AWS Security ChangesHomeSearch

AWS systems-manager medium security documentation change

Service: systems-manager · 2025-05-22 · Security-related medium

File: systems-manager/latest/userguide/session-manager-restrict-command-access.md

Summary

Added multiple IAM policy statements allowing 'ssmmessages:OpenDataChannel' action with user-scoped session resources

Security assessment

Repeated additions of 'ssmmessages:OpenDataChannel' permissions in command restriction contexts suggest this action is required for secure command execution. The changes enforce least-privilege access for session data channels, addressing potential authorization flaws in command execution workflows.

Diff

diff --git a/systems-manager/latest/userguide/session-manager-restrict-command-access.md b/systems-manager/latest/userguide/session-manager-restrict-command-access.md
index d309e04e3..6c3d49647 100644
--- a//systems-manager/latest/userguide/session-manager-restrict-command-access.md
+++ b//systems-manager/latest/userguide/session-manager-restrict-command-access.md
@@ -317,0 +318,5 @@ You can create IAM policies that allow users to access only the `Session` docume
+    },
+    {
+             "Effect": "Allow",
+             "Action": ["ssmmessages:OpenDataChannel"],
+             "Resource": ["arn:aws:ssm:*:*:session/${aws:userid}-*"]
@@ -335,0 +341,5 @@ You can create IAM policies that allow users to access only the `Session` docume
+    },
+    {
+             "Effect": "Allow",
+             "Action": ["ssmmessages:OpenDataChannel"],
+             "Resource": ["arn:aws:ssm:*:*:session/${aws:userid}-*"]
@@ -354,0 +365,5 @@ You can create IAM policies that allow users to access only the `Session` docume
+    },
+    {
+             "Effect": "Allow",
+             "Action": ["ssmmessages:OpenDataChannel"],
+             "Resource": ["arn:aws:ssm:*:*:session/${aws:userid}-*"]