AWS Security ChangesHomeSearch

AWS systems-manager documentation change

Service: systems-manager · 2025-08-22 · Documentation medium

File: systems-manager/latest/userguide/systems-manager-just-in-time-node-access-setting-up.md

Summary

Clarified requirement to remove StartSession API action permission for JIT access enforcement.

Security assessment

Specifying the exact IAM permission to remove enhances security guidance, ensuring proper JIT access implementation without directly addressing a vulnerability.

Diff

diff --git a/systems-manager/latest/userguide/systems-manager-just-in-time-node-access-setting-up.md b/systems-manager/latest/userguide/systems-manager-just-in-time-node-access-setting-up.md
index 717dff31f..3927404db 100644
--- a//systems-manager/latest/userguide/systems-manager-just-in-time-node-access-setting-up.md
+++ b//systems-manager/latest/userguide/systems-manager-just-in-time-node-access-setting-up.md
@@ -13 +13 @@ Next you'll create _approval policies_ to determine when node connections requir
-Setting up just-in-time node access doesn't affect existing IAM policies or preferences you've configured for Session Manager. You must remove permissions to Session Manager actions such as `StartSession` from your IAM policies to ensure that only just-in-time node access is used when users attempt to connect to your nodes. After you set up just-in-time node access, we recommend testing your approval policies with a subset of users and nodes to verify your policies are working as desired before removing permissions to Session Manager.
+Setting up just-in-time node access doesn't affect existing IAM policies or preferences you've configured for Session Manager. You must remove permission to the `StartSession` API action from your IAM policies to ensure that only just-in-time node access is used when users attempt to connect to your nodes. After you set up just-in-time node access, we recommend testing your approval policies with a subset of users and nodes to verify your policies are working as desired before removing permissions to Session Manager.