AWS incident-manager medium security documentation change
Summary
Updated IAM permission requirements for manual incident creation to use forward access sessions
Security assessment
Changes to IAM permission models using forward access sessions (FAS) help prevent privilege escalation by limiting temporary permissions, addressing authorization security controls.
Diff
diff --git a/incident-manager/latest/userguide/doc-history.md b/incident-manager/latest/userguide/doc-history.md index c594a3e41..0d45d249c 100644 --- a//incident-manager/latest/userguide/doc-history.md +++ b//incident-manager/latest/userguide/doc-history.md @@ -8,0 +9 @@ Change| Description| Date +Change to permission requirements for creating incidents manually| The IAM permissions required for a user to create an incident manually have changed and no longer use a service-linked role. Instead, Incident Manager now uses [forward access sessions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_forward_access_sessions.html) (FAS) to call `ssm-contacts:StartEngagement` as part of `ssm-incidents:StartIncident`. For more information, see [Required IAM permissions for manually starting incidents](https://docs.aws.amazon.com/incident-manager/latest/userguide/incident-creation.html#incident-tracking-manual-permissions).| June 10, 2025