AWS systems-manager high security documentation change
Summary
Updated IAM policy resource ARNs from wildcard (*) to specific role ARNs for PassRole permissions
Security assessment
Restricting IAM permissions to specific resources follows the principle of least privilege, reducing potential over-permission risks. This change explicitly limits which roles can be passed, addressing a security best practice.
Diff
diff --git a/systems-manager/latest/userguide/systems-manager-inventory-query.md b/systems-manager/latest/userguide/systems-manager-inventory-query.md index fcc735804..e70b9959d 100644 --- a//systems-manager/latest/userguide/systems-manager-inventory-query.md +++ b//systems-manager/latest/userguide/systems-manager-inventory-query.md @@ -66 +66,4 @@ The following `PassRole` and additional required permissions block - "Resource": "*", + "Resource": [ + "arn:aws:iam::123456789012:role/SSMInventoryGlueRole", + "arn:aws:iam::123456789012:role/SSMInventoryServiceRole" + ],