AWS Security ChangesHomeSearch

AWS ssm-sap documentation change

Service: ssm-sap · 2025-05-31 · Documentation medium

File: ssm-sap/latest/userguide/iam-policies.md

Summary

Updated AWSSSMForSAPServiceLinkedRolePolicy to remove TagKeys/ArnLike conditions and add EC2 Describe permissions for workload discovery functionality.

Security assessment

The change documents updates to IAM policies (security controls) but does not indicate remediation of a security issue. The added permissions support new functionality rather than patching a vulnerability.

Diff

diff --git a/ssm-sap/latest/userguide/iam-policies.md b/ssm-sap/latest/userguide/iam-policies.md
index 9c9942aa9..65524bcd2 100644
--- a//ssm-sap/latest/userguide/iam-policies.md
+++ b//ssm-sap/latest/userguide/iam-policies.md
@@ -114,0 +115,10 @@ Change | Description | Date
+[AWSSSMForSAPServiceLinkedRolePolicy](https://docs.aws.amazon.com/ssm-sap/latest/userguide/slr.html#slr-permissions) – Updated policy |  Removed `TagKeys` and `ArnLike` condition for `awsApplication` tag. | May 23, 2025  
+[AWSSSMForSAPServiceLinkedRolePolicy](https://docs.aws.amazon.com/ssm-sap/latest/userguide/slr.html#slr-permissions) – Updated policy |  The following permissions have been added to `DescribeInstanceActions` within this policy:
+
+  * `ec2:DescribeRouteTables`
+  * `ec2:DescribeInstanceTypes`
+  * `ec2:DescribeVolumes`
+  * `ec2:DescribeInstanceAttribute`
+  * `ec2:DescribeSnapshots`
+
+These permissions are required to support new functionality that allows users to run discovery on workloads. | December 20, 2024