IAM Roles Anywhere now enforces VPC endpoint policies for the CreateSession API
Amazon Identity and Access Management (IAM) Roles Anywhere now lets you configure Virtual Private Cloud (VPC) endpoint policies for the IAM Roles Anywhere CreateSession API. You can update your VPC endpoint policies to allow or deny the CreateSession operation. Unless your VPC endpoint policy explicitly allows rolesanywhere:CreateSession, or allows all operations (for example, by specifying "rolesanywhere:*" as the action), IAM Roles Anywhere will not return temporary credentials for requests made through your VPC endpoint. If your existing endpoint policy lists specific actions rather than a wildcard, add rolesanywhere:CreateSession before workloads rely on that endpoint to retrieve credentials.
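The following VPC endpoint policy is an added example, not taken from this announcement or from the IAM Roles Anywhere documentation. It shows the minimal Allow statement that keeps credential retrieval working through the endpoint now that CreateSession is enforced. The Sid is an arbitrary label chosen here; Principal is "*" because CreateSession callers authenticate with an X.509 certificate rather than as an IAM principal, and Resource is left as "*" for brevity.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCreateSessionThroughEndpoint",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "rolesanywhere:CreateSession",
      "Resource": "*"
    }
  ]
}
```

An endpoint policy whose Action list names only management operations (for example, rolesanywhere:ListProfiles and rolesanywhere:GetProfile) previously still let CreateSession through; with this change, such a policy causes CreateSession requests via the endpoint to fail until rolesanywhere:CreateSession or rolesanywhere:* is added. To attach the policy, save it to a file and run `aws ec2 modify-vpc-endpoint --vpc-endpoint-id vpce-0123456789abcdef0 --policy-document file://endpoint-policy.json --region cn-north-1`, substituting your own endpoint ID (the one shown is a placeholder) and the region code for the endpoint (cn-north-1 for Beijing, cn-northwest-1 for Ningxia).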
The CreateSession API lets workloads running outside of Amazon Web Services exchange an X.509 certificate for temporary Amazon Web Services credentials that they use to access Amazon Web Services resources. Previously, VPC endpoint policies applied to all IAM Roles Anywhere API operations except CreateSession, so a policy scoped to management operations did not constrain credential issuance through the endpoint. This launch closes that gap, giving you consistent, fine-grained access control across all IAM Roles Anywhere API operations.
IAM Roles Anywhere is available in the Amazon Web Services China (Beijing) Region, operated by Sinnet, and the Amazon Web Services China (Ningxia) Region, operated by NWCD. To learn more, see the IAM Roles Anywhere User Guide.