AWS Security ChangesHomeSearch

AWS r53recovery high security documentation change

Service: r53recovery · 2026-07-04 · Security-related high

File: r53recovery/latest/dg/manual-approval-block.md

Summary

Added IAM PassRole requirement for manual approval roles and enhanced validation checks during plan execution

Security assessment

Explicitly requires iam:PassRole permission to prevent privilege escalation risks. Adds validation for role ARN, account ownership, and specific arc-region-switch:ApprovePlanExecutionStep permission to block misconfigurations that could bypass approval workflows.

Diff

diff --git a/r53recovery/latest/dg/manual-approval-block.md b/r53recovery/latest/dg/manual-approval-block.md
index eb48efc57..18c742b3c 100644
--- a//r53recovery/latest/dg/manual-approval-block.md
+++ b//r53recovery/latest/dg/manual-approval-block.md
@@ -14,0 +15,2 @@ To ensure that manual approval is required during plan execution, you input a ma
+The IAM role used to create or update a plan with a manual approval execution block must have `iam:PassRole` permission for the manual approval role.
+
@@ -40 +42 @@ By configuring a manual approval execution block, you can require an approval as
-  * When Region switch runs a manual execution block, it pauses execution and sets the plan's execution status to pending approval.
+  * When Region switch runs a manual approval execution block, it pauses execution and sets the plan's execution status to pending approval.
@@ -53 +55 @@ This block does not support ungraceful execution mode.
-Region switch does not complete any evaluations for manual approval execution blocks.
+When Region switch evaluates your plan, Region switch performs several checks on your manual approval execution block configuration and permissions. Region switch verifies that the configured role is a valid ARN, that the role is for the same account that owns the plan, and that the role has `arc-region-switch:ApprovePlanExecutionStep` permission. If any of the checks fail, Region switch returns warning messages, which you can view in the console. Or, you can receive the validation warnings through or by using API operations.