AWS systems-manager medium security documentation change
Summary
Added 'ssmmessages:OpenDataChannel' permissions to multiple IAM policy examples
Security assessment
Ensures session policies include required data channel permissions for secure communication. Previous examples were missing this critical security-related action
Diff
diff --git a/systems-manager/latest/userguide/getting-started-restrict-access-examples.md b/systems-manager/latest/userguide/getting-started-restrict-access-examples.md index 982f21af9..5ad5f07e8 100644 --- a//systems-manager/latest/userguide/getting-started-restrict-access-examples.md +++ b//systems-manager/latest/userguide/getting-started-restrict-access-examples.md @@ -76,0 +77,5 @@ For federated users, see Example 4: Allow a user to end only sessions they start + }, + { + "Effect": "Allow", + "Action": ["ssmmessages:OpenDataChannel"], + "Resource": ["arn:aws:ssm:*:*:session/${aws:userid}-*"] @@ -86,0 +92,5 @@ For federated users, see Example 4: Allow a user to end only sessions they start + }, + { + "Effect": "Allow", + "Action": ["ssmmessages:OpenDataChannel"], + "Resource": ["arn:aws:ssm:*:*:session/${aws:userid}-*"] @@ -113,0 +124,5 @@ You can restrict access to managed nodes based on specific tags. In the followin + }, + { + "Effect": "Allow", + "Action": ["ssmmessages:OpenDataChannel"], + "Resource": ["arn:aws:ssm:*:*:session/${aws:userid}-*"] @@ -159,0 +175,5 @@ You can create IAM policies that allow a user to start sessions to managed nodes + { + "Effect": "Allow", + "Action": ["ssmmessages:OpenDataChannel"], + "Resource": ["arn:aws:ssm:*:*:session/${aws:userid}-*"] + }, @@ -367,0 +388,5 @@ The following IAM policy allows a user to fully interact with all managed nodes + }, + { + "Effect": "Allow", + "Action": ["ssmmessages:OpenDataChannel"], + "Resource": ["arn:aws:ssm:*:*:session/${aws:userid}-*"]