AWS Security ChangesHomeSearch

AWS systems-manager medium security documentation change

Service: systems-manager · 2025-05-22 · Security-related medium

File: systems-manager/latest/userguide/getting-started-restrict-access-examples.md

Summary

Added 'ssmmessages:OpenDataChannel' permissions to multiple IAM policy examples

Security assessment

Ensures session policies include required data channel permissions for secure communication. Previous examples were missing this critical security-related action

Diff

diff --git a/systems-manager/latest/userguide/getting-started-restrict-access-examples.md b/systems-manager/latest/userguide/getting-started-restrict-access-examples.md
index 982f21af9..5ad5f07e8 100644
--- a//systems-manager/latest/userguide/getting-started-restrict-access-examples.md
+++ b//systems-manager/latest/userguide/getting-started-restrict-access-examples.md
@@ -76,0 +77,5 @@ For federated users, see Example 4: Allow a user to end only sessions they start
+            },
+            {
+             "Effect": "Allow",
+             "Action": ["ssmmessages:OpenDataChannel"],
+             "Resource": ["arn:aws:ssm:*:*:session/${aws:userid}-*"]
@@ -86,0 +92,5 @@ For federated users, see Example 4: Allow a user to end only sessions they start
+            },
+            {
+             "Effect": "Allow",
+             "Action": ["ssmmessages:OpenDataChannel"],
+             "Resource": ["arn:aws:ssm:*:*:session/${aws:userid}-*"]
@@ -113,0 +124,5 @@ You can restrict access to managed nodes based on specific tags. In the followin
+            },
+            {
+             "Effect": "Allow",
+             "Action": ["ssmmessages:OpenDataChannel"],
+             "Resource": ["arn:aws:ssm:*:*:session/${aws:userid}-*"]
@@ -159,0 +175,5 @@ You can create IAM policies that allow a user to start sessions to managed nodes
+          {
+             "Effect": "Allow",
+             "Action": ["ssmmessages:OpenDataChannel"],
+             "Resource": ["arn:aws:ssm:*:*:session/${aws:userid}-*"]
+           },
@@ -367,0 +388,5 @@ The following IAM policy allows a user to fully interact with all managed nodes
+            },
+            {
+             "Effect": "Allow",
+             "Action": ["ssmmessages:OpenDataChannel"],
+             "Resource": ["arn:aws:ssm:*:*:session/${aws:userid}-*"]