AWS Security ChangesHomeSearch

AWS systems-manager high security documentation change

Service: systems-manager · 2025-06-25 · Security-related high

File: systems-manager/latest/userguide/systems-manager-just-in-time-node-access-rdp-recording.md

Summary

Updated KMS key policy requirements with account/region placeholders and source validation guidance

Security assessment

Introduces explicit security controls for KMS key policies used in session recording storage, requiring account/region validation to prevent unauthorized access. Adds guidance about using organizational controls (aws:SourceOrgID)

Diff

diff --git a/systems-manager/latest/userguide/systems-manager-just-in-time-node-access-rdp-recording.md b/systems-manager/latest/userguide/systems-manager-just-in-time-node-access-rdp-recording.md
index 49e37265a..8dd89f62e 100644
--- a//systems-manager/latest/userguide/systems-manager-just-in-time-node-access-rdp-recording.md
+++ b//systems-manager/latest/userguide/systems-manager-just-in-time-node-access-rdp-recording.md
@@ -19,2 +18,0 @@ If you use a KMS key as the default encryption mechanism for the S3 bucket (SSE-
-Following is an example of a customer managed key policy which can be used to allow the `ssm-guiconnect` service access to the KMS key for S3 storage. For information about updating a customer managed key, see [Change a key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying.html) in the _AWS Key Management Service Developer Guide_.
-
@@ -26,0 +25,15 @@ For information about tagging KMS keys, see [Tags in AWS KMS](https://docs.aws.a
+Use the following customer managed key policy to allow the `ssm-guiconnect` service access to the KMS key for S3 storage. For information about updating a customer managed key, see [Change a key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying.html) in the _AWS Key Management Service Developer Guide_.
+
+Replace each `example resource placeholder` with your own information:
+
+  * `account-id` represents the ID of the AWS account that initiates the connection.
+
+  * `region` represents the AWS Region where the S3 bucket is located . (You can use `*` if the bucket will receive recordings from multiple Regions. Example: `s3.*.amazonaws.com`.)
+
+
+
+
+###### Note
+
+You can use `aws:SourceOrgID` in the policy instead of `aws:SourceAccount` if the account belongs to an organization in AWS Organizations.
+    
@@ -40 +53,4 @@ For information about tagging KMS keys, see [Tags in AWS KMS](https://docs.aws.a
-                "kms:ViaService": "s3.us-east-1.amazonaws.com"
+                "aws:SourceAccount": "account-id"
+            },
+            "StringLike": {
+                "kms:ViaService": "s3.region.amazonaws.com"