AWS Security ChangesHomeSearch

AWS systems-manager high security documentation change

Service: systems-manager · 2025-05-10 · Security-related high

File: systems-manager/latest/userguide/auto-approval-deny-access-policy-statement-structure.md

Summary

Corrected policy syntax for tag-based access control from `resource.hasTag("Purpose:Testing")` to explicit tag key/value checks.

Security assessment

Fixes a policy syntax error that could have led to incorrect access control enforcement, addressing a potential security misconfiguration.

Diff

diff --git a/systems-manager/latest/userguide/auto-approval-deny-access-policy-statement-structure.md b/systems-manager/latest/userguide/auto-approval-deny-access-policy-statement-structure.md
index e043e6016..0734a1834 100644
--- a//systems-manager/latest/userguide/auto-approval-deny-access-policy-statement-structure.md
+++ b//systems-manager/latest/userguide/auto-approval-deny-access-policy-statement-structure.md
@@ -77 +77 @@ The following example shows how to write a policy if a context property uses a `
-        principal has employeeNumber && principal.employeeNumber like "E-1*" && resource.hasTag("Purpose:Testing")
+        principal has employeeNumber && principal.employeeNumber like "E-1*" && resource.hasTag("Purpose") && resource.getTag("Purpose") == "Testing"