AWS systems-manager medium security documentation change
Summary
Corrected IAM policy condition from 'sns.amazonaws.com' to 'ssm.amazonaws.com' in SNS notification permissions example
Security assessment
The correction fixes a potentially insecure IAM policy that could allow unintended service delegation. Using the wrong service principal (sns.amazonaws.com instead of ssm.amazonaws.com) might have led to privilege escalation risks if exploited.
Diff
diff --git a/systems-manager/latest/userguide/monitoring-sns-notifications.md b/systems-manager/latest/userguide/monitoring-sns-notifications.md index ec6f0f451..f0e27dcdb 100644 --- a//systems-manager/latest/userguide/monitoring-sns-notifications.md +++ b//systems-manager/latest/userguide/monitoring-sns-notifications.md @@ -264 +264 @@ For entities without administrator permissions, an administrator must grant the - "iam:PassedToService": "sns.amazonaws.com" + "iam:PassedToService": "ssm.amazonaws.com"