IAM Roles Anywhere introduces VPC endpoint policy enforcement for CreateSession API

AWS IAM Roles Anywhere now allows configuration of VPC endpoint policies for the CreateSession API, enabling fine-grained access control across API operations.

AWS Identity and Access Management (IAM) Roles Anywhere has introduced a new feature that allows users to configure Virtual Private Cloud (VPC) endpoint policies specifically for the IAM Roles Anywhere CreateSession API. With this change, users can modify their VPC endpoint policies to explicitly allow or deny the CreateSession operation.

Previously, VPC endpoint policies applied to all IAM Roles Anywhere API operations except for CreateSession. With this enhancement, IAM Roles Anywhere will not issue temporary AWS credentials for requests made through your VPC endpoint unless your VPC endpoint policy either explicitly includes the CreateSession operation in an Allow statement or permits all operations (for example, by specifying 'rolesanywhere:*' as the action).

The CreateSession API is crucial as it allows workloads that are running outside of AWS to obtain temporary AWS credentials using X.509 certificates to access AWS resources. This new capability ensures consistent and fine-grained access control across all IAM Roles Anywhere API operations.
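The following is an added example, not code from the announcement or from AWS: a constructed VPC endpoint policy that predates this change and lists only management actions (action names other than CreateSession are assumed for illustration), the corrected policy with CreateSession explicitly allowed, and a simplified checker that shows which of the two still lets CreateSession through. The checker is not AWS's policy engine; it evaluates Action/NotAction wildcards and Deny precedence only.

```python
"""Added example: a simplified check of whether a VPC endpoint policy lets
rolesanywhere:CreateSession through. This is not AWS's policy engine: it
handles Action/NotAction wildcards and Deny precedence only, and ignores
Principal, Resource and Condition."""
import fnmatch
import json

ACTION = "rolesanywhere:CreateSession"

# Constructed policy written before this change: it lists management calls
# only, so after the change it blocks CreateSession (action names other
# than CreateSession are assumed for illustration).
OLD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Resource": "*",
    "Action": ["rolesanywhere:ListProfiles", "rolesanywhere:GetTrustAnchor"]}]})

# Constructed corrected policy: CreateSession is explicitly allowed.
FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Resource": "*",
    "Action": ["rolesanywhere:ListProfiles", "rolesanywhere:GetTrustAnchor",
               "rolesanywhere:CreateSession"]}]})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, action):
    # IAM action matching is case-insensitive and supports * and ? wildcards
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))

def allows_action(policy_json, action=ACTION):
    """True when some Allow statement covers the action and no Deny statement does."""
    allowed = denied = False
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if "Action" in stmt:
            hit = _matches(stmt["Action"], action)
        else:  # NotAction: the statement applies to every action except those listed
            hit = not _matches(stmt.get("NotAction", []), action)
        if not hit:
            continue
        if stmt.get("Effect") == "Deny":
            denied = True
        elif stmt.get("Effect") == "Allow":
            allowed = True
    return allowed and not denied

if __name__ == "__main__":
    for name, policy in (("old", OLD_POLICY), ("fixed", FIXED_POLICY)):
        state = "allowed" if allows_action(policy) else "blocked"
        print(f"{name} policy: CreateSession {state}")
```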

This feature is now available in all AWS Regions where IAM Roles Anywhere is available, including the AWS GovCloud (US) Regions, AWS European Sovereign Cloud (Germany) Region, and China Regions. For more information, users are encouraged to refer to the IAM Roles Anywhere User Guide.