AWS systems-manager high security documentation change
Summary
Added mandatory tagging requirement for KMS keys used in RDP recording
Security assessment
Enforcing KMS key tagging ensures proper access control and auditability for encryption keys used in sensitive RDP recordings. This prevents misconfiguration that could lead to unauthorized data access.
Diff
diff --git a/systems-manager/latest/userguide/systems-manager-just-in-time-node-access-rdp-recording.md b/systems-manager/latest/userguide/systems-manager-just-in-time-node-access-rdp-recording.md index 5385114c5..49e37265a 100644 --- a//systems-manager/latest/userguide/systems-manager-just-in-time-node-access-rdp-recording.md +++ b//systems-manager/latest/userguide/systems-manager-just-in-time-node-access-rdp-recording.md @@ -19 +19,7 @@ If you use a KMS key as the default encryption mechanism for the S3 bucket (SSE- -Following is an example of the policy which can be used to allow the `ssm-guiconnect` service access to the KMS key for S3 storage. For information about updating a customer managed key, see [Change a key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying.html) in the _AWS Key Management Service Developer Guide_. +Following is an example of a customer managed key policy which can be used to allow the `ssm-guiconnect` service access to the KMS key for S3 storage. For information about updating a customer managed key, see [Change a key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying.html) in the _AWS Key Management Service Developer Guide_. + +###### Important + +You must tag the AWS KMS keys used for Session Manager encryption and RDP recording in just-in-time node access with the tag key `SystemsManagerJustInTimeNodeAccessManaged` and tag value `true`. + +For information about tagging KMS keys, see [Tags in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html) in the _AWS Key Management Service Developer Guide_.