AWS IAM Release Notes
Document history for the AWS IAM User Guide.
- Centrally manage root access for member accounts on November 14, 2024 at 7:00 pm
You can now manage privileged root user credentials across member accounts in AWS Organizations with centralized root access. Centrally secure the root user credentials of your AWS accounts managed using AWS Organizations to remove and prevent root user credential recovery and access at scale.
- AWS managed policy update – New policies on November 14, 2024 at 7:00 pm
IAM added two new policies to scope permissions for privileged root user sessions that you can initiate after you centralize root user access for member accounts in your organization.
- IAM Access Analyzer added access configuration on November 14, 2024 at 7:00 pm
IAM Access Analyzer added support to configure analyzers to change the scope of which AWS accounts, IAM users, and roles generate findings.
- Support for AWS Organizations resource control policies (RCPs) on November 13, 2024 at 7:00 pm
Use an Organizations resource control policy (RCP) to define the maximum permissions for resources within accounts in your organization or organizational unit (OU). RCPs limit permissions that identity-based and resource-based policies can grant to resources in accounts within your organization.
- AccessAnalyzerServiceRolePolicy – Added permissions on October 29, 2024 at 7:00 pm
IAM Access Analyzer added support for permission to retrieve information about IAM user and role tags to the service-level permissions of AccessAnalyzerServiceRolePolicy.
- AccessAnalyzerServiceRolePolicy – Added permissions on May 30, 2024 at 7:00 pm
IAM Access Analyzer added support for permission to retrieve information about IAM user and role policies to the service-level permissions of AccessAnalyzerServiceRolePolicy.
- AccessAnalyzerServiceRolePolicy – Added permissions on January 23, 2024 at 7:00 pm
IAM Access Analyzer added support for permission to retrieve the current state of the block public access for Amazon EC2 snapshots to the service-level permissions of AccessAnalyzerServiceRolePolicy.
- AccessAnalyzerServiceRolePolicy – Added permissions on January 11, 2024 at 7:00 pm
IAM Access Analyzer added DynamoDB streams and tables to the service-level permissions of AccessAnalyzerServiceRolePolicy.
- AccessAnalyzerServiceRolePolicy – Added permissions on December 1, 2023 at 7:00 pm
IAM Access Analyzer added Amazon S3 directory buckets to the service-level permissions of AccessAnalyzerServiceRolePolicy.
- IAM Access Analyzer added custom policy checks on November 26, 2023 at 7:00 pm
IAM Access Analyzer now provides custom policy checks to validate that IAM policies adhere to your security standards ahead of deployments.
- IAM Access Analyzer added unused access analyzers on November 26, 2023 at 7:00 pm
IAM Access Analyzer simplifies inspecting unused access to guide you toward least privilege. IAM Access Analyzer continuously analyzes your accounts to identify unused access and creates a centralized dashboard with findings.
- AccessAnalyzerServiceRolePolicy – Added permissions on November 26, 2023 at 7:00 pm
IAM Access Analyzer added IAM actions to the service-level permissions of AccessAnalyzerServiceRolePolicy to support the following actions:
- IAMAccessAnalyzerReadOnlyAccess – Added permissions on November 26, 2023 at 7:00 pm
IAM Access Analyzer added permissions to IAMAccessAnalyzerReadOnlyAccess to allow you to check whether updates to your policies grant additional access.
- Action last accessed information and policy generation support for over 60 additional services and actions on November 1, 2023 at 7:00 pm
IAM now supports action last accessed information and generates policies with action-level information for over 60 additional services, along with a list of the actions for which action last accessed information is available.
- Action last accessed information support for over 140 services on September 14, 2023 at 7:00 pm
IAM now provides action last accessed information for more than 140 services, along with a list of the actions for which action last accessed information is available.
- Support for multiple multi-factor authentication (MFA) devices for root users and IAM users on November 16, 2022 at 7:00 pm
You can now add up to eight MFA devices per user, including FIDO security keys, software time-based one-time password (TOTP) with virtual authenticator applications, or hardware TOTP tokens.
- IAM Access Analyzer support for new resource types on October 25, 2022 at 7:00 pm
IAM Access Analyzer added support for the following resource types:
- U2F deprecation and WebAuthn/FIDO update on May 31, 2022 at 7:00 pm
Removed mentions of U2F as an MFA option and added information about WebAuthn, FIDO2, and FIDO security keys.
- Updates to resilience in IAM on May 16, 2022 at 7:00 pm
Added information about maintaining access to IAM credentials when an event disrupts communication between AWS Regions.
- New global condition keys for resources on April 27, 2022 at 7:00 pm
You can now control access to resources based on the account, Organizational Unit (OU), or organization in AWS Organizations that contains your resources. You can use the aws:ResourceAccount, aws:ResourceOrgID, and aws:ResourceOrgPaths global condition keys in an IAM policy.
- Code examples for IAM using AWS SDKs on April 7, 2022 at 7:00 pm
Added code examples that show how to use IAM with an AWS software development kit (SDK). The examples are divided into code excerpts that show you how to call individual service functions and examples that show you how to accomplish a specific task by calling multiple functions within the same service.
- Updates to policy evaluation logic flow chart on November 17, 2021 at 7:00 pm
Updates to the policy evaluation logic flow chart and related text in the Determining whether a request is allowed or denied within an account section.
- Updates to policy evaluation logic topic for resource-based policies on October 5, 2021 at 7:00 pm
Added information about the impact of resource-based policies and different principal types in the same account.
- Updates to security best practices on October 5, 2021 at 7:00 pm
Added information about creating administrative users instead of using root user credentials, removed the best practice of using IAM groups to assign permissions to IAM users, and clarified when to use managed policies instead of inline policies.
- Updates to single-valued and multivalued condition keys on September 30, 2021 at 7:00 pm
The differences between single-valued and multivalued condition keys are now explained in more detail. The value type was added to each AWS global condition context key.
- AWS managed policy updates – Update to an existing policy on September 2, 2021 at 7:00 pm
IAM Access Analyzer updated an existing AWS managed policy.
- IAM Access Analyzer supports Amazon S3 Multi-Region Access Points on September 2, 2021 at 7:00 pm
IAM Access Analyzer identifies Amazon S3 buckets that allow public and cross-account access, including those that use Amazon S3 Multi-Region Access Points.
- More services supported for action-level policy generation on August 24, 2021 at 7:00 pm
IAM Access Analyzer can generate IAM policies with action-level access activity information for additional AWS services.
- Generate IAM policies for cross-account trails on August 18, 2021 at 7:00 pm
You can now use IAM Access Analyzer to generate fine-grained policies based on your access activity using an AWS CloudTrail trail in a different account, for example, a centralized AWS Organizations trail.
- Additional IAM Access Analyzer policy checks on June 29, 2021 at 7:00 pm
IAM Access Analyzer extended policy validation by adding new policy checks that validate conditions included in IAM policies. These checks analyze the condition block in your policy statement and report security warnings, errors, and suggestions along with actionable recommendations.
- Action last accessed support for more services on April 19, 2021 at 7:00 pm
You can now view action last accessed information in the IAM console about the last time an IAM principal used an action for the following services: Amazon EC2, IAM, Lambda, and Amazon S3 management actions. You can also use the AWS CLI or AWS API to retrieve a data report. You can use this information to identify unnecessary permissions so that you can refine your IAM policies to better adhere to the principle of least privilege.