edit

bmcelvee · bmcelvee · commit 23c8aea6081f · 2025-03-28T15:28:02.000-04:00
diff --git a/authentication/rosa-aws-managed-policy-reference.adoc b/authentication/rosa-aws-managed-policy-reference.adoc
@@ -1,13 +1,12 @@
 :_mod-docs-content-type: ASSEMBLY
 [id="rosa-aws-managed-policy-reference"]
-= AWS roles and managed policy reference 
+= AWS managed policies and roles reference guide
 include::_attributes/common-attributes.adoc[]
 :context: rosa-aws-managed-policy-reference
 
 toc::[]
 
-The roles and policies used by {product-title} (ROSA)
-can be divided into account-wide roles and policies and Operator roles and policies.
+The roles and AWS managed policies used by {product-title} (ROSA) can be divided into account-wide roles and policies and Operator roles and policies.
 
 The policies determine the allowed actions for each of the roles.
 ifdef::openshift-rosa[]
@@ -17,10 +16,10 @@ ifdef::openshift-rosa-hcp[]
 See xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-about-iam-resources[About IAM resources] for more details about the individual roles and policies. See xref:../rosa_planning/rosa-hcp-prepare-iam-roles-resources.adoc#rosa-hcp-prepare-iam-roles-resources[Required IAM roles and resources] for more details on preparing these resources in your cluster.
 endif::openshift-rosa-hcp[]
 
-link:https://docs.aws.amazon.com/rosa/latest/userguide/security-iam-awsmanpol.html[AWS managed policies] are created and administered by AWS. The permissions defined within the AWS managed policies cannot be changed. They are used as part of the AWS STS security process that you can use to assign permissions to users, groups, and roles.
-
 [NOTE]
 ====
+link:https://docs.aws.amazon.com/rosa/latest/userguide/security-iam-awsmanpol.html[AWS managed policies] are created and administered by AWS. The permissions defined within the AWS managed policies cannot be changed. They are used as part of the AWS STS security process that you can use to assign permissions to users, groups, and roles.
+
 If the permissions defined in an AWS managed policy are updated by AWS, the update will apply to all users, groups, and roles related to the policy. 
 ====
 
diff --git a/modules/rosa-roles-and-policies.adoc b/modules/rosa-roles-and-policies.adoc
@@ -4,33 +4,68 @@
 
 :_mod-docs-content-type: REFERENCE
 [id="rosa-roles-and-policies_{context}"]
-= ROSA AWS managed policies and roles
+= AWS managed policies and roles
 
-.Account-wide AWS-managed policies
+[id="aws-managed-policies"]
+== Account-wide AWS managed policies
+
+.AWS managed policies
+[options="header",cols="2*"]
+|===
+| Policy 
+| Description 
 
 ifdef::openshift-rosa-hcp[]
-* link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAManageSubscription.html[ROSAManageSubscription]
-* link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAInstallerPolicy.html[ROSAInstallerPolicy]
-* link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAWorkerInstancePolicy.html[ROSAWorkerInstancePolicy]
-* link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSASRESupportPolicy.html[ROSASRESupportPolicy]
-* link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAIngressOperatorPolicy.html[ROSAIngressOperatorPolicy]
-* link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAAmazonEBSCSIDriverOperatorPolicy.html[ROSAAmazonEBSCSIDriverOperatorPolicy]
-* link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSACloudNetworkConfigOperatorPolicy.html[ROSACloudNetworkConfigOperatorPolicy]
-* link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAControlPlaneOperatorPolicy.html[ROSAControlPlaneOperatorPolicy]
-* link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAImageRegistryOperatorPolicy.html[ROSAImageRegistryOperatorPolicy]
-* link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAKMSProviderPolicy.html[ROSAKMSProviderPolicy]
-* link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAKubeControllerPolicy.html[ROSAKubeControllerPolicy]
-* link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSANodePoolManagementPolicy.html[ROSANodePoolManagementPolicy]
+| link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAManageSubscription.html[`ROSAManageSubscription`]
+| `ROSAManageSubscription` grants the AWS Marketplace permissions required for you to manage the ROSA subscription.
+
+| link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAWorkerInstancePolicy.html[ROSAWorkerInstancePolicy]
+| You must have the ROSA worker AWS Identity Access Management (IAM) role with `ROSAWorkerInstancePolicy` attached before creating a cluster. 
+
+| link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSASRESupportPolicy.html[ROSASRESupportPolicy]
+| You must attach `ROSASRESupportPolicy` to a support IAM role before creating a cluster. `ROSASRESupportPolicy` grants required permissions to Red Hat site reliability engineers (SREs) to directly observe, diagnose, and support AWS resources associated with ROSA clusters, including the ability to change ROSA cluster node state.
+
+| link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAInstallerPolicy.html[ROSAInstallerPolicy]
+| You must attach `ROSAInstallerPolicy` to an IAM role named `<prefix>-ROSA-Worker-Role` before creating a cluster. `ROSAInstallerPolicy` allows the addition of any role that follows the `<prefix>-ROSA-Worker-Role` pattern to an instance profile. `ROSAInstallerPolicy` grants required permissions to the installer to manage AWS resources that support ROSA cluster installation.
+
+| link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAIngressOperatorPolicy.html[ROSAIngressOperatorPolicy]
+| describe
+
+| link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAAmazonEBSCSIDriverOperatorPolicy.html[ROSAAmazonEBSCSIDriverOperatorPolicy]
+| describe
+
+| link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSACloudNetworkConfigOperatorPolicy.html[ROSACloudNetworkConfigOperatorPolicy]
+| describe
+
+| link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAControlPlaneOperatorPolicy.html[ROSAControlPlaneOperatorPolicy]
+| describe
+
+| link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAImageRegistryOperatorPolicy.html[ROSAImageRegistryOperatorPolicy]
+| describe
+
+| link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAKMSProviderPolicy.html[ROSAKMSProviderPolicy]
+| describe
+
+| link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAKubeControllerPolicy.html[ROSAKubeControllerPolicy]
+| describe
+
+| link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSANodePoolManagementPolicy.html[ROSANodePoolManagementPolicy]
+| describe
+
+|===
+
+For the full `JSON` information for the AWS managed policies, see the link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/about-managed-policy-reference.html[AWS Managed Policy Reference guide]. 
 endif::openshift-rosa-hcp[]
 
 ifdef::openshift-rosa[]
-For the full `JSON` information for the following policies, see link:https://docs.aws.amazon.com/rosa/latest/userguide/security-iam-rosa-classic-account-policies.html#security-iam-id-based-policy-examples-rosa-classic-support-policy[the AWS _ROSA classic account policies_ documentation].
+For the full `JSON` information for the following policies, see the link:https://docs.aws.amazon.com/rosa/latest/userguide/security-iam-rosa-classic-account-policies.html#security-iam-id-based-policy-examples-rosa-classic-support-policy[AWS _ROSA classic account policies_ documentation].
 
 * link:https://docs.aws.amazon.com/rosa/latest/userguide/security-iam-rosa-classic-account-policies.html#security-iam-id-based-policy-examples-rosa-classic-installer-policy[<prefix>-Installer-Role-Policy]
 * link:https://docs.aws.amazon.com/rosa/latest/userguide/security-iam-rosa-classic-account-policies.html#security-iam-id-based-policy-examples-rosa-classic-control-plane-policy[<prefix>-ControlPlane-Role-Policy]
 * link:https://docs.aws.amazon.com/rosa/latest/userguide/security-iam-rosa-classic-account-policies.html#security-iam-id-based-policy-examples-rosa-classic-worker-policy[<prefix>-Worker-Role-Policy]
 * link:https://docs.aws.amazon.com/rosa/latest/userguide/security-iam-rosa-classic-account-policies.html#security-iam-id-based-policy-examples-rosa-classic-support-policy[<Prefix>-Support-Role-Policy]
 endif::openshift-rosa[]
+|===
 
 .Operator roles
 
