AWS systems-manager documentation change
Summary
Updated policy examples with improved structure, added 'Read and describe individual parameters' section, modified action/resource references, and standardized example formatting
Security assessment
Changes add new IAM policy examples and improve existing ones, which helps users implement least-privilege access. However, there's no evidence of addressing a specific security vulnerability. The resource ARN changes from specific instances to generic patterns demonstrate security best practices but don't indicate a resolved vulnerability.
Diff
diff --git a/systems-manager/latest/userguide/security_iam_id-based-policy-examples.md b/systems-manager/latest/userguide/security_iam_id-based-policy-examples.md index 500f6eb9a..f4154c8bd 100644 --- a//systems-manager/latest/userguide/security_iam_id-based-policy-examples.md +++ b//systems-manager/latest/userguide/security_iam_id-based-policy-examples.md @@ -5 +5 @@ -Policy best practicesUsing the consoleAllow users to view their own permissionsCustomer managed policy examplesViewing Systems Manager documents based on tags +Policy best practicesUsing the consoleExample: Permission to allow users to view their own permissionsExample: Permission to read and describe individual parametersCustomer managed policy examplesViewing Systems Manager documents based on tags @@ -12,0 +13,6 @@ The following is an example of a permissions policy that allows a user to delete +JSON + + +**** + + @@ -35 +42,3 @@ To learn how to create an IAM identity-based policy using these example JSON Pol - * Using the Systems Manager console + * Example: Permission to using the Systems Manager console + + * Example: Permission to allow users to view their own permissions @@ -37 +46 @@ To learn how to create an IAM identity-based policy using these example JSON Pol - * Allow users to view their own permissions + * Example: Permission to read and describe individual parameters @@ -67 +76 @@ For more information about best practices in IAM, see [Security best practices i -## Using the Systems Manager console +## Example: Permission to using the Systems Manager console @@ -77 +86 @@ To ensure that users and roles can still use the Systems Manager console, also a -## Allow users to view their own permissions +## Example: Permission to allow users to view their own permissions @@ -114,0 +124,21 @@ This example shows how you might create a policy that allows IAM users to view t +## Example: Permission to read and describe individual parameters + +###### Example Read and describe one parameter + +You can grant access to a parameter by attaching the following policy to an identity. + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "ssm:GetParameter", + "ssm:DescribeParameters" + ], + "Resource": "parameter-ARN" + } + ] + } + @@ -119 +149 @@ You can create standalone policies that you administer in your own AWS account. -The following examples of user policies grant permissions for various Systems Manager actions. Use them to limit the Systems Manager access for your IAM entities (users and roles). These policies work when performing actions in the Systems Manager API, AWS SDKs, or the AWS CLI. For users who use the console, you need to grant additional permissions specific to the console. For more information, see Using the Systems Manager console. +The following examples of user policies grant permissions for various Systems Manager actions. Use them to limit the Systems Manager access for your IAM entities (users and roles). These policies work when performing actions in the Systems Manager API, AWS SDKs, or the AWS CLI. For users who use the console, you need to grant additional permissions specific to the console. For more information, see Example: Permission to using the Systems Manager console. @@ -137,0 +168,6 @@ The following example grants permissions to perform Systems Manager operations o +JSON + + +**** + + @@ -157,0 +195,6 @@ The following example grants permissions to list all document names that begin w +JSON + + +**** + + @@ -205,0 +250,6 @@ If you want to give a user permission to use this document to send commands on a +JSON + + +**** + + @@ -227,3 +277,3 @@ If you want to give a user permission to use this document to send commands on a - "arn:aws:ec2:us-east-2:aws-account-ID:instance/i-02573cafcfEXAMPLE", - "arn:aws:ec2:us-east-2:aws-account-ID:instance/i-0471e04240EXAMPLE", - "arn:aws:ec2:us-east-2:aws-account-ID:instance/i-07782c72faEXAMPLE", + "arn:aws:ec2:us-east-2:aws-account-ID:instance/", + "arn:aws:ec2:us-east-2:aws-account-ID:instance/", + "arn:aws:ec2:us-east-2:aws-account-ID:instance/", @@ -279,0 +331,6 @@ You can use conditions in your identity-based policy to control access to System +JSON + + +**** + + @@ -287 +344 @@ You can use conditions in your identity-based policy to control access to System - "Action": "ssm:ListDocuments", + "Action": ":ListDocuments", @@ -293,2 +350,2 @@ You can use conditions in your identity-based policy to control access to System - "Action": "ssm:GetDocument", - "Resource": "arn:aws:ssm:*:*:document/*", + "Action": ":GetDocument", + "Resource": "arn:aws::*:*:document/*", @@ -296 +353 @@ You can use conditions in your identity-based policy to control access to System - "StringEquals": {"ssm:ResourceTag/Owner": "${aws:username}"} + "StringEquals": {":ResourceTag/Owner": "${aws:username}"}