AWS systems-manager medium security documentation change
Summary
Added 'ssmmessages:OpenDataChannel' permissions to multiple quickstart policies
Security assessment
Corrects IAM policy examples by adding essential security permission for session data channels, preventing potential session connectivity issues
Diff
diff --git a/systems-manager/latest/userguide/getting-started-restrict-access-quickstart.md b/systems-manager/latest/userguide/getting-started-restrict-access-quickstart.md index 3a8f1eb70..93d815e6b 100644 --- a//systems-manager/latest/userguide/getting-started-restrict-access-quickstart.md +++ b//systems-manager/latest/userguide/getting-started-restrict-access-quickstart.md @@ -53,0 +54,5 @@ Use this sample policy to give users the ability to start and resume sessions fr + }, + { + "Effect": "Allow", + "Action": ["ssmmessages:OpenDataChannel"], + "Resource": ["arn:aws:ssm:*:*:session/${aws:userid}-*"] @@ -103,0 +109,5 @@ Use this sample policy to give users the ability to start and resume sessions fr + }, + { + "Effect": "Allow", + "Action": ["ssmmessages:OpenDataChannel"], + "Resource": ["arn:aws:ssm:*:*:session/${aws:userid}-*"] @@ -144,0 +155,5 @@ Use this sample policy to give users the ability to start and resume sessions fr + }, + { + "Effect": "Allow", + "Action": ["ssmmessages:OpenDataChannel"], + "Resource": ["arn:aws:ssm:*:*:session/${aws:userid}-*"] @@ -218,0 +234,5 @@ Use this sample policy to give administrators the ability to perform session-rel + }, + { + "Effect": "Allow", + "Action": ["ssmmessages:OpenDataChannel"], + "Resource": ["arn:aws:ssm:*:*:session/${aws:userid}-*"] @@ -238,0 +259,5 @@ Use this sample policy to give administrators the ability to perform session-rel + }, + { + "Effect": "Allow", + "Action": ["ssmmessages:OpenDataChannel"], + "Resource": ["arn:aws:ssm:*:*:session/${aws:userid}-*"] @@ -286,0 +312,5 @@ Use this sample policy to give administrators the ability to perform session-rel + }, + { + "Effect": "Allow", + "Action": ["ssmmessages:OpenDataChannel"], + "Resource": ["arn:aws:ssm:*:*:session/${aws:userid}-*"] @@ -333,0 +364,5 @@ Use this sample policy to give administrators the ability to perform session-rel + }, + { + "Effect": "Allow", + "Action": ["ssmmessages:OpenDataChannel"], + "Resource": ["arn:aws:ssm:*:*:session/${aws:userid}-*"]