AWS Security ChangesHomeSearch

AWS systems-manager medium security documentation change

Service: systems-manager · 2025-04-01 · Security-related medium

File: systems-manager/latest/userguide/security_iam_id-based-policy-examples.md

Summary

Replaced custom policy example with guidance to use AWS managed policies

Security assessment

Promotes use of AWS managed security policies (AmazonSSMFullAccess/ReadOnlyAccess), improving security best practices documentation.

Diff

diff --git a/systems-manager/latest/userguide/security_iam_id-based-policy-examples.md b/systems-manager/latest/userguide/security_iam_id-based-policy-examples.md
index 6f613a4d0..500f6eb9a 100644
--- a/systems-manager/latest/userguide/security_iam_id-based-policy-examples.md
+++ b/systems-manager/latest/userguide/security_iam_id-based-policy-examples.md
@@ -71,39 +70,0 @@ To access the Systems Manager console, you must have a minimum set of permission
-To fully use Systems Manager in the Systems Manager console, you must have permissions from the following services:
-
-  * AWS Systems Manager
-
-  * Amazon Elastic Compute Cloud (Amazon EC2)
-
-  * AWS Identity and Access Management (IAM)
-
-
-
-
-You can grant the required permissions with the following policy statement.
-    
-    
-    {
-        "Version": "2012-10-17",
-        "Statement": [
-            {
-                "Effect": "Allow",
-                "Action": [
-                    "ssm:*",
-                    "ec2:describeInstances",
-                    "iam:ListRoles"
-                ],
-                "Resource": "*"
-            },
-            {
-                "Effect": "Allow",
-                "Action": "iam:PassRole",
-                "Resource": "*",
-                "Condition": {
-                    "StringEquals": {
-                        "iam:PassedToService": "ssm.amazonaws.com"
-                    }
-                }
-            }
-        ]
-    }
-
@@ -113,0 +75,2 @@ You don't need to allow minimum console permissions for users that are making ca
+To ensure that users and roles can still use the Systems Manager console, also attach the [AmazonSSMFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMFullAccess.html) or [AmazonSSMReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMReadOnlyAccess.html) AWS managed policy to the entities. For more information, see [Adding permissions to a user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the _IAM User Guide_.
+