AWS systems-manager documentation change
Summary
Converted numbered footnotes into explanatory notes and clarified IAM policy requirements for S3 encryption and cross-account access
Security assessment
The changes improve documentation about security-sensitive IAM policy configurations (encryption requirements, cross-account access controls) but do not indicate a specific security vulnerability being patched. Enhances guidance for secure S3 bucket usage with Systems Manager.
Diff
diff --git a/systems-manager/latest/userguide/setup-instance-permissions.md b/systems-manager/latest/userguide/setup-instance-permissions.md index 1feefed7b..62faa4988 100644 --- a//systems-manager/latest/userguide/setup-instance-permissions.md +++ b//systems-manager/latest/userguide/setup-instance-permissions.md @@ -245 +245,3 @@ JSON -**1** The first `Statement` element is required only if you're using a VPC endpoint. +###### Note + +The first `Statement` element is required only if you're using a VPC endpoint. @@ -247 +249 @@ JSON -**2** The second `Statement` element is required only if you're using an S3 bucket that you created to use in your Systems Manager operations. +The second `Statement` element is required only if you're using an S3 bucket that you created to use in your Systems Manager operations. @@ -249 +251 @@ JSON -**3** The `PutObjectAcl` access control list permission is required only if you plan to support cross-account access to S3 buckets in other accounts. +The `PutObjectAcl` access control list permission is required only if you plan to support cross-account access to S3 buckets in other accounts. @@ -251 +253 @@ JSON -**4** The `GetEncryptionConfiguration` element is required if your S3 bucket is configured to use encryption. +The `GetEncryptionConfiguration` element is required if your S3 bucket is configured to use encryption. @@ -253 +255 @@ JSON -**5** If your S3 bucket is configured to use encryption, then the S3 bucket root (for example, `arn:aws:s3:::amzn-s3-demo-bucket`) must be listed in the **Resource** section. Your user, group, or role must be configured with access to the root bucket. +If your S3 bucket is configured to use encryption, then the S3 bucket root (for example, `arn:aws:s3:::amzn-s3-demo-bucket`) must be listed in the **Resource** section. Your user, group, or role must be configured with access to the root bucket.