
IAM Roles Anywhere now enforces VPC endpoint policies for the CreateSession API

Amazon Web Services has enhanced its IAM Roles Anywhere service to enforce Virtual Private Cloud (VPC) endpoint policies for the CreateSession API, closing a significant security gap in access control. Previously, VPC endpoint policies applied to every IAM Roles Anywhere API operation except CreateSession, the operation that lets workloads running outside AWS exchange X.509 certificates for temporary credentials. Because of that exception, organizations could not fully control access to credential generation through their VPC endpoints. With this update, administrators can configure VPC endpoint policies to explicitly allow or deny the CreateSession operation. Unless the Allow statement of a VPC endpoint policy explicitly names CreateSession, or allows all operations with a wildcard such as "rolesanywhere:*", the service will refuse to return temporary AWS credentials for requests that arrive through that VPC endpoint. The enhancement provides consistent, fine-grained access control across all IAM Roles Anywhere API operations and is available in all AWS regions where the service operates, including GovCloud and sovereign cloud regions.
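As an added illustration (not AWS's own policy text or tooling), the two constructed VPC endpoint policies below show a policy that only worked because CreateSession used to bypass endpoint policies, and the corrected policy that names CreateSession explicitly, together with a simplified checker that flags endpoint policies whose Allow statements never cover CreateSession. The checker ignores Condition, NotAction and Resource scoping, and the action names other than CreateSession are assumed from the Roles Anywhere API.

```python
import fnmatch
import json

# Constructed sample: allows only read-style operations. Before this change a
# CreateSession call still succeeded through the endpoint; now it is refused.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["rolesanywhere:GetTrustAnchor", "rolesanywhere:ListProfiles"],
        "Resource": "*",
    }],
})

# Corrected sample: CreateSession is named explicitly ("rolesanywhere:*" would
# also cover it, at the cost of allowing every other operation as well).
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["rolesanywhere:CreateSession", "rolesanywhere:GetTrustAnchor"],
        "Resource": "*",
    }],
})

ACTION = "rolesanywhere:CreateSession"


def _as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value)


def endpoint_policy_allows_create_session(policy_json):
    """Simplified check: True if some Allow statement matches CreateSession
    (explicitly or via a wildcard such as rolesanywhere:* or *) and no Deny
    statement matches it. IAM action matching is case-insensitive, which the
    lower() handles; Condition/NotAction/Resource are ignored, so treat True
    as "worth a closer look", not as a guarantee that the call will succeed."""
    policy = json.loads(policy_json)
    allowed = denied = False
    for stmt in _as_list(policy.get("Statement", [])):
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if any(fnmatch.fnmatchcase(ACTION.lower(), p) for p in patterns):
            allowed |= stmt.get("Effect") == "Allow"
            denied |= stmt.get("Effect") == "Deny"
    return allowed and not denied


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(name, "allows CreateSession:", endpoint_policy_allows_create_session(pol))
```

Running the checker over the endpoint policies of existing Roles Anywhere VPC endpoints identifies the ones that will start refusing credentials after this enforcement change.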

Why It Matters

This security enhancement addresses a critical gap in AWS's identity and access management controls that could have allowed unauthorized credential generation through VPC endpoints. For enterprise security teams managing hybrid cloud environments, this provides more granular control over how external workloads authenticate to AWS services, reducing the risk of credential abuse and ensuring compliance with security policies that require explicit permission grants for sensitive operations.

Note

This summary is generated using AI analysis of the original press release. Always refer to the original source for complete details.