AWS systems-manager documentation change
Summary
Added documentation for 9 new managed policies related to just-in-time node access (JITNA) including execution roles, token management, policy propagation, and notifications. Updated policy list and changelog with new JITNA-related entries.
Security assessment
The changes document new security-focused managed policies enabling just-in-time access controls, temporary token generation, and approval workflows. While these enhance security posture by reducing standing privileges, there is no evidence of addressing a specific existing vulnerability or incident.
Diff
diff --git a/systems-manager/latest/userguide/security-iam-awsmanpol.md b/systems-manager/latest/userguide/security-iam-awsmanpol.md index b63766637..a33fb59d6 100644 --- a//systems-manager/latest/userguide/security-iam-awsmanpol.md +++ b//systems-manager/latest/userguide/security-iam-awsmanpol.md @@ -5 +5 @@ -AmazonSSMServiceRolePolicyAmazonSSMReadOnlyAccessAWSSystemsManagerOpsDataSyncServiceRolePolicyAmazonSSMManagedEC2InstanceDefaultPolicySSMQuickSetupRolePolicyAWSQuickSetupDeploymentRolePolicyAWSQuickSetupPatchPolicyDeploymentRolePolicyAWSQuickSetupPatchPolicyBaselineAccessAWSSystemsManagerEnableExplorerExecutionPolicyAWSSystemsManagerEnableConfigRecordingExecutionPolicyAWSQuickSetupDevOpsGuruPermissionsBoundaryAWSQuickSetupDistributorPermissionsBoundaryAWSQuickSetupSSMHostMgmtPermissionsBoundaryAWSQuickSetupPatchPolicyPermissionsBoundaryAWSQuickSetupSchedulerPermissionsBoundaryAWSQuickSetupCFGCPacksPermissionsBoundaryAWS-SSM-DiagnosisAutomation-AdministrationRolePolicyAWS-SSM-DiagnosisAutomation-ExecutionRolePolicyAWS-SSM-RemediationAutomation-AdministrationRolePolicyAWS-SSM-RemediationAutomation-ExecutionRolePolicyAWSQuickSetupSSMManageResourcesExecutionPolicyAWSQuickSetupSSMLifecycleManagementExecutionPolicyAWSQuickSetupSSMDeploymentRolePolicyAWSQuickSetupSSMDeploymentS3BucketRolePolicyAWSQuickSetupEnableDHMCExecutionPolicyAWSQuickSetupEnableAREXExecutionPolicyAWSQuickSetupManagedInstanceProfileExecutionPolicyAWSQuickSetupFullAccessAWSQuickSetupReadOnlyAccessAWS-SSM-Automation-DiagnosisBucketPolicyAWS-SSM-RemediationAutomation-OperationalAccountAdministrationRolePolicyAWS-SSM-DiagnosisAutomation-OperationalAccountAdministrationRolePolicyPolicy updatesAdditional managed policies for Systems Manager +AmazonSSMServiceRolePolicyAmazonSSMReadOnlyAccessAWSSystemsManagerOpsDataSyncServiceRolePolicyAmazonSSMManagedEC2InstanceDefaultPolicySSMQuickSetupRolePolicyAWSQuickSetupDeploymentRolePolicyAWSQuickSetupPatchPolicyDeploymentRolePolicyAWSQuickSetupPatchPolicyBaselineAccessAWSSystemsManagerEnableExplorerExecutionPolicyAWSSystemsManagerEnableConfigRecordingExecutionPolicyAWSQuickSetupDevOpsGuruPermissionsBoundaryAWSQuickSetupDistributorPermissionsBoundaryAWSQuickSetupSSMHostMgmtPermissionsBoundaryAWSQuickSetupPatchPolicyPermissionsBoundaryAWSQuickSetupSchedulerPermissionsBoundaryAWSQuickSetupCFGCPacksPermissionsBoundaryAWS-SSM-DiagnosisAutomation-AdministrationRolePolicyAWS-SSM-DiagnosisAutomation-ExecutionRolePolicyAWS-SSM-RemediationAutomation-AdministrationRolePolicyAWS-SSM-RemediationAutomation-ExecutionRolePolicyAWSQuickSetupSSMManageResourcesExecutionPolicyAWSQuickSetupSSMLifecycleManagementExecutionPolicyAWSQuickSetupSSMDeploymentRolePolicyAWSQuickSetupSSMDeploymentS3BucketRolePolicyAWSQuickSetupEnableDHMCExecutionPolicyAWSQuickSetupEnableAREXExecutionPolicyAWSQuickSetupManagedInstanceProfileExecutionPolicyAWSQuickSetupFullAccessAWSQuickSetupReadOnlyAccessAWSQuickSetupManageJITNAResourcesExecutionPolicyAWSQuickSetupJITNADeploymentRolePolicyAWSSystemsManagerJustInTimeAccessServicePolicyAWSSystemsManagerJustInTimeAccessTokenPolicyAWSSystemsManagerJustInTimeAccessTokenSessionPolicyAWSSystemsManagerJustInTimeNodeAccessRolePropagationPolicyAWSSystemsManagerNotificationsServicePolicyAWS-SSM-Automation-DiagnosisBucketPolicyAWS-SSM-RemediationAutomation-OperationalAccountAdministrationRolePolicyAWS-SSM-DiagnosisAutomation-OperationalAccountAdministrationRolePolicyPolicy updatesAdditional managed policies for Systems Manager @@ -922,0 +923,181 @@ To view more details about the policy, including the latest version of the JSON +## AWS managed policy: AWSQuickSetupManageJITNAResourcesExecutionPolicy + +The managed policy `AWSQuickSetupManageJITNAResourcesExecutionPolicy` enables Quick Setup, a tool in Systems Manager, to set up just-in-time node access. + +You can attach `AWSQuickSetupManageJITNAResourcesExecutionPolicy` to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform actions on your behalf. + +This policy grants administrative permissions that allow Systems Manager to create resources associated with just-in-time node access. + +**Permissions details** + +This policy includes the following permissions. + + * `ssm` – Allows principals to get and update the service setting that specifies the identity provider for just-in-time node access. + + * `iam` – Allows principals to create, tag, and get roles, attach role policies for just-in-time node access managed policies, and create service-linked roles for just-in-time node access and notifications. + + + + +To view more details about the policy, including the latest version of the JSON policy document, see [AWSQuickSetupManageJITNAResourcesExecutionPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSetupManageJITNAResourcesExecutionPolicy.html) in the _AWS Managed Policy Reference Guide_. + +## AWS managed policy: AWSQuickSetupJITNADeploymentRolePolicy + +The managed policy `AWSQuickSetupJITNADeploymentRolePolicy` allows Quick Setup to deploy the configuration type required to set up just-in-time node access. + +You can attach `AWSQuickSetupJITNADeploymentRolePolicy` to your IAM entities. Systems Manager also attaches this policy to a service role that allows Systems Manager to perform actions on your behalf. + +This policy grants administrative permissions that allow Systems Manager to create resources associated with just-in-time node access. + +**Permissions details** + +This policy includes the following permissions. + + * `cloudformation` – Allows principals to create, update, delete, and read AWS CloudFormation stacks. + + * `ssm` – Allows principals to create, delete, update, and read State Manager associations that are called by AWS CloudFormation. + + * `iam` – Allows principals create, delete, read and tag IAM roles that are called by AWS CloudFormation. + + + + +To view more details about the policy, including the latest version of the JSON policy document, see [AWSQuickSetupJITNADeploymentRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSetupJITNADeploymentRolePolicy.html) in the _AWS Managed Policy Reference Guide_. + +## AWS managed policy: AWSSystemsManagerJustInTimeAccessServicePolicy + +The managed policy `AWSSystemsManagerJustInTimeAccessServicePolicy` provides permissions to AWS resources managed or used by the Systems Manager just-in-time node access feature. + +You can't attach `AWSSystemsManagerJustInTimeAccessServicePolicy` to your IAM entities. This policy is attached to a service-linked role that allows Systems Manager to perform actions on your behalf. For more information, see [Using roles to enable just-in-time node access](./using-service-linked-roles-service-action-8.html). + +This policy grants administrative permissions that allows access to resources associated with just-in-time node access. + +**Permissions details** + +This policy includes the following permissions. + + * `ssm` – Allows principals to create, describe, and update OpsItems, describe sessions and list tags for managed nodes. + + * `ssm-guiconnect` – Allows principals to list connections. + + * `identitystore` – Allows to get user and group IDs, describe users, and list group membership. + + * `sso-directory` – Allows principals to describe users and determine if a user is a member of a group. + + * `sso` – Allows principals to describe registered Regions and list instances and directory associations. + + * `cloudwatch` – Allows principals to put metric data for the `AWS/SSM/JustInTimeAccess` namespace. + + * `ec2` – Allows principals to describe tags. + + + + +To view more details about the policy, including the latest version of the JSON policy document, see [AWSSystemsManagerJustInTimeAccessServicePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSystemsManagerJustInTimeAccessServicePolicy.html) in the _AWS Managed Policy Reference Guide_. + +## AWS managed policy: AWSSystemsManagerJustInTimeAccessTokenPolicy + +The managed policy `AWSSystemsManagerJustInTimeAccessTokenPolicy` allows Systems Manager to generate access tokens used for just-in-time node access. + +You can attach `AWSSystemsManagerJustInTimeAccessTokenPolicy` to your IAM entities. + +This policy grants administrative permissions that allow Systems Manager to start sessions and generate access tokens for just-in-time node access. + +**Permissions details** + +This policy includes the following permissions. + + * `ssm` – Allows principals to send commands, list command invocations, and start, resume, and end Session Manager sessions. + + * `ssm-guiconnect` – Allows principals to start, describe, and end Systems Manager GUI Connect RDP connections. + + * `kms` – Allows principals to create grants and generate key data. + + * `sso` – Allows principals to list directory associations. + + * `identitystore` – Allows principals to describe a user. + + + + +To view more details about the policy, including the latest version of the JSON policy document, see [AWSSystemsManagerJustInTimeAccessTokenPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSystemsManagerJustInTimeAccessTokenPolicy.html) in the _AWS Managed Policy Reference Guide_. + +## AWS managed policy: AWSSystemsManagerJustInTimeAccessTokenSessionPolicy + +The managed policy `AWSSystemsManagerJustInTimeAccessTokenSessionPolicy` allows Systems Manager to apply scoped down permissions to a just-in-time node access token. + +You can attach `AWSSystemsManagerJustInTimeAccessTokenSessionPolicy` to your IAM entities. + +This policy grants administrative permissions that allow Systems Manager to scope down permissions for just-in-time node access tokens. + +**Permissions details** + +This policy includes the following permissions. + + * `ssm` – Allows principals to start Session Manager sessions using the `SSM-SessionManagerRunShell` document. Also when called first via `ssm-guiconnect`, start sessions using the `AWS-StartPortForwardingSession` document, list command invocations, and send commands using the `AWSSSO-CreateSSOUser` document. + + * `ssm-guiconnect` – Allows principals to cancel, get, and start connections on all resources. + + * `kms` – Allows principals to create grants and generate data keys for keys tagged with `SystemsManagerJustInTimeNodeAccessManaged` when called via `ssm-guiconnect` through an AWS service. + + * `sso` – Allows principals to list directory associations when called via `ssm-guiconnect`. + + * `identitystore` – Allows principals to describe a user when called via `ssm-guiconnect`. + + + + +To view more details about the policy, including the latest version of the JSON policy document, see [AWSSystemsManagerJustInTimeAccessTokenSessionPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSystemsManagerJustInTimeAccessTokenSessionPolicy.html) in the _AWS Managed Policy Reference Guide_. + +## AWS managed policy: AWSSystemsManagerJustInTimeNodeAccessRolePropagationPolicy + +The managed policy `AWSSystemsManagerJustInTimeNodeAccessRolePropagationPolicy` allows Systems Manager to share deny-access policies from the delegated administrator account to member accounts, and replicate the policies across multiple AWS Regions. + +You can attach `AWSSystemsManagerJustInTimeNodeAccessRolePropagationPolicy` to your IAM entities. + +This policy provides the administrative permissions necessary for Systems Manager to share and create deny-access policies. This ensures that deny-access policies are applied to all accounts in an AWS Organizations organization and Regions configured for just-in-time node access. + +**Permissions details** + +This policy includes the following permissions. + + * `ssm` – Allows principals to manage SSM documents and resource policies. + + * `ssm-quicksetup` – Allows principals to read Quick Setup configuration managers. + + * `organizations` – Allows principals to list details about an AWS Organizations organization and delegated administrators. + + * `ram` – Allows principals to create, tag, and describe resource shares. + + * `iam` – Allows principals to describe a service role. + + + + +To view more details about the policy, including the latest version of the JSON policy document, see [AWSSystemsManagerJustInTimeNodeAccessRolePropagationPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSystemsManagerJustInTimeNodeAccessRolePropagationPolicy.html) in the _AWS Managed Policy Reference Guide_. + +## AWS managed policy: AWSSystemsManagerNotificationsServicePolicy + +The managed policy `AWSSystemsManagerNotificationsServicePolicy` allows Systems Manager to send email notifications for just-in-time node access requests to access request approvers. + +You can't attach `AWSSystemsManagerJustInTimeAccessServicePolicy` to your IAM entities. This policy is attached to a service-linked role that allows Systems Manager to perform actions on your behalf. For more information, see [Using roles to send just-in-time node access request notifications](./using-service-linked-roles-service-action-9.html). + +This policy grants administrative permissions that allow Systems Manager to send email notifications for just-in-time node access requests to access request approvers. + +**Permissions details** + +This policy includes the following permissions. + + * `identitystore` – Allows principals to list and describe users and group membership. + + * `sso` – Allows principals to list instances, directories, and describe registered Regions. + + * `sso-directory` – Allows principals to describe users and list members in a group. + + * `iam` – Allows principals to get information about roles. + + + + +To view more details about the policy, including the latest version of the JSON policy document, see [AWSSystemsManagerNotificationsServicePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSSystemsManagerNotificationsServicePolicy.html) in the _AWS Managed Policy Reference Guide_. + @@ -983,0 +1165,9 @@ Change | Description | Date +AWSSystemsManagerJustInTimeNodeAccessRolePropagationPolicy – Update to an policy | Systems Manager added permissions to allow Systems Manager to tag a resource shared by for just-in-time node access. | April 30th, 2025 +AWSQuickSetupManageJITNAResourcesExecutionPolicy – Update to an policy | Systems Manager added permissions to allow Systems Manager to tag IAM roles created for just-in-time node access. | April 30th, 2025 +AWSSystemsManagerJustInTimeAccessTokenSessionPolicy – New policy | Systems Manager added a new policy to allow Systems Manager to apply scoped down permissions to a just-in-time node access token. | April 30th, 2025 +AWSSystemsManagerNotificationsServicePolicy – New policy | Systems Manager added a new policy to allow Systems Manager to send email notifications for just-in-time node access requests to access request approvers. | April 30th, 2025 +AWSSystemsManagerJustInTimeNodeAccessRolePropagationPolicy – New policy | Systems Manager added a new policy to allow Systems Manager to replicate approval policies to different Regions. | April 30th, 2025 +AWSSystemsManagerJustInTimeAccessTokenPolicy – New policy | Systems Manager added a new policy to allow Systems Manager to generate access tokens used for just-in-time node access. | April 30th, 2025 +AWSSystemsManagerJustInTimeAccessServicePolicy – New policy | Systems Manager added a new policy to provide permissions to AWS resources managed or used by the Systems Manager just-in-time node access feature. | April 30th, 2025 +AWSQuickSetupManageJITNAResourcesExecutionPolicy – New policy | Systems Manager added a new policy to allow Quick Setup, a tool in Systems Manager, to create the IAM roles necessary for just-in-time node access. | April 30th, 2025 +AWSQuickSetupJITNADeploymentRolePolicy – New policy | Systems Manager added a new policy that provides permissions that allow Quick Setup to deploy the configuration type required to set up just-in-time node access. | April 30th, 2025