AWS systems-manager-automation-runbooks documentation change
Summary
Added documentation for S3BucketLog and runCommandAssumeRole parameters requiring IAM permissions for command execution logging
Security assessment
Documents security-related parameters for proper IAM role configuration and S3 access controls, but does not indicate a specific vulnerability being fixed
Diff
diff --git a/systems-manager-automation-runbooks/latest/userguide/automation-awsec2-patch-load-balancer-instance.md b/systems-manager-automation-runbooks/latest/userguide/automation-awsec2-patch-load-balancer-instance.md index e131601a4..c3a01dd0d 100644 --- a/systems-manager-automation-runbooks/latest/userguide/automation-awsec2-patch-load-balancer-instance.md +++ b/systems-manager-automation-runbooks/latest/userguide/automation-awsec2-patch-load-balancer-instance.md @@ -56,0 +57,12 @@ Description: (Optional) The connection draining time of the load balancer, in mi + * **S3BucketLog** + +Type: String + +Description: (Optional) The name of the Amazon S3 bucket to use to store the command output responses. You can specify a bucket that you own or a bucket that is shared with you. If you provide this parameter, you must also provide **runCommandAssumeRole**. + + * **runCommandAssumeRole** + +Type: String + +Description: (Optional) The ARN of the IAM role to use to run the command on the instance. The role must have a trust relationship with the `ssm.amazonaws.com` service principal, it must have the **AmazonSSMManagedInstanceCore** policy attached, and it must have write permissions for the Amazon S3 bucket specified for **S3BucketLog**. +