AWS Security ChangesHomeSearch

AWS systems-manager medium security documentation change

Service: systems-manager · 2025-07-01 · Security-related medium

File: systems-manager/latest/userguide/monitoring-sns-notifications.md

Summary

Corrected IAM policy condition from 'sns.amazonaws.com' to 'ssm.amazonaws.com' in SNS notification permissions example

Security assessment

The correction fixes a potentially insecure IAM policy that could allow unintended service delegation. Using the wrong service principal (sns.amazonaws.com instead of ssm.amazonaws.com) might have led to privilege escalation risks if exploited.

Diff

diff --git a/systems-manager/latest/userguide/monitoring-sns-notifications.md b/systems-manager/latest/userguide/monitoring-sns-notifications.md
index ec6f0f451..f0e27dcdb 100644
--- a//systems-manager/latest/userguide/monitoring-sns-notifications.md
+++ b//systems-manager/latest/userguide/monitoring-sns-notifications.md
@@ -264 +264 @@ For entities without administrator permissions, an administrator must grant the
-                        "iam:PassedToService": "sns.amazonaws.com"
+                        "iam:PassedToService": "ssm.amazonaws.com"