AWS ssm-sap documentation change
Summary
Updated AWSSSMForSAPServiceLinkedRolePolicy to remove TagKeys/ArnLike conditions and add EC2 Describe permissions for workload discovery functionality.
Security assessment
The change documents updates to IAM policies (security controls) but does not indicate remediation of a security issue. The added permissions support new functionality rather than patching a vulnerability.
Diff
diff --git a/ssm-sap/latest/userguide/iam-policies.md b/ssm-sap/latest/userguide/iam-policies.md index 9c9942aa9..65524bcd2 100644 --- a//ssm-sap/latest/userguide/iam-policies.md +++ b//ssm-sap/latest/userguide/iam-policies.md @@ -114,0 +115,10 @@ Change | Description | Date +[AWSSSMForSAPServiceLinkedRolePolicy](https://docs.aws.amazon.com/ssm-sap/latest/userguide/slr.html#slr-permissions) – Updated policy | Removed `TagKeys` and `ArnLike` condition for `awsApplication` tag. | May 23, 2025 +[AWSSSMForSAPServiceLinkedRolePolicy](https://docs.aws.amazon.com/ssm-sap/latest/userguide/slr.html#slr-permissions) – Updated policy | The following permissions have been added to `DescribeInstanceActions` within this policy: + + * `ec2:DescribeRouteTables` + * `ec2:DescribeInstanceTypes` + * `ec2:DescribeVolumes` + * `ec2:DescribeInstanceAttribute` + * `ec2:DescribeSnapshots` + +These permissions are required to support new functionality that allows users to run discovery on workloads. | December 20, 2024