AWS IAM Release Notes

IAM removed the iam:DeleteVirtualMFADevice permission from the managed policy.

IAM Access Analyzer added support for permission to retrieve information about Amazon ECR account settings and registry policies to the service-level permissions of of AccessAnalyzerServiceRolePolicy.

IAM added two new policies to scope permissions for privileged root user sessions that you can initiate after you centralize root user access for member accounts in your organization.

You can now manage privileged root user credentials across member accounts in AWS Organizations with centralized root access. Centrally secure the root user credentials of your AWS accounts managed using AWS Organizations to remove and prevent root user credential recovery and access at scale.

IAM Access Analyzer added support to configure analyzers to change the scope of which AWS accounts, IAM users, and roles generate findings.

Use an Organizations resource control policy (RCP) to define the maximum permissions for resources within accounts in your organization or organizational unit (OU). RCPs limit permissions that identity-based and resource-based policies can grant to resources in accounts within your organization.

IAM Access Analyzer added support for permission to retrieve information about IAM user and role tags to the service-level permissions of AccessAnalyzerServiceRolePolicy.

IAM Access Analyzer added support for permission to retrieve information about IAM user and role policies to the service-level permissions of AccessAnalyzerServiceRolePolicy.

IAM Access Analyzer added support for permission to retrieve the current state of the block public access for Amazon EC2 snapshots to the service-level permissions of AccessAnalyzerServiceRolePolicy.

IAM Access Analyzer added DynamoDB streams and tables to the service-level permissions of AccessAnalyzerServiceRolePolicy.

IAM Access Analyzer added Amazon S3 directory buckets to the service-level permissions of AccessAnalyzerServiceRolePolicy.

IAM Access Analyzer added IAM actions to the service-level permissions of AccessAnalyzerServiceRolePolicy to support the following actions:

IAM Access Analyzer now provides custom policy checks to validate that IAM policies adhere to your security standards ahead of deployments.

IAM Access Analyzer simplifies inspecting unused access to guide you toward least privilege. IAM Access Analyzer continuously analyzes your accounts to identify unused access and creates a centralized dashboard with findings.

IAM Access Analyzer added permissions to IAMAccessAnalyzerReadOnlyAccess to allow you to check whether updates to your policies grant additional access.

IAM now supports action last accessed information and generates policies with action-level information for over 60 additional services, along with a list of the actions for which action last accessed information is available.

IAM now provides action last accessed information for more than 140 services, along with a list of the actions for which action last accessed information is available.

Now you can to add up to eight MFA devices per user, including FIDO security keys, software time-based one-time password (TOTP) with virtual authenticator applications, or hardware TOTP tokens.

IAM Access Analyzer added support for the following resource types:

Removed mentions of U2F as an MFA option and added information about WebAuthn, FIDO2, and FIDO security keys.

Added information about maintaining access to IAM credentials when an event disrupts communication between AWS Regions.

You can now control access to resources based on the account, Organizational Unit (OU), or organization in AWS Organizations that contains your resources. You can use the aws:ResourceAccount, aws:ResourceOrgID, and aws:ResourceOrgPaths global condition keys in an IAM policy.

Added code examples that show how to use IAM with an AWS software development kit (SDK). The examples are divided into code excerpts that show you how to call individual service functions and examples that show you how to accomplish a specific task by calling multiple functions within the same service.

Updates to the policy evaluation logic flow chart and related text in the Determining whether a request is allowed or denied within an account section.

Added information about the impact of resource-based policies and different principal types in the same account.

Added information about creating administrative users instead of using root user credentials, removed the best practice of using IAM groups to assign permissions to IAM users, and clarified when to use managed policies instead of inline policies.

The differences between single-valued and multivalued condition keys are now explained in more detail. The value type was added to each AWS global condition context key.

IAM Access Analyzer updated an existing AWS managed policy.

IAM Access Analyzer identifies Amazon S3 buckets that allow public and cross-account access, including those that use Amazon S3 Multi-Region Access Points.

IAM Access Analyzer can generate IAM policies with action-level access activity information for additional AWS services.

You can now use IAM Access Analyzer to generate fine-grained policies based on your access activity using a AWS CloudTrail trail in a different account, for example, a centralized AWS Organizations trail.