AWS systems-manager high security documentation change
Summary
Corrected tag validation syntax and added policy creation constraints
Security assessment
Fixes deny policy conditions to accurately enforce tag-based restrictions and clarifies policy deployment limits. Prevents potential security misconfigurations in access control.
Diff
diff --git a/systems-manager/latest/userguide/systems-manager-just-in-time-node-access-create-deny-access-policies.md b/systems-manager/latest/userguide/systems-manager-just-in-time-node-access-create-deny-access-policies.md index 429f2b14c..b6dcda3bf 100644 --- a//systems-manager/latest/userguide/systems-manager-just-in-time-node-access-create-deny-access-policies.md +++ b//systems-manager/latest/userguide/systems-manager-just-in-time-node-access-create-deny-access-policies.md @@ -18 +18 @@ The following is an example deny-access policy. - resource.hasTag("Environment:Production") + resource.hasTag("Environment") && resource.getTag("Environment") == "Production" @@ -27 +27 @@ The following is an example deny-access policy. - principal has division && principal.division != "Finance" && resource.hasTag("DataClassification:Financial") + principal has division && principal.division != "Finance" && resource.hasTag("DataClassification") && resource.getTag("DataClassification") == "Financial" @@ -38 +38 @@ The following is an example deny-access policy. - principal has employeeNumber && principal.employeeNumber like "TEMP-*" && resource.hasTag("Criticality:High") + principal has employeeNumber && principal.employeeNumber like "TEMP-*" && resource.hasTag("Criticality") && resource.getTag("Criticality") == "High" @@ -41 +41,5 @@ The following is an example deny-access policy. -The following procedure describes how to create a deny-access policy for just-in-time node acces. You can have one deny-access policy for your AWS Organizations organization. For more information about how to construct policy statements, see [Statement structure and built-in operators for auto-approval and deny-access policies](./auto-approval-deny-access-policy-statement-structure.html). +The following procedure describes how to create a deny-access policy for just-in-time node access. For more information about how to construct policy statements, see [Statement structure and built-in operators for auto-approval and deny-access policies](./auto-approval-deny-access-policy-statement-structure.html). + +###### Note + +You can create deny-access policies while logged into the AWS Management account or the delegated administrator account. Your AWS Organizations organization can have only one deny-access policy.