AWS systems-manager documentation change
Summary
Clarified requirement to remove StartSession API action permission for JIT access enforcement.
Security assessment
Specifying the exact IAM permission to remove enhances security guidance, ensuring proper JIT access implementation without directly addressing a vulnerability.
Diff
diff --git a/systems-manager/latest/userguide/systems-manager-just-in-time-node-access-setting-up.md b/systems-manager/latest/userguide/systems-manager-just-in-time-node-access-setting-up.md index 717dff31f..3927404db 100644 --- a//systems-manager/latest/userguide/systems-manager-just-in-time-node-access-setting-up.md +++ b//systems-manager/latest/userguide/systems-manager-just-in-time-node-access-setting-up.md @@ -13 +13 @@ Next you'll create _approval policies_ to determine when node connections requir -Setting up just-in-time node access doesn't affect existing IAM policies or preferences you've configured for Session Manager. You must remove permissions to Session Manager actions such as `StartSession` from your IAM policies to ensure that only just-in-time node access is used when users attempt to connect to your nodes. After you set up just-in-time node access, we recommend testing your approval policies with a subset of users and nodes to verify your policies are working as desired before removing permissions to Session Manager. +Setting up just-in-time node access doesn't affect existing IAM policies or preferences you've configured for Session Manager. You must remove permission to the `StartSession` API action from your IAM policies to ensure that only just-in-time node access is used when users attempt to connect to your nodes. After you set up just-in-time node access, we recommend testing your approval policies with a subset of users and nodes to verify your policies are working as desired before removing permissions to Session Manager.