AWS systems-manager documentation change
Summary
Added documentation about AWS Resource Access Manager (RAM) requirements for sharing deny-access policies
Security assessment
The changes clarify operational requirements for secure policy distribution but do not address a specific vulnerability. This enhances security documentation by explaining resource sharing prerequisites for JIT access controls.
Diff
diff --git a/systems-manager/latest/userguide/systems-manager-just-in-time-node-access-create-deny-access-policies.md b/systems-manager/latest/userguide/systems-manager-just-in-time-node-access-create-deny-access-policies.md index b6dcda3bf..5e684cbc0 100644 --- a//systems-manager/latest/userguide/systems-manager-just-in-time-node-access-create-deny-access-policies.md +++ b//systems-manager/latest/userguide/systems-manager-just-in-time-node-access-create-deny-access-policies.md @@ -45 +45,8 @@ The following procedure describes how to create a deny-access policy for just-in -You can create deny-access policies while logged into the AWS Management account or the delegated administrator account. Your AWS Organizations organization can have only one deny-access policy. +Note the following information. + + * You can create deny-access policies while logged into the AWS Management account or the delegated administrator account. Your AWS Organizations organization can have only one deny-access policy. + + * Just-in-time node access uses AWS Resource Access Manager (AWS RAM) to share your deny-access policy with member accounts in your organization. If you would like to share your deny-access policy with the member accounts in your organization, resource sharing must be enabled from the management account of your organization. For more information, see [Enable resource sharing within AWS Organizations](https://docs.aws.amazon.com/ram/latest/userguide/getting-started-sharing.html#getting-started-sharing-orgs) in the _AWS RAM User Guide_. + + +