AWS systems-manager medium security documentation change
Summary
Added multiple IAM policy statements allowing 'ssmmessages:OpenDataChannel' action with user-scoped session resources
Security assessment
Repeated additions of 'ssmmessages:OpenDataChannel' permissions in command restriction contexts suggest this action is required for secure command execution. The changes enforce least-privilege access for session data channels, addressing potential authorization flaws in command execution workflows.
Diff
diff --git a/systems-manager/latest/userguide/session-manager-restrict-command-access.md b/systems-manager/latest/userguide/session-manager-restrict-command-access.md index d309e04e3..6c3d49647 100644 --- a//systems-manager/latest/userguide/session-manager-restrict-command-access.md +++ b//systems-manager/latest/userguide/session-manager-restrict-command-access.md @@ -317,0 +318,5 @@ You can create IAM policies that allow users to access only the `Session` docume + }, + { + "Effect": "Allow", + "Action": ["ssmmessages:OpenDataChannel"], + "Resource": ["arn:aws:ssm:*:*:session/${aws:userid}-*"] @@ -335,0 +341,5 @@ You can create IAM policies that allow users to access only the `Session` docume + }, + { + "Effect": "Allow", + "Action": ["ssmmessages:OpenDataChannel"], + "Resource": ["arn:aws:ssm:*:*:session/${aws:userid}-*"] @@ -354,0 +365,5 @@ You can create IAM policies that allow users to access only the `Session` docume + }, + { + "Effect": "Allow", + "Action": ["ssmmessages:OpenDataChannel"], + "Resource": ["arn:aws:ssm:*:*:session/${aws:userid}-*"]