

# AWS Launch Wizard security

Cloud security at AWS is the highest priority. As an AWS customer, you benefit from a data center and network architecture that is built to meet the requirements of the most security-sensitive organizations.

Security is a shared responsibility between AWS and you. The [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) describes this as security *of* the cloud and security *in* the cloud:
+ **Security of the cloud** – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides you with services that you can use securely. Third-party auditors regularly test and verify the effectiveness of our security as part of the [AWS Compliance Programs](https://aws.amazon.com/compliance/programs/). To learn about the compliance programs that apply to AWS Launch Wizard, see [AWS Services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/).
+ **Security in the cloud** – Your responsibility is determined by the AWS service that you use. You are also responsible for other factors including the sensitivity of your data, your company’s requirements, and applicable laws and regulations. 

This documentation helps you understand how to apply the shared responsibility model when using AWS Launch Wizard. The following topics show you how to configure Launch Wizard to meet your security and compliance objectives. You also learn how to use other AWS services that help you to monitor and secure your Launch Wizard resources. 

AWS Launch Wizard deploys Amazon EC2 instances into virtual private clouds. For security information for Amazon EC2 and Amazon VPC, see the security sections in the [Amazon EC2 Getting Started Guide](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EC2_Network_and_Security.html) and the [Amazon VPC User Guide](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html).

This section of the Launch Wizard User Guide provides security information that pertains to AWS Launch Wizard. For security topics specific to AWS Launch Wizard for SQL Server, see [Security groups and firewalls](launch-wizard-best-practices.md#launch-wizard-sql-security). For security topics specific to AWS Launch Wizard for SAP, see [Security groups in AWS Launch Wizard for SAP](launch-wizard-sap-security-groups.md). 

**Topics**
+ [Infrastructure security in Launch Wizard](#infrastructure-security)
+ [Resilience in Launch Wizard](#disaster-recovery-resiliency)
+ [Data protection in Launch Wizard](#data-protection)
+ [Identity and Access Management for AWS Launch Wizard](#identity-access-management)
+ [Update management in Launch Wizard](#update-management)
+ [AWS managed policies for AWS Launch Wizard](security-iam-awsmanpol.md)

## Infrastructure security in Launch Wizard

As a managed service, AWS Launch Wizard is protected by the AWS global network security. For information about AWS security services and how AWS protects infrastructure, see [AWS Cloud Security](https://aws.amazon.com/security/). To design your AWS environment using the best practices for infrastructure security, see [Infrastructure Protection](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/infrastructure-protection.html) in *Security Pillar AWS Well‐Architected Framework*.

## Resilience in Launch Wizard

The AWS global infrastructure is built around AWS Regions and Availability Zones. Regions provide multiple physically separated and isolated Availability Zones, which are connected through low-latency, high-throughput, and highly redundant networking. With Availability Zones, you can design and operate applications and databases that automatically fail over between Availability Zones without interruption. Availability Zones are more highly available, fault tolerant, and scalable than traditional single or multiple data center infrastructures.

For more information about AWS Regions and Availability Zones, see [AWS Global Infrastructure](https://aws.amazon.com/about-aws/global-infrastructure/).

AWS Launch Wizard sets up an application across multiple Availability Zones to ensure automatic failover between Availability Zones without interruption. Availability Zones are more highly available, fault tolerant, and scalable than traditional single or multiple datacenter infrastructures. 

## Data protection in Launch Wizard

The AWS [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) applies to data protection in AWS Launch Wizard. As described in this model, AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud. You are responsible for maintaining control over your content that is hosted on this infrastructure. You are also responsible for the security configuration and management tasks for the AWS services that you use. For more information about data privacy, see the [Data Privacy FAQ](https://aws.amazon.com/compliance/data-privacy-faq/). For information about data protection in Europe, see the [AWS Shared Responsibility Model and GDPR](https://aws.amazon.com/blogs/security/the-aws-shared-responsibility-model-and-gdpr/) blog post on the *AWS Security Blog*.

For data protection purposes, we recommend that you protect AWS account credentials and set up individual users with AWS IAM Identity Center or AWS Identity and Access Management (IAM). That way, each user is given only the permissions necessary to fulfill their job duties. We also recommend that you secure your data in the following ways:
+ Use multi-factor authentication (MFA) with each account.
+ Use SSL/TLS to communicate with AWS resources. We require TLS 1.2 and recommend TLS 1.3.
+ Set up API and user activity logging with AWS CloudTrail. For information about using CloudTrail trails to capture AWS activities, see [Working with CloudTrail trails](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-trails.html) in the *AWS CloudTrail User Guide*.
+ Use AWS encryption solutions, along with all default security controls within AWS services.
+ Use advanced managed security services such as Amazon Macie, which assists in discovering and securing sensitive data that is stored in Amazon S3.
+ If you require FIPS 140-3 validated cryptographic modules when accessing AWS through a command line interface or an API, use a FIPS endpoint. For more information about the available FIPS endpoints, see [Federal Information Processing Standard (FIPS) 140-3](https://aws.amazon.com/compliance/fips/).

We strongly recommend that you never put confidential or sensitive information, such as your customers' email addresses, into tags or free-form text fields such as a **Name** field. This includes when you work with Launch Wizard or other AWS services using the console, API, AWS CLI, or AWS SDKs. Any data that you enter into tags or free-form text fields used for names may be used for billing or diagnostic logs. If you provide a URL to an external server, we strongly recommend that you do not include credentials information in the URL to validate your request to that server.
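The following pre-deployment check illustrates the recommendation above. It is an added example, not AWS code: it scans tag keys, tag values, and name fields for email addresses and for URLs that carry credentials. The sample tags, the regular expressions, and the list of credential-like query parameter names are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
URL_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*://\S+")
# Assumed list of query parameter names that usually carry credentials.
CREDENTIAL_PARAMS = {"password", "passwd", "token", "secret", "api_key", "access_key"}

# Constructed sample: tags and a Name field as they might be entered for a deployment.
SAMPLE_TAGS = {
    "Name": "sql-node-1 (owner jane.doe@example.com)",
    "LaunchWizardApplicationType": "example-app",
    "ArtifactSource": "https://deploy:S3cr3t@repo.example.com/scripts/post.sh",
    "HealthCheck": "https://status.example.com/ping?token=abc123",
    "CostCenter": "cc-4411",
    "Docs": "https://docs.example.com/runbook",
}


def url_carries_credentials(url):
    """True if the URL has a userinfo part or a credential-like query parameter."""
    try:
        parts = urlsplit(url)
        has_userinfo = parts.username is not None or parts.password is not None
    except ValueError:
        return False  # not parseable as a URL, nothing to report
    names = {name.lower() for name, _ in parse_qsl(parts.query, keep_blank_values=True)}
    return has_userinfo or bool(names & CREDENTIAL_PARAMS)


def scan_fields(fields):
    """Return (field, part, reason) tuples for every key or value that should be changed."""
    findings = []
    for name, value in fields.items():
        for part, text in (("key", name), ("value", value)):
            text = str(text)
            if any(url_carries_credentials(u) for u in URL_RE.findall(text)):
                findings.append((name, part, "credentials in URL"))
            # Remove URLs first so user:password@host is not reported twice as an email.
            if EMAIL_RE.search(URL_RE.sub(" ", text)):
                findings.append((name, part, "email address"))
    return findings


if __name__ == "__main__":
    for finding in scan_fields(SAMPLE_TAGS):
        print(finding)
```
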

### Encryption with AWS managed keys and customer managed keys


AWS Launch Wizard for Active Directory, SQL Server, and SAP use the default AWS managed keys to encrypt Amazon EBS volumes. Launch Wizard for SAP also supports the use of customer managed keys that you have already created.

If you don't specify a customer managed key, Launch Wizard for SAP automatically creates an AWS managed key in your AWS account.

If you want to use a customer managed key for Launch Wizard for SAP, see the steps for adding permissions to your KMS key policy for Launch Wizard to use your KMS key at [Add permissions to use AWS KMS keys](launch-wizard-sap-setting-up.md#launch-wizard-sap-iam-encryption) in the *Launch Wizard for SAP User Guide*.

Creating your own customer managed key gives you more flexibility and control. For example, you can create, rotate, and disable customer managed keys. You can also define access controls and audit the customer managed keys that you use to protect your data. For more information about customer managed keys and AWS managed keys, see [AWS KMS concepts](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html) in the *AWS Key Management Service Developer Guide*.

## Identity and Access Management for AWS Launch Wizard

AWS Launch Wizard uses the following AWS managed policies to grant permissions to users and services.
+ **AmazonEC2RolePolicyForLaunchWizard**

  AWS Launch Wizard creates an IAM role with the name **AmazonEC2RoleForLaunchWizard** in your account if the role does not already exist in your account. If the role exists, the role is attached to the instance profile for the Amazon EC2 instances that Launch Wizard will launch into your account. This role is comprised of two IAM managed policies: **AmazonSSMManagedInstanceCore** and **AmazonEC2RolePolicyForLaunchWizard**.

  When you choose to deploy your SAP application with AWS Backint Agent for SAP HANA, you must attach the IAM inline policy provided in [Step 2 of the AWS Identity and Access Management documentation for AWS Backint Agent for SAP HANA](https://docs.aws.amazon.com/sap/latest/sap-hana/aws-backint-agent-prerequisites.html#aws-backint-agent-iam). This policy and instructions to attach the policy to the role are provided by Launch Wizard.
+ **AmazonSSMManagedInstanceCore**

   This policy enables AWS Systems Manager service core functionality on Amazon EC2. For information, see [Create an IAM Instance Profile for Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-profile.html).
+ **AmazonLaunchWizardFullAccessV2**

  This policy provides full access to AWS Launch Wizard and other required services. 
+ **AWSLambdaVPCAccessExecutionRole**

  This policy provides minimum permissions for a Lambda function to execute while accessing a resource within a VPC. These permissions include create, describe, delete network interfaces, and write permissions to CloudWatch Logs.
+ **AmazonLambdaRolePolicyForLaunchWizardSAP**

  This policy provides minimum permissions to enable SAP provisioning scenarios on Launch Wizard. It allows invocation of Lambda functions to perform certain actions, such as validating route tables and performing pre-configuration and configuration tasks for enabling HA mode.
+ To run custom pre- and post-configuration deployment scripts, you must manually add the permissions provided in [Add permissions to run custom pre- and post-deployment configuration scripts](launch-wizard-sap-setting-up.md#launch-wizard-sap-iam-scripts) to the `AmazonEC2RoleForLaunchWizard` role.
+ To save generated artifacts from Launch Wizard for SAP to Amazon S3, and your S3 bucket name does not include the prefix `launchwizard`, you must attach the policy provided in [Add permissions to save deployment artifacts to Amazon S3](launch-wizard-sap-setting-up.md#launch-wizard-sap-iam-s3-artifacts) to the IAM user. 
+ To grant permissions for users to launch AWS Service Catalog products created with Launch Wizard for SAP, follow the steps in [Set up to launch AWS Service Catalog products created with AWS Launch Wizard](launch-wizard-sap-service-catalog-setup.md).
+ To grant permissions to AWS Service Catalog to create a launch constraint for users who want to launch an AWS Service Catalog product created by Launch Wizard for SAP, follow the steps in [Create a launch constraint](launch-wizard-sap-service-catalog-constraint.md).

If you deploy domain controllers into an existing VPC with an existing Active Directory, Launch Wizard for Active Directory requires domain administrator credentials to be added to Secrets Manager in order to join your domain controllers to Active Directory and promote them. In addition, the following resource policy must be attached to the secret so that Launch Wizard can access the secret. Launch Wizard guides you through the process of attaching the required policy to your secret.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:role/service-role/AmazonEC2RoleForLaunchWizard"
            },
            "Action": [
                "secretsmanager:GetSecretValue",
                "secretsmanager:CreateSecret",
                "secretsmanager:GetRandomPassword"
            ],
            "Resource": "*"
        }
    ]
}
```
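The secret holds domain administrator credentials, so it is worth confirming that the policy actually attached to it grants nothing beyond the statement shown above. The following audit is an added example, not AWS code: it parses a resource policy offline and reports any Allow statement whose principal is not the Launch Wizard role or whose actions go beyond the three listed on this page. The second policy is a constructed counter-example, and the function names are assumptions.

```python
import json

# Role ARN and action list are the ones in the page's resource policy.
ROLE_ARN = "arn:aws:iam::111122223333:role/service-role/AmazonEC2RoleForLaunchWizard"
DOCUMENTED_ACTIONS = {
    "secretsmanager:getsecretvalue",
    "secretsmanager:createsecret",
    "secretsmanager:getrandompassword",
}

PAGE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/service-role/AmazonEC2RoleForLaunchWizard"},
    "Action": ["secretsmanager:GetSecretValue", "secretsmanager:CreateSecret",
               "secretsmanager:GetRandomPassword"],
    "Resource": "*"
  }]
}
""")

# Constructed counter-example: a single statement object (valid policy JSON)
# that opens the secret to any principal and to every Secrets Manager action.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "TooWide",
        "Effect": "Allow",
        "Principal": {"AWS": ["*", "arn:aws:iam::111122223333:root"]},
        "Action": ["secretsmanager:*", "secretsmanager:DeleteSecret"],
        "Resource": "*",
    },
}


def as_list(value):
    """Policy JSON accepts a single item wherever a list is allowed."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_secret_policy(policy, expected_role_arn):
    """Return findings for Allow statements; an empty list means the policy
    names only expected_role_arn and only the documented actions."""
    findings = []
    for idx, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        label = stmt.get("Sid", f"statement[{idx}]")
        if "NotPrincipal" in stmt or "NotAction" in stmt:
            findings.append(f"{label}: NotPrincipal/NotAction grants by exclusion")

        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principals = [p for v in principal.values() for p in as_list(v)]
        else:
            principals = as_list(principal)  # the bare "*" form, or missing
        if not principals:
            findings.append(f"{label}: no Principal element")
        for p in principals:
            if p == "*":
                findings.append(f"{label}: wildcard principal")
            elif p != expected_role_arn:
                findings.append(f"{label}: unexpected principal {p}")

        for action in as_list(stmt.get("Action")):
            if "*" in action or "?" in action:
                findings.append(f"{label}: wildcard action {action}")
            elif action.lower() not in DOCUMENTED_ACTIONS:  # action names are case-insensitive
                findings.append(f"{label}: action {action} is not in the documented set")
    return findings


if __name__ == "__main__":
    for name, doc in (("page policy", PAGE_POLICY), ("constructed policy", OVERBROAD_POLICY)):
        print(name, audit_secret_policy(doc, ROLE_ARN) or "OK")
```
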


## Update management in Launch Wizard

We recommend that you regularly patch, update, and secure the operating system and applications on your EC2 instances. You can use [AWS Systems Manager Patch Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-patch.html) to automate the process of installing security-related updates for both the operating system and applications. Alternatively, you can use any automatic update services or recommended processes for installing updates that are provided by the application vendor.

# AWS managed policies for AWS Launch Wizard

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining [customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

**Topics**
+ [AmazonLaunchWizardFullAccessV2](#security-iam-awsmanpol-AmazonLaunchWizardFullAccessV2)
+ [AmazonEC2RolePolicyForLaunchWizard](#security-iam-awsmanpol-AmazonEC2RolePolicyForLaunchWizard)
+ [Policy updates](#security-iam-awsmanpol-updates)

## AWS managed policy: AmazonLaunchWizardFullAccessV2

You can attach the `AmazonLaunchWizardFullAccessV2` policy to your IAM identities.

This policy grants administrative permissions that allow full access to AWS Launch Wizard and other required services. To view the managed policy content, see the [AmazonLaunchWizardFullAccessV2](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonLaunchWizardFullAccessV2.html) page in the *AWS Managed Policy Reference Guide*.

**Permissions details**

This policy includes the following permissions.
+ `launchwizard` – Allows all Launch Wizard actions.
+ `applicationinsights` – Allows all CloudWatch Application Insights actions. This permission is required so that an application can be tracked and configured by CloudWatch Application Insights, which provides Launch Wizard with more visibility and insight into the service through functionality such as monitoring and data analysis.
+ `route53` – Allows changing and listing resource record sets, listing hosted zones, and listing hosted zones by name. This is required so that scripts running on instances in your account for SAP deployments can perform these actions.
+ `s3` – Allows all get or list operations for all resources, and allows for creation, deletion, and getting objects from a bucket, and putting objects in a bucket for certain Launch Wizard and SAP resources. This is required so that the Launch Wizard service can both view and update buckets and contents in Amazon S3 for tasks such as reading and storing scripts that are run on instances in its deployments.
+ `kms` – Allows listing all AWS KMS keys and aliases. This is required so that Launch Wizard can view keys and aliases in your account.
+ `cloudwatch` – Allows all get, list, or describe actions for all resources, and allows Launch Wizard alarms and instance profiles to be created, updated, deleted, or described. This is required so that Launch Wizard can create and manage alarms to track metrics.
+ `ec2` – Allows creation of all security groups, authorization of ingress rules for all security groups, all get or describe operations, and creation of all VPCs, NAT/internet gateways, subnets, routes/route tables, and key pairs. Allows instances from the CloudFormation stacks in Launch Wizard deployments to be stopped or terminated. Allows anything called from the Launch Wizard endpoint to perform other Amazon EC2 actions. This is required so that all EC2-related resources deployed from the Launch Wizard CloudFormation stacks can be appropriately created and managed.
+ `cloudformation` – Allows all Launch Wizard and CloudWatch Application Insights CloudFormation stacks to be described and listed. Allows all get operations, all resources to be signaled, and all Launch Wizard stacks to be deleted. Allows all stacks to be created, and allows describe account limits, describe stack drift detection status, all list operations, and tagging of resources with all tag keys, starting with "LaunchWizard". This is required so that Launch Wizard can create CloudFormation stacks in your account, so that the stacks are appropriately signaled, and so that you can view and delete those stacks. 
+ `iam` – Allows Launch Wizard EC2 roles and instance profiles to be created and deleted and attached/detached. Allows Launch Wizard EC2 and AWS Lambda roles and instance profiles to be passed a role as long as it is passed to Lambda or EC2. Allows get operations for all roles or policies, all list operations, and all roles linked to Amazon EC2 Auto Scaling, CloudWatch Application Insights, or Amazon EventBridge to be created. This is required so that Launch Wizard can create necessary roles and attach the appropriate policies to them to ensure that resources in the Launch Wizard CloudFormation stacks and elsewhere in the service have the appropriate permissions.
+ `autoscaling` – Allows Launch Wizard Auto Scaling groups, launch configurations, and associated tags, to be created, deleted, and updated. This is required so that the Launch Wizard SQL CloudFormation stacks can perform these actions for the RDGW nodes in its deployments.
+ `logs` – Allows log groups with names beginning with `LaunchWizard` to be created and deleted. Allows log streams, log events, and tags to be created, listed, and deleted for log groups with names that begin with `LaunchWizard`. This is required so that Launch Wizard can publish logs to your account so that you can view the events from their deployments.
+ `sns` – Allows Launch Wizard Amazon SNS topics to be created, deleted, subscribed to, and unsubscribed from. Allows all Amazon SNS subscriptions to be listed and messages to be published. This is required so that the Launch Wizard Amazon SNS queues can send signals between resources and so that Launch Wizard Lambda functions know when to proceed with steps in their event-based workflows.
+ `resource-groups` – Allows resource groups whose names begin with "LaunchWizard" to be created, deleted, or listed. This is required so that Launch Wizard resources can be grouped together in a resource group, and so that the groups can be viewed or deleted.
+ `ds` – Allows creation and deletion of a Microsoft Active Directory, adding IP routes, and all describe operations. This is required so that Active Directories can be created, deleted, and viewed in Launch Wizard SQL Server deployments, and so that IP routes can be added to them.
+ `sqs` – Allows all queues with "SQS" in the name to be tagged, listed, created, and deleted. Allows any queue attributes to be set and read, and for the queue URL to be read and permissions added. This is required so that Launch Wizard SAP deployments can have a queue in the deployment on which these actions can be performed.
+ `elasticfilesystem` – Allows all Amazon Elastic File System (Amazon EFS) resources, and associated tags, to be created, deleted, and described. Allows mount targets to be created, deleted, and described. This is required so that Launch Wizard SAP deployments can create file systems in your account with the appropriate mount targets.
+ `lambda` – Allows AWS Lambda functions with "LaunchWizard" in the name to be created, deleted, read, and invoked. This is required so that Launch Wizard SAP deployments can perform some Lambda functions at the end of CloudFormation stacks for configuration in your account or for parameter validation.
+ `dynamodb` – Allows all tables with a name starting with "LaunchWizard" to be created, deleted, or described. This is required so that Launch Wizard scripts for SAP can publish events and metadata from the events of the running threads into an Amazon DynamoDB table in your account.
+ `secretsmanager` – Allows all secrets with a name starting with "LaunchWizard" to be created, deleted, retrieved, and restored, all resources to be tagged or untagged, all resource policies to be created and deleted, secret version IDs to be listed, and secret values to be updated. Allows all random passwords to be generated and all secrets to be listed. This is required so that secrets can be created in your account to perform operations, such as decrypting a password in order to RDP into an instance from their deployment.
+ `fsx` – Allows Amazon FSx file systems to be created by Launch Wizard. Allows describing file system properties, listing all tags on the Amazon FSx file share, adding and removing tags. Allows deleting file systems and volumes where tags include `LaunchWizard` in the CloudFormation stack-id tag.
+ `servicecatalog` – Allows for the creation of AWS Service Catalog portfolios, products, and launch constraints. Allows for associated tags to be created and deleted. Allows for the association between a product and portfolio, and also the association between the IAM principal of a user and a portfolio.
+ `ssm` – Allows for all get, list, tag, execute, and delete operations for all SSM resources. This is required so that Launch Wizard can create, run, and delete SSM resources on your behalf to configure your Amazon EC2 instances for application provisioning. Allows Launch Wizard to create and delete associations using the `AWS-ConfigureAWSPackage` document, which allows AWS Data Provider for SAP installations.

**Note**  
`arn:aws:s3:::launchwizard*` and `arn:aws:s3:::launchwizard*/*` are redundant permissions. Both permissions are present for historical purposes and do not impact security.

## AWS managed policy: AmazonEC2RolePolicyForLaunchWizard

This policy grants administrative permissions that allow all AWS Launch Wizard actions to be performed. To view the managed policy content, see the [AmazonEC2RolePolicyForLaunchWizard](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonEC2RolePolicyForLaunchWizard.html) page in the *AWS Managed Policy Reference Guide*.

**Permissions details**

This policy includes the following permissions.
+ `launchwizard` – Allows all Launch Wizard actions.
+ `ec2` – Allows starting, stopping, and rebooting instances, and attaching volumes to all instances with the `LaunchWizardResourceGroupID` tag. Allows replacing route table for all instances with the `LaunchWizardApplicationType` resource tag. Allows all resources to describe and associate IP addresses, describe instances, images, Regions, volumes, and route tables, and modify instance attributes for all resources. Allows creating tags and volumes for all resources with the `LaunchWizardResourceType` or `LaunchWizardResourceGroupID` tags.
+ `cloudwatch` – Allows for getting and writing metrics to CloudWatch. This is required so that CloudWatch can write logs for all resources.
+ `s3` – Allows all get or list operations for all resources, and allows for creation, deletion, and getting objects from a bucket, and putting objects in a bucket for certain Launch Wizard and SAP resources. This is required so that the Launch Wizard service can both view and update buckets and contents in Amazon S3 for tasks such as reading and storing scripts that are run on instances in its deployments.
+ `ssm` – Allows sending commands to all Amazon EC2 instances with the `LaunchWizardApplicationType` resource tag. Allows getting a document. These actions are required to run the Backint install agent SSM document for SAP.
+ `logs` – Allows all log groups or log streams for all write and read log events. This is required so that Launch Wizard can publish logs to your account so that you can view the events from their deployments.
+ `cloudformation` – Allows all Launch Wizard and CloudWatch Application Insights CloudFormation stacks to be described and listed. Allows all get operations and for all resources to be signaled. This is required so that the stacks are appropriately signaled by CloudFormation. 
+ `dynamodb` – Allows all tables with a name starting with "LaunchWizard" to be created, deleted, or described. This is required so that Launch Wizard scripts for SAP can publish events and metadata from the events of the running threads into an Amazon DynamoDB table in your account.
+ `sqs` – Allows sending and receiving messages from Amazon SQS queues. This is required so that Launch Wizard SAP deployments can have a queue in the deployment on which these actions can be performed.
+ `iam` – Allows Launch Wizard EC2 roles and instance profiles to be created and deleted and attached/detached. Allows Launch Wizard EC2 and AWS Lambda roles and instance profiles to be passed a role as long as it is passed to Lambda or EC2. Allows get operations for all roles or policies, all list operations, and all roles linked to Amazon EC2 Auto Scaling, CloudWatch Application Insights, or Amazon EventBridge to be created. This is required so that Launch Wizard can create necessary roles and attach the appropriate policies to them to ensure that resources in the Launch Wizard CloudFormation stacks and elsewhere in the service have the appropriate permissions.
+ `fsx` – Allows describing file systems and listing tags on file systems on any Amazon FSx resource tagged with the `LaunchWizard` tag. This is required so that Launch Wizard can retrieve the FSX DNS and administration endpoints to create the FCI SQL cluster.

## AWS Launch Wizard updates to AWS managed policies

View details about updates to AWS managed policies for AWS Launch Wizard since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the AWS Launch Wizard Document history page.




| Change | Description | Date | 
| --- | --- | --- | 
|  [AmazonEC2RolePolicyForLaunchWizard](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonEC2RolePolicyForLaunchWizard.html) – Policy update  | AWS Launch Wizard added a new permission to the policy for the `InstallBackintForAWSBackup` Systems Manager document. It enables the Systems Manager document to install AWS Backint agent for AWS Backup. | September 25, 2024 | 
|  [AmazonLaunchWizardFullAccessV2](#security-iam-awsmanpol-AmazonLaunchWizardFullAccessV2) – New policy  | AWS Launch Wizard added this new policy to replace the AmazonLaunchWizard_Fullaccess policy. This policy grants administrative permissions that allow full access to Launch Wizard and other required services. | September 1, 2023 | 
|  AmazonLaunchWizard_Fullaccess – Policy deprecation  | This policy has been replaced by AmazonLaunchWizardFullAccessV2.  | August 23, 2023 | 
|  AmazonLaunchWizard_Fullaccess – Update to an existing policy  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/security-iam-awsmanpol.html)  | February 23, 2023 | 
|  AmazonLaunchWizard_Fullaccess – Update to an existing policy  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/security-iam-awsmanpol.html)  | January 12, 2023 | 
|  [AmazonEC2RolePolicyForLaunchWizard](#security-iam-awsmanpol-AmazonEC2RolePolicyForLaunchWizard) – Update to an existing policy  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/security-iam-awsmanpol.html)  | May 17, 2022 | 
|  AmazonLaunchWizard_Fullaccess – Update to an existing policy  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/security-iam-awsmanpol.html)  | April 12, 2022 | 
|  AmazonLaunchWizard_Fullaccess – Update to an existing policy  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/security-iam-awsmanpol.html)  | February 9, 2022 | 
|  **AmazonLambdaRoleForLaunchWizard** – Policy deprecation  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/security-iam-awsmanpol.html)  | February 7, 2022 | 
|  [AmazonEC2RolePolicyForLaunchWizard](#security-iam-awsmanpol-AmazonEC2RolePolicyForLaunchWizard) – Update to an existing policy  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/security-iam-awsmanpol.html)  | February 7, 2022 | 
|  AmazonLaunchWizard_Fullaccess – Update to an existing policy  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/security-iam-awsmanpol.html)  | August 30, 2021 | 
|  [AmazonEC2RolePolicyForLaunchWizard](#security-iam-awsmanpol-AmazonEC2RolePolicyForLaunchWizard) – Update to an existing policy  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/security-iam-awsmanpol.html)  | May 21, 2021 | 
|  AmazonLaunchWizard_Fullaccess – Update to an existing policy  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/security-iam-awsmanpol.html)  | April 30, 2021 | 
|  AWS Launch Wizard started tracking changes  |  AWS Launch Wizard started tracking changes for its AWS managed policies.  | April 30, 2021 | 