AWS Security ChangesHomeSearch

AWS AWSEC2 documentation change

Service: AWSEC2 · 2025-08-16 · Documentation medium

File: AWSEC2/latest/UserGuide/permissions-for-ec2-instance-connect-endpoint.md

Summary

Added modify permissions and JSON code blocks in EC2 Instance Connect Endpoint policies

Security assessment

Expands documentation to include 'modify' permissions and policy examples for Instance Connect Endpoints. While modifying endpoints has security implications, there's no evidence this addresses a specific vulnerability.

Diff

diff --git a/AWSEC2/latest/UserGuide/permissions-for-ec2-instance-connect-endpoint.md b/AWSEC2/latest/UserGuide/permissions-for-ec2-instance-connect-endpoint.md
index 61e6f9522..b742b71ad 100644
--- a//AWSEC2/latest/UserGuide/permissions-for-ec2-instance-connect-endpoint.md
+++ b//AWSEC2/latest/UserGuide/permissions-for-ec2-instance-connect-endpoint.md
@@ -17 +17 @@ The following example policies show how you can control the permissions that use
-  * Permissions to create, describe, and delete EC2 Instance Connect Endpoints
+  * Permissions to create, describe, modify, and delete EC2 Instance Connect Endpoints
@@ -26 +26 @@ The following example policies show how you can control the permissions that use
-## Permissions to create, describe, and delete EC2 Instance Connect Endpoints
+## Permissions to create, describe, modify, and delete EC2 Instance Connect Endpoints
@@ -28 +28 @@ The following example policies show how you can control the permissions that use
-To create an EC2 Instance Connect Endpoint, users require permissions for the following actions:
+To create and modify an EC2 Instance Connect Endpoint, users require permissions for the following actions:
@@ -35,0 +36,2 @@ To create an EC2 Instance Connect Endpoint, users require permissions for the fo
+  * `ec2:ModifyInstanceConnectEndpoint`
+
@@ -50 +52 @@ To describe and delete EC2 Instance Connect Endpoints, users require permissions
-You can create a policy that grants permission to create, describe, and delete EC2 Instance Connect Endpoints in all subnets. Alternatively, you can restrict actions for specified subnets only by specifying the subnet ARNs as the allowed `Resource` or by using the `ec2:SubnetID` condition key. You can also use the `aws:ResourceTag` condition key to explicitly allow or deny endpoint creation with certain tags. For more information, see [Policies and permissions in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) in the _IAM User Guide_.
+You can create a policy that grants permission to create, describe, modify, and delete EC2 Instance Connect Endpoints in all subnets. Alternatively, you can restrict actions for specified subnets only by specifying the subnet ARNs as the allowed `Resource` or by using the `ec2:SubnetID` condition key. You can also use the `aws:ResourceTag` condition key to explicitly allow or deny endpoint creation with certain tags. For more information, see [Policies and permissions in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) in the _IAM User Guide_.
@@ -54 +56,7 @@ You can create a policy that grants permission to create, describe, and delete E
-In the following example IAM policy, the `Resource` section grants permission to create and delete endpoints in all subnets, specified by the asterisk (`*`). The `ec2:Describe*` API actions do not support resource-level permissions. Therefore, the `*` wildcard is necessary in the `Resource` element.
+In the following example IAM policy, the `Resource` section grants permission to create, modify, and delete endpoints in all subnets, specified by the asterisk (`*`). The `ec2:Describe*` API actions do not support resource-level permissions. Therefore, the `*` wildcard is necessary in the `Resource` element.
+
+JSON
+    
+
+****
+    
@@ -128,0 +138,8 @@ This example evaluates if the connection to the instance is established on —po
+JSON
+
+JSON
+    
+
+****
+    
+    
@@ -176,0 +195,8 @@ This example evaluates if the connection to the instance is established on port
+JSON
+
+JSON
+    
+
+****
+    
+    
@@ -212,0 +240,6 @@ The following example IAM policy allows an IAM principal to connect to an instan
+JSON
+    
+
+****
+    
+