Updates to cross-region secret replication permissions

The permission requirements for cross-region secret replication in the Secret Management Service have been simplified as follows:

• You're no longer required to add or update IAM policies to include the SECRET_REPLICATE permission for secret replication to function.
• You can delete the SECRET_CREATE permission from the resource principal used for secret replication as it's no longer required.

Review and update applicable IAM permissions if you previously granted the SECRET_CREATE permission to secret resource principals solely for replication purposes. You can safely remove it.

You don't need to change existing IAM policies to include the SECRET_REPLICATE permission in order for secret replication to work. The service now manages this permission automatically.

To learn more about secret replication and required permissions, see Secret Replication in the user guide.