AWS systems-manager documentation change
Summary
Added warning advising against using aws:SourceIp condition key in Systems Manager Automation policies due to potential unexpected behavior
Security assessment
Proactively addresses potential misconfiguration risks in IAM policies but does not reference a specific existing security vulnerability or incident
Diff
diff --git a/systems-manager/latest/userguide/security-iam.md b/systems-manager/latest/userguide/security-iam.md index 26c19e537..bfa49961f 100644 --- a//systems-manager/latest/userguide/security-iam.md +++ b//systems-manager/latest/userguide/security-iam.md @@ -124,0 +125,4 @@ AWS supports global condition keys and service-specific condition keys. For more +###### Important + +If you use Systems Manager Automation, we recommend you don't use the [aws:SourceIp](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceip) condition key in your policies. The behavior of this condition key is dependent on multiple factors, including whether an IAM role for Automation runbook execution is supplied and the Automation actions used in the runbook. As a result, the condition key can produce unexpected behavior. For this reason, we recommend you don't use it. +