AWS Security ChangesHomeSearch

AWS systems-manager documentation change

Service: systems-manager · 2025-08-16 · Documentation low

File: systems-manager/latest/userguide/setup-instance-permissions.md

Summary

Converted numbered footnotes into explanatory notes and clarified IAM policy requirements for S3 encryption and cross-account access

Security assessment

The changes improve documentation about security-sensitive IAM policy configurations (encryption requirements, cross-account access controls) but do not indicate a specific security vulnerability being patched. Enhances guidance for secure S3 bucket usage with Systems Manager.

Diff

diff --git a/systems-manager/latest/userguide/setup-instance-permissions.md b/systems-manager/latest/userguide/setup-instance-permissions.md
index 1feefed7b..62faa4988 100644
--- a//systems-manager/latest/userguide/setup-instance-permissions.md
+++ b//systems-manager/latest/userguide/setup-instance-permissions.md
@@ -245 +245,3 @@ JSON
-**1** The first `Statement` element is required only if you're using a VPC endpoint.
+###### Note
+
+The first `Statement` element is required only if you're using a VPC endpoint.
@@ -247 +249 @@ JSON
-**2** The second `Statement` element is required only if you're using an S3 bucket that you created to use in your Systems Manager operations.
+The second `Statement` element is required only if you're using an S3 bucket that you created to use in your Systems Manager operations.
@@ -249 +251 @@ JSON
-**3** The `PutObjectAcl` access control list permission is required only if you plan to support cross-account access to S3 buckets in other accounts.
+The `PutObjectAcl` access control list permission is required only if you plan to support cross-account access to S3 buckets in other accounts.
@@ -251 +253 @@ JSON
-**4** The `GetEncryptionConfiguration` element is required if your S3 bucket is configured to use encryption.
+The `GetEncryptionConfiguration` element is required if your S3 bucket is configured to use encryption.
@@ -253 +255 @@ JSON
-**5** If your S3 bucket is configured to use encryption, then the S3 bucket root (for example, `arn:aws:s3:::amzn-s3-demo-bucket`) must be listed in the **Resource** section. Your user, group, or role must be configured with access to the root bucket.
+If your S3 bucket is configured to use encryption, then the S3 bucket root (for example, `arn:aws:s3:::amzn-s3-demo-bucket`) must be listed in the **Resource** section. Your user, group, or role must be configured with access to the root bucket.