AWS systems-manager documentation change
Summary
Updated documentation to focus on using Amazon Q for command line instead of IDEs, added MCP server setup, AWS CLI requirements, and revised Cedar policy syntax examples.
Security assessment
The changes primarily update the workflow from IDE-based to command-line usage and refine Cedar policy syntax examples. While just-in-time node access is a security feature, there's no evidence of addressing a specific vulnerability. The syntax corrections (e.g., using hasTag()/getTag() instead of hasTag("Environment:Testing")) improve policy accuracy but reflect general documentation improvements rather than patching a security issue.
Diff
diff --git a/systems-manager/latest/userguide/systems-manager-just-in-time-node-access-create-approval-policies-q-ide-cli.md b/systems-manager/latest/userguide/systems-manager-just-in-time-node-access-create-approval-policies-q-ide-cli.md index 632d713a6..fe974e61b 100644 --- a//systems-manager/latest/userguide/systems-manager-just-in-time-node-access-create-approval-policies-q-ide-cli.md +++ b//systems-manager/latest/userguide/systems-manager-just-in-time-node-access-create-approval-policies-q-ide-cli.md @@ -9 +9 @@ Identify your use caseSet up your development environmentDevelop approval policy -Using Amazon Q Developer in integrated development environments (IDEs) provides guidance and support across various aspects of software development. For just-in-time node access, Amazon Q helps you create approval policies by generating and updating the code for the policies, analyzing policy statements, and more. The following information describes how to create approval policies using an IDE and Amazon Q. +Using Amazon Q Developer for command line provides guidance and support across various aspects of software development. For just-in-time node access, Amazon Q helps you create approval policies by generating and updating the code for the policies, analyzing policy statements, and more. The following information describes how to create approval policies using Amazon Q for command line. @@ -19 +19 @@ In any given scenario, you might prefer one policy or condition, over another. T -To develop approval policies in an IDE, we recommend using the AWS Toolkit for Visual Studio Code. The Toolkit for VS Code is an open-source extension for Visual Studio Code (VS Code) that offers several helpful features that go beyond what is available in the console. Helpful features include schema validation for both YAML and JSON documents, snippets for automation action types, and auto-complete support for various options in both YAML and JSON. Additionally, we recommend installing the Amazon Q Developer extension or plugin for IDEs. +Install Amazon Q for command line where you want to develop your approval policies. For information about installing Amazon Q for the command line, see [Installing Amazon Q for command line](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/command-line-installing.html) in the _Amazon Q Developer User Guide_. @@ -21 +21 @@ To develop approval policies in an IDE, we recommend using the AWS Toolkit for V -For information about installing the Toolkit for VS Code, see [Installing the AWS Toolkit for Visual Studio Code](https://docs.aws.amazon.com/toolkit-for-vscode/latest/userguide/setup-toolkit.html). +We also recommend installing the MCP server for AWS documentation. This MCP server connects Amazon Q for command line to the most current documentation resources. For information about using MCP with Amazon Q for the command line, see [Using MCP with Amazon Q Developer](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/command-line-mcp.html) in the _Amazon Q Developer User Guide_. @@ -23 +23,3 @@ For information about installing the Toolkit for VS Code, see [Installing the AW -For information about installing Amazon Q for the command line, see [Installing the Amazon Q Developer extension or plugin in your IDE](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/q-in-IDE-setup.html) in the _Amazon Q Developer User Guide_. +For more information about the AWS Documentation MCP server see [AWS Documentation MCP Server](https://awslabs.github.io/mcp/servers/aws-documentation-mcp-server/). + +Install and configure the AWS CLI, if you have not already. For information, see [Installing or updating the latest version of the AWS CLI.](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) @@ -31 +33 @@ If you're unsure how to use a particular policy or need more information about t -The following procedure describes how to create approval policies with VS Code and Amazon Q. +The following procedure describes how to create approval policies with Amazon Q for command line. @@ -37 +39,3 @@ Amazon Q Developer uses generative AI. You may need to verify responses. See the -###### To create a approval policies using an IDE +###### To create a approval policies using Amazon Q for command line + + 1. Open your terminal and start a session with Amazon Q. @@ -39 +43 @@ Amazon Q Developer uses generative AI. You may need to verify responses. See the - 1. Open VS Code and create a new Cedar file. + $ q chat @@ -41 +45 @@ Amazon Q Developer uses generative AI. You may need to verify responses. See the - 2. Open the Amazon Q extension and start a chat. + 2. Enter a prompt and describe what kind of policy statement you want to create. For example, using the earlier scenario for an approval policy, you could enter the following prompt: @@ -43 +47,2 @@ Amazon Q Developer uses generative AI. You may need to verify responses. See the - 3. Enter a prompt and describe what kind of policy statement you want to create. For example, using the earlier scenario for an approval policy, you could enter the following prompt: + Create a Cedar policy statement that allows a principal to use the “getTokenForInstanceAccess" action for a resource + that has a tag key “Environment” and tag value of “Testing”. Use the following example statement for reference to verify the syntax. @@ -45 +49,0 @@ Amazon Q Developer uses generative AI. You may need to verify responses. See the - Create a Cedar policy statement that allows a principal to getTokenForInstanceAccess for a resource that has the tag "Environment:Testing". Use the following example statement for reference to verify the syntax. @@ -55 +59,3 @@ Amazon Q Developer uses generative AI. You may need to verify responses. See the - 4. Entering this example prompt resulted in the following output: + The Cedar policy statement you create must be valid. Validate the Cedar statement using the AWS documentation provided for just-in-time node access policy statement structure and make sure you abide by the schema. + + 3. Entering this example prompt resulted in the following output: @@ -57,3 +63,2 @@ Amazon Q Developer uses generative AI. You may need to verify responses. See the - I'll create a Cedar policy statement that allows a principal to perform the - getTokenForInstanceAccess action on resources with the tag "Environment: - Testing", using the example you provided as a reference. + Based on the AWS documentation for Cedar policy statements and the examples provided, I'll create a valid Cedar policy + statement that allows a principal to use the "getTokenForInstanceAccess" action for resources with the tag key "Environment" and tag value "Testing". @@ -61 +66 @@ Amazon Q Developer uses generative AI. You may need to verify responses. See the - Let me create this policy statement for you: + Here's the Cedar policy statement: @@ -63 +67,0 @@ Amazon Q Developer uses generative AI. You may need to verify responses. See the - cedar @@ -70 +74,2 @@ Amazon Q Developer uses generative AI. You may need to verify responses. See the - resource.hasTag("Environment:Testing") + resource.hasTag("Environment") && + resource.getTag("Environment") == "Testing" @@ -74,5 +79,6 @@ Amazon Q Developer uses generative AI. You may need to verify responses. See the - This policy: - • Allows any principal to perform the getTokenForInstanceAccess action - • Only applies to resources that have the tag "Environment:Testing" - • Uses the same syntax structure as your example but focuses specifically on the - tag requirement + This policy statement: + 1. Uses the permit effect to allow access + 2. Applies to any principal (since no specific principal is defined) + 3. Specifically targets the "getTokenForInstanceAccess" action + 4. Applies to resources that have a tag with key "Environment" and value "Testing" + 5. Uses the proper syntax for the condition clause with the hasTag() and getTag() operators @@ -80,3 +86 @@ Amazon Q Developer uses generative AI. You may need to verify responses. See the - If you want to restrict this to specific principals (like a particular group as - in your example), we could modify it further. Would you like me to adjust the - policy to limit which principals can perform this action? + The statement follows the Cedar policy language structure as documented in the AWS Systems Manager documentation for just-in-time node access policies. @@ -84 +88 @@ Amazon Q Developer uses generative AI. You may need to verify responses. See the - 5. Paste the policy statement into your new Cedar file to validate the syntax. You can also validate the statement using the [Cedar playground](https://www.cedarpolicy.com/en/playground). + 4. Paste the policy statement into a new Cedar file to validate the syntax. You can also validate the statement using the [Cedar playground](https://www.cedarpolicy.com/en/playground). @@ -86 +90 @@ Amazon Q Developer uses generative AI. You may need to verify responses. See the - 6. After validating the statement, save the Cedar file. + 5. After validating the statement, save the Cedar file. @@ -88 +92 @@ Amazon Q Developer uses generative AI. You may need to verify responses. See the - 7. From the terminal in your IDE, run the following AWS CLI command to create an SSM document using your policy content. We recommend testing approval policies with a subset of identities and nodes in an AWS account and AWS Region. + 6. From your terminal, run the following AWS CLI command to create an SSM document using your policy content. We recommend testing approval policies with a subset of identities and nodes in an AWS account and AWS Region.