AWS systems-manager-automation-runbooks high security documentation change
Summary
Updated IAM policy with resource ARN restrictions and added ArnLike condition
Security assessment
Narrowed IAM resource wildcards to specific ARN patterns and added conditions to prevent privilege escalation via unauthorized automation definitions.
Diff
diff --git a/systems-manager-automation-runbooks/latest/userguide/automation-aws-postgresqlworkloadreview.md b/systems-manager-automation-runbooks/latest/userguide/automation-aws-postgresqlworkloadreview.md index e3e47504c..978708a45 100644 --- a//systems-manager-automation-runbooks/latest/userguide/automation-aws-postgresqlworkloadreview.md +++ b//systems-manager-automation-runbooks/latest/userguide/automation-aws-postgresqlworkloadreview.md @@ -169,0 +170,3 @@ If you set the `UpdateRdsRouteTable` parameter to `yes`, the runbook updates the + }, + "ArnLike": { + "iam:AssociatedResourceARN": "arn:aws:ssm:*:*:automation-definition/AWS-*" @@ -173 +176 @@ If you set the `UpdateRdsRouteTable` parameter to `yes`, the runbook updates the - "Resource": "*", + "Resource": "arn:aws:iam::account id:role/SSM-*",