IAM Roles Anywhere now enforces VPC endpoint policies for the CreateSession API
AWS IAM Roles Anywhere now supports configuring VPC endpoint policies for the CreateSession API, allowing for refined access control.
AWS Identity and Access Management (IAM) Roles Anywhere now lets you configure Virtual Private Cloud (VPC) endpoint policies that apply to the IAM Roles Anywhere CreateSession API. You can update a VPC endpoint policy to either allow or deny the CreateSession operation. For CreateSession calls through the endpoint to succeed, the policy must explicitly include the CreateSession action in an Allow statement, or allow all IAM Roles Anywhere operations by specifying “rolesanywhere:*” as the action. Without one of these, IAM Roles Anywhere will not issue temporary AWS credentials for requests that arrive through your VPC endpoint.
The CreateSession API is a critical component that enables workloads operating outside of AWS to acquire temporary AWS credentials using X.509 certificates, thereby facilitating access to AWS resources. Previously, VPC endpoint policies were applicable to all IAM Roles Anywhere API operations with the exception of CreateSession. The recent update addresses this discrepancy, ensuring consistent and detailed access control across all IAM Roles Anywhere API operations.
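Because an endpoint policy that was written before this change may allow every other IAM Roles Anywhere operation while never mentioning CreateSession, it is worth auditing existing policies before workloads start failing to obtain credentials. The following is an added example, not AWS code or documentation: a small Python audit helper that parses a VPC endpoint policy document and reports whether `rolesanywhere:CreateSession` would be allowed. It models only the part of IAM evaluation that matters here (an explicit Deny matching the action wins; otherwise some Allow statement must match, with `*` and `?` wildcards and case-insensitive action names) and assumes Principal, Resource and Condition in the endpoint policy are unconstrained. The sample policies are constructed; `rolesanywhere:ListTrustAnchors` and `rolesanywhere:ListProfiles` are other IAM Roles Anywhere actions used only to make the narrow policy realistic.

```python
"""Audit helper: does a VPC endpoint policy allow rolesanywhere:CreateSession?

Added example (not AWS code). Models the subset of IAM policy evaluation that
matters for an endpoint policy: an explicit Deny matching the action wins,
otherwise the action must be matched by some Allow statement. Principal,
Resource and Condition are assumed to be unconstrained and are not evaluated.
"""
import fnmatch
import json

TARGET_ACTION = "rolesanywhere:CreateSession"


def _as_list(value):
    """IAM accepts either a string or a list in Statement/Action/NotAction."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and support * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_covers(statement, action):
    """True if the statement's Action (or the complement of NotAction) includes action."""
    if "Action" in statement:
        return any(_action_matches(p, action) for p in _as_list(statement["Action"]))
    if "NotAction" in statement:
        return not any(_action_matches(p, action) for p in _as_list(statement["NotAction"]))
    return False


def create_session_allowed(policy):
    """Return True if the endpoint policy lets rolesanywhere:CreateSession through."""
    statements = _as_list(policy.get("Statement"))
    for s in statements:
        if s.get("Effect") == "Deny" and _statement_covers(s, TARGET_ACTION):
            return False  # an explicit Deny always wins
    return any(s.get("Effect") == "Allow" and _statement_covers(s, TARGET_ACTION)
               for s in statements)


def audit(policy_json):
    """Parse a policy document string and report whether CreateSession is allowed."""
    return create_session_allowed(json.loads(policy_json))


# Constructed sample policies (not taken from any real account).
# Narrow: allows other Roles Anywhere operations but never CreateSession.
NARROW_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow", "Principal": "*", "Resource": "*",
    "Action": ["rolesanywhere:ListTrustAnchors", "rolesanywhere:ListProfiles"]
  }]
}"""

# Fixed: the same policy with CreateSession explicitly added to the Allow statement.
FIXED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow", "Principal": "*", "Resource": "*",
    "Action": ["rolesanywhere:ListTrustAnchors", "rolesanywhere:ListProfiles",
               "rolesanywhere:CreateSession"]
  }]
}"""

# Wildcard: allows every IAM Roles Anywhere action, CreateSession included.
WILDCARD_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Principal": "*", "Resource": "*",
                 "Action": "rolesanywhere:*"}]
}"""

# Deny override: the wildcard Allow is cancelled by an explicit Deny on CreateSession.
DENY_OVERRIDE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": "*", "Resource": "*", "Action": "rolesanywhere:*"},
    {"Effect": "Deny",  "Principal": "*", "Resource": "*", "Action": "rolesanywhere:CreateSession"}
  ]
}"""


if __name__ == "__main__":
    for name, doc in [("narrow", NARROW_POLICY), ("fixed", FIXED_POLICY),
                      ("wildcard", WILDCARD_POLICY), ("deny-override", DENY_OVERRIDE_POLICY)]:
        print(f"{name:14s} CreateSession allowed: {audit(doc)}")
```

Running the script shows the narrow and deny-override policies blocking CreateSession while the fixed and wildcard policies permit it. To check a live endpoint, feed the output of `aws ec2 describe-vpc-endpoints` (the `PolicyDocument` field) into `audit`; remember that a real evaluation also depends on the Principal, Resource and any Condition keys, which this helper deliberately ignores.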
This new feature is accessible in all AWS Regions where IAM Roles Anywhere is available, including the AWS GovCloud (US) Regions, AWS European Sovereign Cloud (Germany) Region, and China Regions. For more detailed information, users are encouraged to consult the IAM Roles Anywhere User Guide.