AWS Security ChangesHomeSearch

AWS systems-manager high security documentation change

Service: systems-manager · 2025-06-19 · Security-related high

File: systems-manager/latest/userguide/systems-manager-just-in-time-node-access-session-preferences.md

Summary

Added KMS key tagging requirement for Session Manager encryption

Security assessment

Mandatory KMS key tagging enhances encryption key management, ensuring keys used for session encryption are properly controlled and monitored. This addresses potential key misuse risks.

Diff

diff --git a/systems-manager/latest/userguide/systems-manager-just-in-time-node-access-session-preferences.md b/systems-manager/latest/userguide/systems-manager-just-in-time-node-access-session-preferences.md
index 3c9940a46..a66892c41 100644
--- a//systems-manager/latest/userguide/systems-manager-just-in-time-node-access-session-preferences.md
+++ b//systems-manager/latest/userguide/systems-manager-just-in-time-node-access-session-preferences.md
@@ -12,0 +13,6 @@ Systems Manager doesn't automatically terminate just-in-time node access session
+###### Important
+
+You must tag the AWS KMS keys used for Session Manager encryption and RDP recording in just-in-time node access with the tag key `SystemsManagerJustInTimeNodeAccessManaged` and tag value `true`.
+
+For information about tagging KMS keys, see [Tags in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html) in the _AWS Key Management Service Developer Guide_.
+