AWS Security ChangesHomeSearch

AWS systems-manager documentation change

Service: systems-manager · 2025-08-16 · Documentation low

File: systems-manager/latest/userguide/getting-started-restrict-access-quickstart.md

Summary

Updated documentation formatting (added note sections), clarified KMS encryption requirements, and replaced placeholder account/region values with concrete examples

Security assessment

The changes emphasize KMS encryption configuration for session data and clarify permissions for secure session management. While this improves security documentation, there's no evidence of addressing a specific vulnerability.

Diff

diff --git a/systems-manager/latest/userguide/getting-started-restrict-access-quickstart.md b/systems-manager/latest/userguide/getting-started-restrict-access-quickstart.md
index 1c59a19fa..aab6f5370 100644
--- a//systems-manager/latest/userguide/getting-started-restrict-access-quickstart.md
+++ b//systems-manager/latest/userguide/getting-started-restrict-access-quickstart.md
@@ -208 +208,3 @@ JSON
-**1** `SSM-SessionManagerRunShell` is the default name of the SSM document that Session Manager creates to store your session configuration preferences. You can create a custom Session document and specify it in this policy instead. You can also specify the AWS-provided document `AWS-StartSSHSession` for users who are starting sessions using SSH. For information about configuration steps needed to support sessions using SSH, see [(Optional) Allow and control permissions for SSH connections through Session Manager](./session-manager-getting-started-enable-ssh-connections.html).
+###### Note
+
+`SSM-SessionManagerRunShell` is the default name of the SSM document that Session Manager creates to store your session configuration preferences. You can create a custom Session document and specify it in this policy instead. You can also specify the AWS-provided document `AWS-StartSSHSession` for users who are starting sessions using SSH. For information about configuration steps needed to support sessions using SSH, see [(Optional) Allow and control permissions for SSH connections through Session Manager](./session-manager-getting-started-enable-ssh-connections.html).
@@ -210 +212 @@ JSON
-**2** The `kms:GenerateDataKey` permission enables the creation of a data encryption key that will be used to encrypt session data. If you will use AWS Key Management Service (AWS KMS) encryption for your session data, replace `key-name` with the Amazon Resource Name (ARN) of the KMS key you want to use, in the format `arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-12345EXAMPLE`. If you won't use KMS key encryption for your session data, remove the following content from the policy.
+The `kms:GenerateDataKey` permission enables the creation of a data encryption key that will be used to encrypt session data. If you will use AWS Key Management Service (AWS KMS) encryption for your session data, replace `key-name` with the Amazon Resource Name (ARN) of the KMS key you want to use, in the format `arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-12345EXAMPLE`. If you won't use KMS key encryption for your session data, remove the following content from the policy.
@@ -223 +225 @@ For information about using AWS KMS for encrypting session data, see [Turn on KM
-**3** The permission for [SendCommand](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_SendCommand.html) is needed for cases where a user attempts to start a session from the Amazon EC2 console, but the SSM Agent must be updated to the minimum required version for Session Manager first. Run Command is used to send a command to the instance to update the agent.
+The permission for [SendCommand](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_SendCommand.html) is needed for cases where a user attempts to start a session from the Amazon EC2 console, but the SSM Agent must be updated to the minimum required version for Session Manager first. Run Command is used to send a command to the instance to update the agent.
@@ -346 +348 @@ JSON
-                    "arn:aws:ec2:region:account-id:instance/*"
+                    "arn:aws:ec2:us-east-1:111122223333:instance/*"
@@ -362 +364 @@ JSON
-                    "arn:aws:ssm:region:account-id:document/SSM-SessionManagerRunShell"
+                    "arn:aws:ssm:us-east-1:111122223333:document/SSM-SessionManagerRunShell"
@@ -466 +468,3 @@ JSON
-**1** The permission for [SendCommand](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_SendCommand.html) is needed for cases where a user attempts to start a session from the Amazon EC2 console, but a command must be sent to update SSM Agent first.
+###### Note
+
+The permission for [SendCommand](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_SendCommand.html) is needed for cases where a user attempts to start a session from the Amazon EC2 console, but a command must be sent to update SSM Agent first.