AWS systems-manager medium security documentation change
Summary
Added IAM policy statements allowing 'ssmmessages:OpenDataChannel' action with session resource ARN scoped to user-specific sessions
Security assessment
The addition of explicit permissions for 'ssmmessages:OpenDataChannel' ensures proper authorization for SSH session data channels. This addresses potential security gaps where missing permissions could prevent secure session establishment or lead to misconfigured access controls.
Diff
diff --git a/systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.md b/systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.md index 35bc1b95e..2b6102a36 100644 --- a//systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.md +++ b//systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.md @@ -121,0 +122,5 @@ For example, add the following element to the Quickstart policy you created in [ + }, + { + "Effect": "Allow", + "Action": ["ssmmessages:OpenDataChannel"], + "Resource": ["arn:aws:ssm:*:*:session/${aws:userid}-*"] @@ -145 +149,0 @@ For example, add the following element to the Quickstart policy you created in [ - "Sid": "VisualEditor1", @@ -150,0 +155,5 @@ For example, add the following element to the Quickstart policy you created in [ + }, + { + "Effect": "Allow", + "Action": ["ssmmessages:OpenDataChannel"], + "Resource": ["arn:aws:ssm:*:*:session/${aws:userid}-*"]