IAM Roles Anywhere now applies VPC endpoint policies to the CreateSession API
AWS IAM Roles Anywhere now supports VPC endpoint policies for the CreateSession API, allowing users to manage access control more precisely. This update is available across all AWS Regions where IAM Roles Anywhere operates.
AWS Identity and Access Management (IAM) Roles Anywhere has introduced a new feature that allows users to set Virtual Private Cloud (VPC) endpoint policies specifically for the CreateSession API. This update enables users to configure their VPC endpoint policies to either permit or restrict the CreateSession operation. If an Allow statement in the VPC endpoint policy neither names the CreateSession action nor grants blanket permission for all operations (for example, by specifying “rolesanywhere:*” as the action), IAM Roles Anywhere will not issue temporary AWS credentials for CreateSession requests made through that VPC endpoint.
The CreateSession API is a critical tool that allows workloads operating outside of AWS to acquire temporary AWS credentials using X.509 certificates, which are then used to access AWS resources. Prior to this update, VPC endpoint policies were applicable to all IAM Roles Anywhere API operations except for CreateSession. This latest enhancement addresses that inconsistency, offering users comprehensive and precise access control over all IAM Roles Anywhere API operations.
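Because an endpoint policy that was written before this change may list only the management operations, it is worth auditing existing policies for the CreateSession action before workloads that rely on the endpoint lose access. The following Python script is an added example, not AWS code: it embeds two constructed endpoint policies (one that omits CreateSession and one that names it) and runs a simplified check that honours explicit Deny, wildcard Action patterns and NotAction, while ignoring Principal, Resource and Condition. It is therefore an audit heuristic rather than the full IAM evaluation logic, and the policy contents, function names and sample action lists are assumptions chosen for illustration.

```python
import fnmatch
import json

# Constructed sample: an endpoint policy written before CreateSession was
# enforced. It allows only two management calls, so after this change a
# workload calling CreateSession through the endpoint receives no credentials.
POLICY_MISSING_CREATESESSION = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["rolesanywhere:ListTrustAnchors", "rolesanywhere:ListProfiles"],
        "Resource": "*",
    }],
})

# Constructed sample: the same policy with CreateSession named explicitly.
POLICY_WITH_CREATESESSION = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": [
            "rolesanywhere:ListTrustAnchors",
            "rolesanywhere:ListProfiles",
            "rolesanywhere:CreateSession",
        ],
        "Resource": "*",
    }],
})


def _as_list(value):
    """IAM accepts a single string or a list for Action, NotAction and Statement."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action names are case-insensitive and support '*' and '?' globs."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def statement_covers(statement, action):
    """True if the statement's Action (or NotAction) applies to `action`."""
    if "Action" in statement:
        return any(_matches(p, action) for p in _as_list(statement["Action"]))
    if "NotAction" in statement:
        return not any(_matches(p, action) for p in _as_list(statement["NotAction"]))
    return False


def action_allowed(policy_json, action):
    """Simplified evaluation (assumption): an explicit Deny wins, otherwise a
    matching Allow is required. Principal, Resource and Condition are ignored,
    so this is an audit heuristic, not the full IAM policy evaluation."""
    policy = json.loads(policy_json)
    allowed = False
    for statement in _as_list(policy.get("Statement", [])):
        if not statement_covers(statement, action):
            continue
        if statement.get("Effect") == "Deny":
            return False
        if statement.get("Effect") == "Allow":
            allowed = True
    return allowed


def create_session_allowed(policy_json):
    """Would this endpoint policy let CreateSession obtain credentials?"""
    return action_allowed(policy_json, "rolesanywhere:CreateSession")


if __name__ == "__main__":
    for name, policy in [("missing", POLICY_MISSING_CREATESESSION),
                         ("explicit", POLICY_WITH_CREATESESSION)]:
        print(f"{name}: CreateSession allowed = {create_session_allowed(policy)}")
```

Run against the policy documents attached to your rolesanywhere VPC endpoints; any policy for which `create_session_allowed` returns False will, after this change, block credential issuance through that endpoint even though the trust anchor, profile and role permissions are otherwise correct.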
This feature is now accessible in all AWS Regions where IAM Roles Anywhere is offered, including the AWS GovCloud (US) Regions, AWS European Sovereign Cloud (Germany) Region, and China Regions. For further details, users are encouraged to consult the IAM Roles Anywhere User Guide.