AWS Security ChangesHomeSearch

AWS systems-manager documentation change

Service: systems-manager · 2025-04-16 · Documentation low

File: systems-manager/latest/userguide/security-iam.md

Summary

Added warning advising against using aws:SourceIp condition key in Systems Manager Automation policies due to potential unexpected behavior

Security assessment

Proactively addresses potential misconfiguration risks in IAM policies but does not reference a specific existing security vulnerability or incident

Diff

diff --git a/systems-manager/latest/userguide/security-iam.md b/systems-manager/latest/userguide/security-iam.md
index 26c19e537..bfa49961f 100644
--- a//systems-manager/latest/userguide/security-iam.md
+++ b//systems-manager/latest/userguide/security-iam.md
@@ -124,0 +125,4 @@ AWS supports global condition keys and service-specific condition keys. For more
+###### Important
+
+If you use Systems Manager Automation, we recommend you don't use the [aws:SourceIp](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceip) condition key in your policies. The behavior of this condition key is dependent on multiple factors, including whether an IAM role for Automation runbook execution is supplied and the Automation actions used in the runbook. As a result, the condition key can produce unexpected behavior. For this reason, we recommend you don't use it.
+