AWS Security ChangesHomeSearch

AWS IAM documentation change

Service: IAM · 2026-06-10 · Documentation low

File: IAM/latest/UserGuide/access_policies.md

Summary

Added documentation for two new policy types: VPC endpoint policies and AWS RAM resource shares. Updated policy type count from seven to nine, and added detailed explanations for both new policy types.

Security assessment

The change adds documentation for VPC endpoint policies which act as an additional access boundary for traffic traversing VPC endpoints, explicitly describing security controls. However, there's no evidence this addresses a specific vulnerability or incident - it documents new capabilities. AWS RAM resource shares documentation also covers secure resource sharing but doesn't reference any security fixes.

Diff

diff --git a/IAM/latest/UserGuide/access_policies.md b/IAM/latest/UserGuide/access_policies.md
index 1bfc2ceb4..17171d674 100644
--- a//IAM/latest/UserGuide/access_policies.md
+++ b//IAM/latest/UserGuide/access_policies.md
@@ -11 +11 @@ Policy typesPolicies and the root userOverview of JSON policiesGrant least privi
-Manage access in AWS by creating policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources. A policy is an object in AWS that, when associated with an identity or resource, defines their permissions. AWS evaluates these policies when an IAM principal (user or role) makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON documents. AWS supports seven types of policies: identity-based policies, resource-based policies, permissions boundaries, AWS Organizations service control policies (SCPs), AWS Organizations resource control policies (RCPs), access control lists (ACLs), and session policies.
+Manage access in AWS by creating policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources. A policy is an object in AWS that, when associated with an identity or resource, defines their permissions. AWS evaluates these policies when an IAM principal (user or role) makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON documents. AWS supports nine types of policies: identity-based policies, resource-based policies, VPC endpoint policies, permissions boundaries, AWS Organizations service control policies (SCPs), AWS Organizations resource control policies (RCPs), access control lists (ACLs), Resource Access Manager shares (RAM) and session policies.
@@ -22,0 +23,2 @@ The following policy types, listed in order from most frequently used to less fr
+  * **VPC endpoint policies** – Attach to a VPC endpoint to control which principals can use the VPC endpoint policies and which resources can be accessed through it. VPC endpoint policies act as an additional access boundary scoped to traffic that traverses the endpoint.
+
@@ -30,0 +33,2 @@ The following policy types, listed in order from most frequently used to less fr
+  * **AWS RAM resource shares** – Use AWS Resource Access Manager to share resources across AWS accounts, organizational units, or an entire organization without writing individual resource-based policies for each shared resource.
+
@@ -62,0 +67,4 @@ To see which other services support resource-based policies, see [AWS services t
+### VPC endpoint policies
+
+A VPC endpoint policy is a resource-based policy that you attach to a VPC endpoint to control which principals can use the endpoint and which resources can be accessed through it. VPC endpoint policies do not override or replace identity-based policies or resource-based policies attached to the destination service—they act as an additional access boundary scoped to traffic that traverses the endpoint. VPC endpoint policies are used to ensure that only trusted identities in your AWS Organizations organization can access trusted resources through your VPC endpoints. If you do not attach a custom endpoint policy, AWS attaches a default policy that allows full access. For more information about endpoint policies, see [Control access to VPC endpoints using endpoint policies](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html) in the _AWS PrivateLink Guide_.
+
@@ -82,0 +91,4 @@ Access control lists (ACLs) are service policies that allow you to control which
+### AWS Resource Access Manager (AWS RAM) resource shares
+
+AWS Resource Access Manager (AWS RAM) lets you share resources you create in one AWS account with other AWS accounts, organizational units, or an entire organization in AWS Organizations, without writing individual resource-based policies for each shared resource. While you can grant cross-account access by attaching a resource-based policy directly to a resource, AWS RAM provides a managed, centralized alternative that eliminates the need to enumerate account IDs in policies or maintain identical policy documents across accounts. With RAM, consuming accounts see shared resources natively in their service consoles, resource owners retain full ownership and visibility into who has access, and managed permissions define the maximum actions consumers can perform—all governed by a single resource share rather than per-resource policies. Common use cases include sharing VPC subnets, AWS Transit Gateway attachments, Route 53 Resolver rules, and License Manager configurations across accounts. For more information, see [What is AWS Resource Access Manager?](https://docs.aws.amazon.com/ram/latest/userguide/what-is.html) in the _AWS RAM User Guide_.
+
@@ -93 +105 @@ A resource-based policy can specify the ARN of the user or role as a principal.
-![Evaluation of the session policy with a resource-based policy specifying the entity ARN](/images/IAM/latest/UserGuide/images/EffectivePermissions-session-rbp-id.png)
+![Evaluation of the session policy with a resource-based policy specifying the entity ARN.](/images/IAM/latest/UserGuide/images/EffectivePermissions-session-rbp-id.png)
@@ -97 +109 @@ A resource-based policy can specify the ARN of the session as a principal. In th
-![Evaluation of the session policy with a resource-based policy specifying the session ARN](/images/IAM/latest/UserGuide/images/EffectivePermissions-session-rbpsession-id.png)
+![Evaluation of the session policy with a resource-based policy specifying the session ARN.](/images/IAM/latest/UserGuide/images/EffectivePermissions-session-rbpsession-id.png)
@@ -101 +113 @@ A permissions boundary can set the maximum permissions for a user or role that i
-![Evaluation of the session policy with a permissions boundary](/images/IAM/latest/UserGuide/images/EffectivePermissions-session-boundary-id.png)
+![Evaluation of the session policy with a permissions boundary.](/images/IAM/latest/UserGuide/images/EffectivePermissions-session-boundary-id.png)
@@ -128 +140 @@ Each statement includes information about a single permission. If a policy inclu
-![JSON policy document structure](/images/IAM/latest/UserGuide/images/AccessPolicyLanguage_General_Policy_Structure.diagram.png)
+![JSON policy document structure.](/images/IAM/latest/UserGuide/images/AccessPolicyLanguage_General_Policy_Structure.diagram.png)