AWS Security ChangesHomeSearch

AWS systems-manager documentation change

Service: systems-manager · 2025-07-16 · Documentation low

File: systems-manager/latest/userguide/sysman-paramstore-access.md

Summary

Added JSON formatting blocks and modified parameter ARNs by removing account IDs in resource examples

Security assessment

Changes involve formatting improvements (adding JSON sections) and updating ARN examples to remove account IDs. While ARN format corrections prevent potential misconfigurations, there's no explicit evidence of addressing a security vulnerability.

Diff

diff --git a/systems-manager/latest/userguide/sysman-paramstore-access.md b/systems-manager/latest/userguide/sysman-paramstore-access.md
index 81d2ef62f..a9ac85baf 100644
--- a//systems-manager/latest/userguide/sysman-paramstore-access.md
+++ b//systems-manager/latest/userguide/sysman-paramstore-access.md
@@ -31,0 +32,6 @@ When using IAM policies to restrict access to Systems Manager parameters, we rec
+JSON
+    
+
+****
+    
+    
@@ -59,0 +67,6 @@ For trusted administrators, you can provide access to all Systems Manager parame
+JSON
+    
+
+****
+    
+    
@@ -75 +88 @@ For trusted administrators, you can provide access to all Systems Manager parame
-                "Resource": "arn:aws:ssm:us-east-2:123456789012:parameter/dbserver-prod-*"
+                "Resource": "arn:aws:ssm:us-east-2::parameter/dbserver-prod-*"
@@ -94,0 +109,6 @@ If you want all API operations retrieving parameter values to have the same beha
+JSON
+    
+
+****
+    
+    
@@ -110,0 +132,6 @@ The following example shows how to deny some commands while allowing the user to
+JSON
+    
+
+****
+    
+    
@@ -133 +160 @@ The following example shows how to deny some commands while allowing the user to
-                "Resource": "arn:aws:ssm:us-east-2:123456789012:parameter/prod-*"
+                "Resource": "arn:aws:ssm:us-east-2::parameter/prod-*"
@@ -158,0 +187,6 @@ Instance policies, like in the following example, are assigned to the instance r
+JSON
+    
+
+****
+    
+    
@@ -169 +203 @@ Instance policies, like in the following example, are assigned to the instance r
-                    "arn:aws:ssm:us-east-2:123456789012:parameter/prod-*"
+                    "arn:aws:ssm:us-east-2::parameter/prod-*"
@@ -178 +212 @@ Instance policies, like in the following example, are assigned to the instance r
-                    "arn:aws:kms:us-east-2:123456789012:key/4914ec06-e888-4ea5-a371-5b88eEXAMPLE"
+                    "arn:aws:kms:us-east-2::key/4914ec06-e888-4ea5-a371-5b88eEXAMPLE"
@@ -189,0 +225,6 @@ When using a customer managed key, the IAM policy that grants a user access to a
+JSON
+    
+
+****
+    
+    
@@ -210 +251 @@ When using a customer managed key, the IAM policy that grants a user access to a
-                    "kms:GenerateDataKey"  ![Footnote callout 1 to explain a line in a JSON policy](/images/systems-manager/latest/userguide/images/callout01.png)
+                    "kms:GenerateDataKey"  
@@ -226,0 +269,6 @@ You can locate the Amazon Resource Name (ARN) of the default key in the AWS KMS
+JSON
+    
+
+****
+    
+