AWS systems-manager documentation change
Summary
Added tagging permissions for IAM roles and Lambda in managed policies
Security assessment
Documents new permissions for resource tagging which supports security best practices, but doesn't indicate resolution of a specific vulnerability. Tagging improvements support access control but aren't directly security fixes.
Diff
diff --git a/systems-manager/latest/userguide/security-iam-awsmanpol.md b/systems-manager/latest/userguide/security-iam-awsmanpol.md index a33fb59d6..73a1d8114 100644 --- a//systems-manager/latest/userguide/security-iam-awsmanpol.md +++ b//systems-manager/latest/userguide/security-iam-awsmanpol.md @@ -780 +780 @@ This policy includes the following permissions. - * `iam` – Allows principals to pass roles permissions for the Systems Manager service and Lambda service; and to pass role permissions for diagnosis operations. + * `iam` – Allows principals to tag roles and pass roles permissions for the Systems Manager service and Lambda service, and to pass role permissions for diagnosis operations. @@ -782 +782 @@ This policy includes the following permissions. - * `lambda` – Allows principals to manage functions for the Quick Setup lifecycle in the principal account using AWS CloudFormation templates. + * `lambda` – Allows principals to tag and manage functions for the Quick Setup lifecycle in the principal account using AWS CloudFormation templates. @@ -1182,0 +1183 @@ AWS-SSM-RemediationAutomation-ExecutionRolePolicy – New policy | Systems Manag +AWSQuickSetupSSMDeploymentRolePolicy – Update to an policy | Systems Manager added permissions to allow Systems Manager to tag IAM roles and Lambda created for the unified console. | May 7th, 2025