AWS Security ChangesHomeSearch

AWS systems-manager high security documentation change

Service: systems-manager · 2025-05-10 · Security-related high

File: systems-manager/latest/userguide/systems-manager-just-in-time-node-access-create-deny-access-policies.md

Summary

Corrected tag validation syntax and added policy creation constraints

Security assessment

Fixes deny policy conditions to accurately enforce tag-based restrictions and clarifies policy deployment limits. Prevents potential security misconfigurations in access control.

Diff

diff --git a/systems-manager/latest/userguide/systems-manager-just-in-time-node-access-create-deny-access-policies.md b/systems-manager/latest/userguide/systems-manager-just-in-time-node-access-create-deny-access-policies.md
index 429f2b14c..b6dcda3bf 100644
--- a//systems-manager/latest/userguide/systems-manager-just-in-time-node-access-create-deny-access-policies.md
+++ b//systems-manager/latest/userguide/systems-manager-just-in-time-node-access-create-deny-access-policies.md
@@ -18 +18 @@ The following is an example deny-access policy.
-        resource.hasTag("Environment:Production")
+        resource.hasTag("Environment") && resource.getTag("Environment") == "Production"
@@ -27 +27 @@ The following is an example deny-access policy.
-        principal has division && principal.division != "Finance" && resource.hasTag("DataClassification:Financial")
+        principal has division && principal.division != "Finance" && resource.hasTag("DataClassification") && resource.getTag("DataClassification") == "Financial"
@@ -38 +38 @@ The following is an example deny-access policy.
-        principal has employeeNumber && principal.employeeNumber like "TEMP-*" && resource.hasTag("Criticality:High")
+        principal has employeeNumber && principal.employeeNumber like "TEMP-*" && resource.hasTag("Criticality") && resource.getTag("Criticality") == "High"
@@ -41 +41,5 @@ The following is an example deny-access policy.
-The following procedure describes how to create a deny-access policy for just-in-time node acces. You can have one deny-access policy for your AWS Organizations organization. For more information about how to construct policy statements, see [Statement structure and built-in operators for auto-approval and deny-access policies](./auto-approval-deny-access-policy-statement-structure.html).
+The following procedure describes how to create a deny-access policy for just-in-time node access. For more information about how to construct policy statements, see [Statement structure and built-in operators for auto-approval and deny-access policies](./auto-approval-deny-access-policy-statement-structure.html).
+
+###### Note
+
+You can create deny-access policies while logged into the AWS Management account or the delegated administrator account. Your AWS Organizations organization can have only one deny-access policy.