From 413f75ce5bc7b5f9443f4ea708c27e6599ef09ff Mon Sep 17 00:00:00 2001
From: vbedi <vbedi@amazon.com>
Date: Thu, 23 Oct 2025 23:47:11 +0000
Subject: [PATCH] Update recommended inline policy and documentation

---
 docs/guides/additional-tags.md                               | 3 ++-
 files/controller-installation/recommended-inline-policy.json | 4 +++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/docs/guides/additional-tags.md b/docs/guides/additional-tags.md
index d07b3af9..749ba3ff 100644
--- a/docs/guides/additional-tags.md
+++ b/docs/guides/additional-tags.md
@@ -39,7 +39,8 @@ For the additional tags functionality to work properly, the IAM role linked to t
     "Effect": "Allow",
     "Action": [
         "tag:TagResources",
-        "tag:UntagResources"
+        "tag:UntagResources",
+        "tag:GetResources"
     ],
     "Resource": "*"
 }
diff --git a/files/controller-installation/recommended-inline-policy.json b/files/controller-installation/recommended-inline-policy.json
index 6741747e..488ea647 100644
--- a/files/controller-installation/recommended-inline-policy.json
+++ b/files/controller-installation/recommended-inline-policy.json
@@ -20,7 +20,9 @@
                 "tag:GetResources",
                 "firehose:TagDeliveryStream",
                 "s3:GetBucketPolicy",
-                "s3:PutBucketPolicy"
+                "s3:PutBucketPolicy",
+                "tag:TagResources",
+                "tag:UntagResources"
             ],
             "Resource": "*"
         },