AWS Security ChangesHomeSearch

AWS ram medium security documentation change

Service: ram · 2025-05-01 · Security-related medium

File: ram/latest/userguide/shareable.md

Summary

Updated AWS Systems Manager section to include deny-access policy documentation for just-in-time node access control

Security assessment

Added documentation for a deny-access policy that explicitly prevents auto-approval of access requests to nodes. This directly relates to security controls for just-in-time access management, which helps prevent unauthorized access.

Diff

diff --git a/ram/latest/userguide/shareable.md b/ram/latest/userguide/shareable.md
index 6811952f0..6578e2031 100644
--- a//ram/latest/userguide/shareable.md
+++ b//ram/latest/userguide/shareable.md
@@ -5 +5 @@
-AWS App MeshAWS AppSync GraphQL APIAmazon API GatewayAmazon Application Recovery Controller (ARC)Amazon AuroraAWS BackupAmazon BedrockAWS Billing View ServiceAWS CloudHSMAWS CodeBuildAWS CodeConnectionsAmazon DataZoneAmazon EC2EC2 Image BuilderElastic Load BalancingAWS End User Messaging SMSAmazon FSx for OpenZFSAWS GlueAWS License ManagerAWS MarketplaceAWS Migration Hub Refactor SpacesAWS Network FirewallAWS OutpostsAmazon S3 on OutpostsAWS Private Certificate AuthorityAWS Resource ExplorerAWS Resource GroupsAmazon Route 53Amazon Simple Storage ServiceAmazon SageMaker AIAWS Service Catalog AppRegistryAWS Systems Manager Incident ManagerAWS Systems Manager Parameter StoreAmazon VPCAmazon VPC LatticeAWS Cloud WAN
+AWS App MeshAWS AppSync GraphQL APIAmazon API GatewayAmazon Application Recovery Controller (ARC)Amazon AuroraAWS BackupAmazon BedrockAWS Billing View ServiceAWS CloudHSMAWS CodeBuildAWS CodeConnectionsAmazon DataZoneAmazon EC2EC2 Image BuilderElastic Load BalancingAWS End User Messaging SMSAmazon FSx for OpenZFSAWS GlueAWS License ManagerAWS MarketplaceAWS Migration Hub Refactor SpacesAWS Network FirewallAWS OutpostsAmazon S3 on OutpostsAWS Private Certificate AuthorityAWS Resource ExplorerAWS Resource GroupsAmazon Route 53Amazon Simple Storage ServiceAmazon SageMaker AIAWS Service Catalog AppRegistryAWS Systems Manager Incident ManagerAWS Systems ManagerAmazon VPCAmazon VPC LatticeAWS Cloud WAN
@@ -316 +316 @@ Response plans `ssm-incidents:ResponsePlan` |  Create and manage response plans
-## AWS Systems Manager Parameter Store
+## AWS Systems Manager
@@ -318 +318 @@ Response plans `ssm-incidents:ResponsePlan` |  Create and manage response plans
-You can share the following AWS Systems Manager Parameter Store resources by using AWS RAM.
+You can share the following AWS Systems Manager resources by using AWS RAM.
@@ -321,0 +322 @@ Resource type and code | Use case | Can share with IAM users and roles | Can sha
+Deny-access policy `ssm:Document` |  Create an approval policy for just-in-time node access with Systems Manager. A deny-access policy explicitly prevents the auto-approval of access requests to the nodes you specify. Share the deny-access policy with other AWS accounts or your organization. This ensures your deny-access policy for just-in-time node access applies to all accounts in your organization. For more information, see [Just-in-time node access using Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-just-in-time-node-access.html) in the _AWS Systems Manager User Guide_. |  Yes  |  Yes  Can share with **any** AWS account. |  Yes  |  No