AWS Security ChangesHomeSearch

AWS systems-manager-automation-runbooks high security documentation change

Service: systems-manager-automation-runbooks · 2025-06-19 · Security-related high

File: systems-manager-automation-runbooks/latest/userguide/automation-aws-postgresqlworkloadreview.md

Summary

Updated IAM policy with resource ARN restrictions and added ArnLike condition

Security assessment

Narrowed IAM resource wildcards to specific ARN patterns and added conditions to prevent privilege escalation via unauthorized automation definitions.

Diff

diff --git a/systems-manager-automation-runbooks/latest/userguide/automation-aws-postgresqlworkloadreview.md b/systems-manager-automation-runbooks/latest/userguide/automation-aws-postgresqlworkloadreview.md
index e3e47504c..978708a45 100644
--- a//systems-manager-automation-runbooks/latest/userguide/automation-aws-postgresqlworkloadreview.md
+++ b//systems-manager-automation-runbooks/latest/userguide/automation-aws-postgresqlworkloadreview.md
@@ -169,0 +170,3 @@ If you set the `UpdateRdsRouteTable` parameter to `yes`, the runbook updates the
+                    },
+                    "ArnLike": {
+                        "iam:AssociatedResourceARN": "arn:aws:ssm:*:*:automation-definition/AWS-*"
@@ -173 +176 @@ If you set the `UpdateRdsRouteTable` parameter to `yes`, the runbook updates the
-                "Resource": "*",
+                "Resource": "arn:aws:iam::account id:role/SSM-*",