AWS Security ChangesHomeSearch

AWS eks medium security documentation change

Service: eks · 2025-06-28 · Security-related medium

File: eks/latest/userguide/security-iam-awsmanpol.md

Summary

Added 'ssmmessages:OpenDataChannel' permission to AWS managed policy AmazonEKSLocalOutpostServiceRolePolicy

Security assessment

The addition of 'ssmmessages' permission enables secure communication channels via AWS Systems Manager Session Manager, which is critical for encrypted instance management. This addresses potential security gaps in control plane instance management by ensuring proper secure shell access mechanisms.

Diff

diff --git a/eks/latest/userguide/security-iam-awsmanpol.md b/eks/latest/userguide/security-iam-awsmanpol.md
index 808d051dc..d41a2c3b8 100644
--- a//eks/latest/userguide/security-iam-awsmanpol.md
+++ b//eks/latest/userguide/security-iam-awsmanpol.md
@@ -438 +438 @@ The `AmazonEKSLocalOutpostServiceRolePolicy` includes the following permissions:
-  * **`ssm` ** – Allows Amazon EC2 Systems Manager connection to the control plane instances, which is used by Amazon EKS to communicate and manage the local cluster in your account.
+  * **`ssm`, `ssmmessages` ** – Allows Amazon EC2 Systems Manager connection to the control plane instances, which is used by Amazon EKS to communicate and manage the local cluster in your account.
@@ -461,0 +462 @@ Change | Description | Date
+Added permission to AWS managed policy: AmazonEKSLocalOutpostServiceRolePolicy |  Added `ssmmessages:OpenDataChannel` permission to `AmazonEKSLocalOutpostServiceRolePolicy`. |  June 26, 2025