AWS Security ChangesHomeSearch

AWS systems-manager medium security documentation change

Service: systems-manager · 2025-05-22 · Security-related medium

File: systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.md

Summary

Added IAM policy statements allowing 'ssmmessages:OpenDataChannel' action with session resource ARN scoped to user-specific sessions

Security assessment

The addition of explicit permissions for 'ssmmessages:OpenDataChannel' ensures proper authorization for SSH session data channels. This addresses potential security gaps where missing permissions could prevent secure session establishment or lead to misconfigured access controls.

Diff

diff --git a/systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.md b/systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.md
index 35bc1b95e..2b6102a36 100644
--- a//systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.md
+++ b//systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.md
@@ -121,0 +122,5 @@ For example, add the following element to the Quickstart policy you created in [
+        },
+        {
+                 "Effect": "Allow",
+                 "Action": ["ssmmessages:OpenDataChannel"],
+                 "Resource": ["arn:aws:ssm:*:*:session/${aws:userid}-*"]
@@ -145 +149,0 @@ For example, add the following element to the Quickstart policy you created in [
-                    "Sid": "VisualEditor1",
@@ -150,0 +155,5 @@ For example, add the following element to the Quickstart policy you created in [
+        },
+        {
+                 "Effect": "Allow",
+                 "Action": ["ssmmessages:OpenDataChannel"],
+                 "Resource": ["arn:aws:ssm:*:*:session/${aws:userid}-*"]