AWS Security ChangesHomeSearch

AWS incident-manager medium security documentation change

Service: incident-manager · 2025-06-13 · Security-related medium

File: incident-manager/latest/userguide/doc-history.md

Summary

Updated IAM permission requirements for manual incident creation to use forward access sessions

Security assessment

Changes to IAM permission models using forward access sessions (FAS) help prevent privilege escalation by limiting temporary permissions, addressing authorization security controls.

Diff

diff --git a/incident-manager/latest/userguide/doc-history.md b/incident-manager/latest/userguide/doc-history.md
index c594a3e41..0d45d249c 100644
--- a//incident-manager/latest/userguide/doc-history.md
+++ b//incident-manager/latest/userguide/doc-history.md
@@ -8,0 +9 @@ Change| Description| Date
+Change to permission requirements for creating incidents manually| The IAM permissions required for a user to create an incident manually have changed and no longer use a service-linked role. Instead, Incident Manager now uses [forward access sessions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_forward_access_sessions.html) (FAS) to call `ssm-contacts:StartEngagement` as part of `ssm-incidents:StartIncident`. For more information, see [Required IAM permissions for manually starting incidents](https://docs.aws.amazon.com/incident-manager/latest/userguide/incident-creation.html#incident-tracking-manual-permissions).| June 10, 2025