AWS Security ChangesHomeSearch

AWS systems-manager documentation change

Service: systems-manager · 2025-05-01 · Documentation low

File: systems-manager/latest/userguide/security-iam-awsmanpol.md

Summary

Added documentation for 9 new managed policies related to just-in-time node access (JITNA) including execution roles, token management, policy propagation, and notifications. Updated policy list and changelog with new JITNA-related entries.

Security assessment

The changes document new security-focused managed policies enabling just-in-time access controls, temporary token generation, and approval workflows. While these enhance security posture by reducing standing privileges, there is no evidence of addressing a specific existing vulnerability or incident.

Diff

diff --git a/systems-manager/latest/userguide/security-iam-awsmanpol.md b/systems-manager/latest/userguide/security-iam-awsmanpol.md
index b63766637..a33fb59d6 100644
--- a//systems-manager/latest/userguide/security-iam-awsmanpol.md
+++ b//systems-manager/latest/userguide/security-iam-awsmanpol.md
@@ -5 +5 @@
-AmazonSSMServiceRolePolicyAmazonSSMReadOnlyAccessAWSSystemsManagerOpsDataSyncServiceRolePolicyAmazonSSMManagedEC2InstanceDefaultPolicySSMQuickSetupRolePolicyAWSQuickSetupDeploymentRolePolicyAWSQuickSetupPatchPolicyDeploymentRolePolicyAWSQuickSetupPatchPolicyBaselineAccessAWSSystemsManagerEnableExplorerExecutionPolicyAWSSystemsManagerEnableConfigRecordingExecutionPolicyAWSQuickSetupDevOpsGuruPermissionsBoundaryAWSQuickSetupDistributorPermissionsBoundaryAWSQuickSetupSSMHostMgmtPermissionsBoundaryAWSQuickSetupPatchPolicyPermissionsBoundaryAWSQuickSetupSchedulerPermissionsBoundaryAWSQuickSetupCFGCPacksPermissionsBoundaryAWS-SSM-DiagnosisAutomation-AdministrationRolePolicyAWS-SSM-DiagnosisAutomation-ExecutionRolePolicyAWS-SSM-RemediationAutomation-AdministrationRolePolicyAWS-SSM-RemediationAutomation-ExecutionRolePolicyAWSQuickSetupSSMManageResourcesExecutionPolicyAWSQuickSetupSSMLifecycleManagementExecutionPolicyAWSQuickSetupSSMDeploymentRolePolicyAWSQuickSetupSSMDeploymentS3BucketRolePolicyAWSQuickSetupEnableDHMCExecutionPolicyAWSQuickSetupEnableAREXExecutionPolicyAWSQuickSetupManagedInstanceProfileExecutionPolicyAWSQuickSetupFullAccessAWSQuickSetupReadOnlyAccessAWS-SSM-Automation-DiagnosisBucketPolicyAWS-SSM-RemediationAutomation-OperationalAccountAdministrationRolePolicyAWS-SSM-DiagnosisAutomation-OperationalAccountAdministrationRolePolicyPolicy updatesAdditional managed policies for Systems Manager
+AmazonSSMServiceRolePolicyAmazonSSMReadOnlyAccessAWSSystemsManagerOpsDataSyncServiceRolePolicyAmazonSSMManagedEC2InstanceDefaultPolicySSMQuickSetupRolePolicyAWSQuickSetupDeploymentRolePolicyAWSQuickSetupPatchPolicyDeploymentRolePolicyAWSQuickSetupPatchPolicyBaselineAccessAWSSystemsManagerEnableExplorerExecutionPolicyAWSSystemsManagerEnableConfigRecordingExecutionPolicyAWSQuickSetupDevOpsGuruPermissionsBoundaryAWSQuickSetupDistributorPermissionsBoundaryAWSQuickSetupSSMHostMgmtPermissionsBoundaryAWSQuickSetupPatchPolicyPermissionsBoundaryAWSQuickSetupSchedulerPermissionsBoundaryAWSQuickSetupCFGCPacksPermissionsBoundaryAWS-SSM-DiagnosisAutomation-AdministrationRolePolicyAWS-SSM-DiagnosisAutomation-ExecutionRolePolicyAWS-SSM-RemediationAutomation-AdministrationRolePolicyAWS-SSM-RemediationAutomation-ExecutionRolePolicyAWSQuickSetupSSMManageResourcesExecutionPolicyAWSQuickSetupSSMLifecycleManagementExecutionPolicyAWSQuickSetupSSMDeploymentRolePolicyAWSQuickSetupSSMDeploymentS3BucketRolePolicyAWSQuickSetupEnableDHMCExecutionPolicyAWSQuickSetupEnableAREXExecutionPolicyAWSQuickSetupManagedInstanceProfileExecutionPolicyAWSQuickSetupFullAccessAWSQuickSetupReadOnlyAccessAWSQuickSetupManageJITNAResourcesExecutionPolicyAWSQuickSetupJITNADeploymentRolePolicyAWSSystemsManagerJustInTimeAccessServicePolicyAWSSystemsManagerJustInTimeAccessTokenPolicyAWSSystemsManagerJustInTimeAccessTokenSessionPolicyAWSSystemsManagerJustInTimeNodeAccessRolePropagationPolicyAWSSystemsManagerNotificationsServicePolicyAWS-SSM-Automation-DiagnosisBucketPolicyAWS-SSM-RemediationAutomation-OperationalAccountAdministrationRolePolicyAWS-SSM-DiagnosisAutomation-OperationalAccountAdministrationRolePolicyPolicy updatesAdditional managed policies for Systems Manager
@@ -922,0 +923,181 @@ To view more details about the policy, including the latest version of the JSON
+## AWS managed policy: AWSQuickSetupManageJITNAResourcesExecutionPolicy
+
+The managed policy `AWSQuickSetupManageJITNAResourcesExecutionPolicy` enables Quick Setup, a tool in Systems Manager, to set up just-in-time node access.
+
+You can attach `AWSQuickSetupManageJITNAResourcesExecutionPolicy` to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform actions on your behalf. 
+
+This policy grants administrative permissions that allow Systems Manager to create resources associated with just-in-time node access.
+
+**Permissions details**
+
+This policy includes the following permissions.
+
+  * `ssm` – Allows principals to get and update the service setting that specifies the identity provider for just-in-time node access.
+
+  * `iam` – Allows principals to create, tag, and get roles, attach role policies for just-in-time node access managed policies, and create service-linked roles for just-in-time node access and notifications.
+
+
+
+
+To view more details about the policy, including the latest version of the JSON policy document, see [AWSQuickSetupManageJITNAResourcesExecutionPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSetupManageJITNAResourcesExecutionPolicy.html) in the _AWS Managed Policy Reference Guide_.
+
+## AWS managed policy: AWSQuickSetupJITNADeploymentRolePolicy
+
+The managed policy `AWSQuickSetupJITNADeploymentRolePolicy` allows Quick Setup to deploy the configuration type required to set up just-in-time node access.
+
+You can attach `AWSQuickSetupJITNADeploymentRolePolicy` to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform actions on your behalf. 
+
+This policy grants administrative permissions that allow Systems Manager to create resources associated with just-in-time node access.
+
+**Permissions details**
+
+This policy includes the following permissions.
+
+  * `cloudformation` – Allows principals to create, update, delete, and read AWS CloudFormation stacks.
+
+  * `ssm` – Allows principals to create, delete, update, and read State Manager associations that are called by AWS CloudFormation.
+
+  * `iam` – Allows principals create, delete, read and tag IAM roles that are called by AWS CloudFormation.
+
+
+
+
+To view more details about the policy, including the latest version of the JSON policy document, see [AWSQuickSetupJITNADeploymentRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSetupJITNADeploymentRolePolicy.html) in the _AWS Managed Policy Reference Guide_.
+
+## AWS managed policy: AWSSystemsManagerJustInTimeAccessServicePolicy
+
+The managed policy `AWSSystemsManagerJustInTimeAccessServicePolicy` provides permissions to AWS resources managed or used by the Systems Manager just-in-time node access feature.
+
+You can't attach `AWSSystemsManagerJustInTimeAccessServicePolicy` to your IAM entities. This policy is attached to a service-linked role that allows Systems Manager to perform actions on your behalf. For more information, see [Using roles to enable just-in-time node access](./using-service-linked-roles-service-action-8.html).
+
+This policy grants administrative permissions that allows access to resources associated with just-in-time node access.
+
+**Permissions details**
+
+This policy includes the following permissions.
+
+  * `ssm` – Allows principals to create, describe, and update OpsItems, describe sessions and list tags for managed nodes.
+
+  * `ssm-guiconnect` – Allows principals to list connections.
+
+  * `identitystore` – Allows to get user and group IDs, describe users, and list group membership.
+
+  * `sso-directory` – Allows principals to describe users and determine if a user is a member of a group.
+
+  * `sso` – Allows principals to describe registered Regions and list instances and directory associations.
+
+  * `cloudwatch` – Allows principals to put metric data for the `AWS/SSM/JustInTimeAccess` namespace.
+
+  * `ec2` – Allows principals to describe tags.
+
+
+
+
+To view more details about the policy, including the latest version of the JSON policy document, see [AWSSystemsManagerJustInTimeAccessServicePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSystemsManagerJustInTimeAccessServicePolicy.html) in the _AWS Managed Policy Reference Guide_.
+
+## AWS managed policy: AWSSystemsManagerJustInTimeAccessTokenPolicy
+
+The managed policy `AWSSystemsManagerJustInTimeAccessTokenPolicy` allows Systems Manager to generate access tokens used for just-in-time node access. 
+
+You can attach `AWSSystemsManagerJustInTimeAccessTokenPolicy` to your IAM entities.
+
+This policy grants administrative permissions that allow Systems Manager to start sessions and generate access tokens for just-in-time node access.
+
+**Permissions details**
+
+This policy includes the following permissions.
+
+  * `ssm` – Allows principals to send commands, list command invocations, and start, resume, and end Session Manager sessions.
+
+  * `ssm-guiconnect` – Allows principals to start, describe, and end Systems Manager GUI Connect RDP connections.
+
+  * `kms` – Allows principals to create grants and generate key data.
+
+  * `sso` – Allows principals to list directory associations.
+
+  * `identitystore` – Allows principals to describe a user.
+
+
+
+
+To view more details about the policy, including the latest version of the JSON policy document, see [AWSSystemsManagerJustInTimeAccessTokenPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSystemsManagerJustInTimeAccessTokenPolicy.html) in the _AWS Managed Policy Reference Guide_.
+
+## AWS managed policy: AWSSystemsManagerJustInTimeAccessTokenSessionPolicy
+
+The managed policy `AWSSystemsManagerJustInTimeAccessTokenSessionPolicy` allows Systems Manager to apply scoped down permissions to a just-in-time node access token. 
+
+You can attach `AWSSystemsManagerJustInTimeAccessTokenSessionPolicy` to your IAM entities.
+
+This policy grants administrative permissions that allow Systems Manager to scope down permissions for just-in-time node access tokens.
+
+**Permissions details**
+
+This policy includes the following permissions.
+
+  * `ssm` – Allows principals to start Session Manager sessions using the `SSM-SessionManagerRunShell` document. Also when called first via `ssm-guiconnect`, start sessions using the `AWS-StartPortForwardingSession` document, list command invocations, and send commands using the `AWSSSO-CreateSSOUser` document.
+
+  * `ssm-guiconnect` – Allows principals to cancel, get, and start connections on all resources.
+
+  * `kms` – Allows principals to create grants and generate data keys for keys tagged with `SystemsManagerJustInTimeNodeAccessManaged` when called via `ssm-guiconnect` through an AWS service.
+
+  * `sso` – Allows principals to list directory associations when called via `ssm-guiconnect`.
+
+  * `identitystore` – Allows principals to describe a user when called via `ssm-guiconnect`.
+
+
+
+
+To view more details about the policy, including the latest version of the JSON policy document, see [AWSSystemsManagerJustInTimeAccessTokenSessionPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSystemsManagerJustInTimeAccessTokenSessionPolicy.html) in the _AWS Managed Policy Reference Guide_.
+
+## AWS managed policy: AWSSystemsManagerJustInTimeNodeAccessRolePropagationPolicy
+
+The managed policy `AWSSystemsManagerJustInTimeNodeAccessRolePropagationPolicy` allows Systems Manager to share deny-access policies from the delegated administrator account to member accounts, and replicate the policies across multiple AWS Regions.
+
+You can attach `AWSSystemsManagerJustInTimeNodeAccessRolePropagationPolicy` to your IAM entities.
+
+This policy provides the administrative permissions necessary for Systems Manager to share and create deny-access policies. This ensures that deny-access policies are applied to all accounts in an AWS Organizations organization and Regions configured for just-in-time node access.
+
+**Permissions details**
+
+This policy includes the following permissions.
+
+  * `ssm` – Allows principals to manage SSM documents and resource policies.
+
+  * `ssm-quicksetup` – Allows principals to read Quick Setup configuration managers.
+
+  * `organizations` – Allows principals to list details about an AWS Organizations organization and delegated administrators.
+
+  * `ram` – Allows principals to create, tag, and describe resource shares.
+
+  * `iam` – Allows principals to describe a service role.
+
+
+
+
+To view more details about the policy, including the latest version of the JSON policy document, see [AWSSystemsManagerJustInTimeNodeAccessRolePropagationPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSystemsManagerJustInTimeNodeAccessRolePropagationPolicy.html) in the _AWS Managed Policy Reference Guide_.
+
+## AWS managed policy: AWSSystemsManagerNotificationsServicePolicy
+
+The managed policy `AWSSystemsManagerNotificationsServicePolicy` allows Systems Manager to send email notifications for just-in-time node access requests to access request approvers.
+
+You can't attach `AWSSystemsManagerJustInTimeAccessServicePolicy` to your IAM entities. This policy is attached to a service-linked role that allows Systems Manager to perform actions on your behalf. For more information, see [Using roles to send just-in-time node access request notifications](./using-service-linked-roles-service-action-9.html).
+
+This policy grants administrative permissions that allow Systems Manager to send email notifications for just-in-time node access requests to access request approvers.
+
+**Permissions details**
+
+This policy includes the following permissions.
+
+  * `identitystore` – Allows principals to list and describe users and group membership.
+
+  * `sso` – Allows principals to list instances, directories, and describe registered Regions.
+
+  * `sso-directory` – Allows principals to describe users and list members in a group.
+
+  * `iam` – Allows principals to get information about roles.
+
+
+
+
+To view more details about the policy, including the latest version of the JSON policy document, see [AWSSystemsManagerNotificationsServicePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSystemsManagerNotificationsServicePolicy.html) in the _AWS Managed Policy Reference Guide_.
+
@@ -983,0 +1165,9 @@ Change | Description | Date
+AWSSystemsManagerJustInTimeNodeAccessRolePropagationPolicy – Update to an policy |  Systems Manager added permissions to allow Systems Manager to tag a resource shared by for just-in-time node access. | April 30th, 2025  
+AWSQuickSetupManageJITNAResourcesExecutionPolicy – Update to an policy |  Systems Manager added permissions to allow Systems Manager to tag IAM roles created for just-in-time node access. | April 30th, 2025  
+AWSSystemsManagerJustInTimeAccessTokenSessionPolicy – New policy |  Systems Manager added a new policy to allow Systems Manager to apply scoped down permissions to a just-in-time node access token. | April 30th, 2025  
+AWSSystemsManagerNotificationsServicePolicy – New policy |  Systems Manager added a new policy to allow Systems Manager to send email notifications for just-in-time node access requests to access request approvers. | April 30th, 2025  
+AWSSystemsManagerJustInTimeNodeAccessRolePropagationPolicy – New policy |  Systems Manager added a new policy to allow Systems Manager to replicate approval policies to different Regions. | April 30th, 2025  
+AWSSystemsManagerJustInTimeAccessTokenPolicy – New policy |  Systems Manager added a new policy to allow Systems Manager to generate access tokens used for just-in-time node access. | April 30th, 2025  
+AWSSystemsManagerJustInTimeAccessServicePolicy – New policy |  Systems Manager added a new policy to provide permissions to AWS resources managed or used by the Systems Manager just-in-time node access feature. | April 30th, 2025  
+AWSQuickSetupManageJITNAResourcesExecutionPolicy – New policy |  Systems Manager added a new policy to allow Quick Setup, a tool in Systems Manager, to create the IAM roles necessary for just-in-time node access. | April 30th, 2025  
+AWSQuickSetupJITNADeploymentRolePolicy – New policy |  Systems Manager added a new policy that provides permissions that allow Quick Setup to deploy the configuration type required to set up just-in-time node access. | April 30th, 2025