A number of new features (Endpoint Access Gateway, Medium Duty SDX) have resulted in CDP exercising a set of AWS APIs that were not used earlier. The default cross account role (available via the CDP Documentation) already includes these APIs and no action is required. However, customers who are running a custom cross account role policy may need to update their policy to ensure they have added the following actions. Failure to do so will result in environment creation operations failing.
cloudformation:UpdateStack
cloudformation:ListStackResources
elasticloadbalancing:DescribeLoadBalancers
elasticloadbalancing:DescribeTargetHealth
elasticloadbalancing:RegisterTargets
elasticloadbalancing:DeregisterTargets
For details on how to find the AWS Cross Account role for your environment, please see the documentation on how to change an environment's credential. For details on finding the Amazon Resource Name of the AWS IAM Role, please see the documentation on modifying a provisioning credential.
