AWS Security ChangesHomeSearch

AWS systems-manager high security documentation change

Service: systems-manager · 2025-08-28 · Security-related high

File: systems-manager/latest/userguide/security-iam-awsmanpol.md

Summary

Removed AWSQuickSetupFullAccess policy documentation and updated AWSSystemsManagerJustInTimeAccessServicePolicy to add automation execution tagging permissions

Security assessment

The removal of AWSQuickSetupFullAccess policy documentation suggests deprecation of a broad administrative access policy, reducing overprivileged access risks. The JustInTime policy update explicitly adds tagging capabilities to enable granular permission scoping ('SystemsManagerJustInTimeNodeAccessManaged=true' tag), which is a security control improvement.

Diff

diff --git a/systems-manager/latest/userguide/security-iam-awsmanpol.md b/systems-manager/latest/userguide/security-iam-awsmanpol.md
index da798f23a..4e7a52481 100644
--- a//systems-manager/latest/userguide/security-iam-awsmanpol.md
+++ b//systems-manager/latest/userguide/security-iam-awsmanpol.md
@@ -5 +5 @@
-AmazonSSMServiceRolePolicyAmazonSSMAutomationRoleAmazonSSMReadOnlyAccessAWSSystemsManagerOpsDataSyncServiceRolePolicyAmazonSSMManagedEC2InstanceDefaultPolicySSMQuickSetupRolePolicyAWSQuickSetupDeploymentRolePolicyAWSQuickSetupPatchPolicyDeploymentRolePolicyAWSQuickSetupPatchPolicyBaselineAccessAWSSystemsManagerEnableExplorerExecutionPolicyAWSSystemsManagerEnableConfigRecordingExecutionPolicyAWSQuickSetupDevOpsGuruPermissionsBoundaryAWSQuickSetupDistributorPermissionsBoundaryAWSQuickSetupSSMHostMgmtPermissionsBoundaryAWSQuickSetupPatchPolicyPermissionsBoundaryAWSQuickSetupSchedulerPermissionsBoundaryAWSQuickSetupCFGCPacksPermissionsBoundaryAWSQuickSetupStartStopInstancesExecutionPolicyAWSQuickSetupStartSSMAssociationsExecutionPolicyAWS-SSM-DiagnosisAutomation-AdministrationRolePolicyAWS-SSM-DiagnosisAutomation-ExecutionRolePolicyAWS-SSM-RemediationAutomation-AdministrationRolePolicyAWS-SSM-RemediationAutomation-ExecutionRolePolicyAWSQuickSetupSSMManageResourcesExecutionPolicyAWSQuickSetupSSMLifecycleManagementExecutionPolicyAWSQuickSetupSSMDeploymentRolePolicyAWSQuickSetupSSMDeploymentS3BucketRolePolicyAWSQuickSetupEnableDHMCExecutionPolicyAWSQuickSetupEnableAREXExecutionPolicyAWSQuickSetupManagedInstanceProfileExecutionPolicyAWSQuickSetupFullAccessAWSQuickSetupReadOnlyAccessAWSQuickSetupManageJITNAResourcesExecutionPolicyAWSQuickSetupJITNADeploymentRolePolicyAWSSystemsManagerJustInTimeAccessServicePolicyAWSSystemsManagerJustInTimeAccessTokenPolicyAWSSystemsManagerJustInTimeAccessTokenSessionPolicyAWSSystemsManagerJustInTimeNodeAccessRolePropagationPolicyAWSSystemsManagerNotificationsServicePolicyAWS-SSM-Automation-DiagnosisBucketPolicyAWS-SSM-RemediationAutomation-OperationalAccountAdministrationRolePolicyAWS-SSM-DiagnosisAutomation-OperationalAccountAdministrationRolePolicyPolicy updatesAdditional managed policies for Systems Manager
+AmazonSSMServiceRolePolicyAmazonSSMAutomationRoleAmazonSSMReadOnlyAccessAWSSystemsManagerOpsDataSyncServiceRolePolicyAmazonSSMManagedEC2InstanceDefaultPolicySSMQuickSetupRolePolicyAWSQuickSetupDeploymentRolePolicyAWSQuickSetupPatchPolicyDeploymentRolePolicyAWSQuickSetupPatchPolicyBaselineAccessAWSSystemsManagerEnableExplorerExecutionPolicyAWSSystemsManagerEnableConfigRecordingExecutionPolicyAWSQuickSetupDevOpsGuruPermissionsBoundaryAWSQuickSetupDistributorPermissionsBoundaryAWSQuickSetupSSMHostMgmtPermissionsBoundaryAWSQuickSetupPatchPolicyPermissionsBoundaryAWSQuickSetupSchedulerPermissionsBoundaryAWSQuickSetupCFGCPacksPermissionsBoundaryAWSQuickSetupStartStopInstancesExecutionPolicyAWSQuickSetupStartSSMAssociationsExecutionPolicyAWS-SSM-DiagnosisAutomation-AdministrationRolePolicyAWS-SSM-DiagnosisAutomation-ExecutionRolePolicyAWS-SSM-RemediationAutomation-AdministrationRolePolicyAWS-SSM-RemediationAutomation-ExecutionRolePolicyAWSQuickSetupSSMManageResourcesExecutionPolicyAWSQuickSetupSSMLifecycleManagementExecutionPolicyAWSQuickSetupSSMDeploymentRolePolicyAWSQuickSetupSSMDeploymentS3BucketRolePolicyAWSQuickSetupEnableDHMCExecutionPolicyAWSQuickSetupEnableAREXExecutionPolicyAWSQuickSetupManagedInstanceProfileExecutionPolicyAWSQuickSetupReadOnlyAccessAWSQuickSetupManageJITNAResourcesExecutionPolicyAWSQuickSetupJITNADeploymentRolePolicyAWSSystemsManagerJustInTimeAccessServicePolicyAWSSystemsManagerJustInTimeAccessTokenPolicyAWSSystemsManagerJustInTimeAccessTokenSessionPolicyAWSSystemsManagerJustInTimeNodeAccessRolePropagationPolicyAWSSystemsManagerNotificationsServicePolicyAWS-SSM-Automation-DiagnosisBucketPolicyAWS-SSM-RemediationAutomation-OperationalAccountAdministrationRolePolicyAWS-SSM-DiagnosisAutomation-OperationalAccountAdministrationRolePolicyPolicy updatesAdditional managed policies for Systems Manager
@@ -79,2 +78,0 @@ For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM
-  * AWS managed policy: AWSQuickSetupFullAccess 
-
@@ -1035,33 +1032,0 @@ To view more details about the policy, including the latest version of the JSON
-## AWS managed policy: AWSQuickSetupFullAccess 
-
-This policy grants administrative permissions that allow full access to AWS Systems Manager Quick Setup API actions and data in the AWS Management Console and AWS SDKs, as well as limited access to other AWS service resources that are required for Quick Setup operations.
-
-You can attach the `AWSQuickSetupFullAccess` policy to your IAM identities.
-
-**Permissions details**
-
-This policy includes the following permissions.
-
-  * `ssm` – Allows principals to enable Explorer; to perform resource data sync operations in State Manager; and to perform operations using SSM Command documents and Automation runbooks.
-
-Explorer, State Manager, Documents, and Automation are all tools in Systems Manager.
-
-  * `cloudformation` – Allows principals to perform the AWS CloudFormation operations that are necessary for provisioning resources across AWS Regions and AWS accounts.
-
-  * `ec2` – Allows principals to select the necessary parameters for a given configuration, and to provide validation in the AWS Management Console.
-
-  * `iam` – Allows principals to create the required service roles and service-linked roles for Quick Setup operations.
-
-  * `organizations` – Allows principals to read the status of accounts in an AWS Organizations organization; to retrieve an organization's structure; to enable trusted access; and to register a delegated administrator account from the management account.
-
-  * `resource-groups` – Allows principals to select the necessary parameters for a given configuration, and to provide validation in the AWS Management Console.
-
-  * `s3` – Allows principals to select the necessary parameters for a given configuration, and to provide validation in the AWS Management Console.
-
-  * `ssm-quicksetup` – Allows principals to perform read-only actions in Quick Setup.
-
-
-
-
-To view more details about the policy, including the latest version of the JSON policy document, see [AWSQuickSetupFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSQuickSetupFullAccess.html) in the _AWS Managed Policy Reference Guide_.
-
@@ -1137 +1102 @@ To view more details about the policy, including the latest version of the JSON
-The managed policy `AWSSystemsManagerJustInTimeAccessServicePolicy` provides permissions to AWS resources managed or used by the Systems Manager just-in-time node access feature.
+The managed policy `AWSSystemsManagerJustInTimeAccessServicePolicy` provides access to AWS resources managed or used by the AWS Systems Manager just-in-time access framework. This policy update adds automation execution tagging permissions to enable customers to scope down operator permissions to specific tags.
@@ -1147 +1112 @@ This policy includes the following permissions.
-  * `ssm` – Allows principals to create, describe, and update OpsItems, describe sessions and list tags for managed nodes.
+  * `ssm` – Allows principals to create and manage OpsItems, add tags to OpsItems and automation executions, get and update OpsItems, retrieve and describe documents, describe OpsItems and sessions, list documents and tags for managed instances.
@@ -1151 +1116 @@ This policy includes the following permissions.
-  * `identitystore` – Allows to get user and group IDs, describe users, and list group membership.
+  * `identitystore` – Allows principals to get user and group IDs, describe users, and list group membership.
@@ -1332,0 +1298 @@ Change | Description | Date
+AWSSystemsManagerJustInTimeAccessServicePolicy – Updated managed policy |  Systems Manager updated the managed policy to add automation execution tagging permissions. The service needs to tag automation executions with `SystemsManagerJustInTimeNodeAccessManaged=true` tag to enable customers to scope down operator permissions to specific tags. | August 28, 2025  
@@ -1377 +1342,0 @@ AWSQuickSetupManagedInstanceProfileExecutionPolicy – New policy |  Systems Man
-AWSQuickSetupFullAccess – New policy | Systems Manager added a new policy to allow Entities full access to AWS Systems Manager Quick Setup API actions and data in the AWS Management Console and AWS SDKs, as well as limited access to other AWS service resources that are required for Quick Setup operations. | November 21, 2024