Route 53 Resolver, Amazon Simple Storage Service (Amazon S3), Amazon SimpleDB, Amazon Simple Email Service (Amazon SES), Amazon Timestream, AWS AppConfig, AWS AppSync, AWS Auto Scaling, AWS Backup, AWS Budgets, AWS Cost Explorer, AWS Cloud9, AWS Directory Service, AWS DataSync, AWS Elemental MediaPackage, AWS Glue, AWS IoT, AWS IoT Analytics, AWS IoT Events, AWS IoT SiteWise, AWS IoT TwinMaker, AWS Lake Formation, AWS License Manager, AWS Resilience Hub, AWS Signer, and AWS Transfer Family. For more information, see [AWS managed policies for AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/security-iam-awsmanpol.html).| September 7, 2022  
+Security IAM update| The `AWSConfigServiceRolePolicy` policy and `AWS_ConfigRole` policy now grant additional permissions for Amazon AppFlow, Amazon CloudWatch, Amazon CloudWatch RUM, Amazon CloudWatch Synthetics, Amazon Connect Customer Customer Profiles, Amazon Connect Customer Voice ID, Amazon DevOps Guru, Amazon Elastic Compute Cloud (Amazon EC2), Amazon EC2 Auto Scaling, Amazon EMR, Amazon EventBridge, Amazon EventBridge Schemas, Amazon FinSpace, Amazon Fraud Detector, Amazon GameLift Servers, Amazon Interactive Video Service (Amazon IVS), Amazon Managed Service for Apache Flink, EC2 Image Builder, Amazon Lex, Amazon Lightsail, Amazon Location Service, Amazon Lookout for Equipment, Amazon Lookout for Metrics, Amazon Lookout for Vision, Amazon Managed Blockchain, Amazon MQ, Amazon Nimble StudioAmazon Pinpoint, Amazon Quick, Amazon Application Recovery Controller (ARC), Amazon Route 53 Resolver, Amazon Simple Storage Service (Amazon S3), Amazon SimpleDB, Amazon Simple Email Service (Amazon SES), Amazon Timestream, AWS AppConfig, AWS AppSync, AWS Auto Scaling, AWS Backup, AWS Budgets, AWS Cost Explorer, AWS Cloud9, AWS Directory Service, AWS DataSync, AWS Elemental MediaPackage, AWS Glue, AWS IoT, AWS IoT Analytics, AWS IoT Events, AWS IoT SiteWise, AWS IoT TwinMaker, AWS Lake Formation, AWS License Manager, AWS Resilience Hub, AWS Signer, and AWS Transfer Family. For more information, see [AWS managed policies for AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/security-iam-awsmanpol.html).| September 7, 2022