AWS systems-manager high security documentation change
Summary
Updated permissions description for AWSSystemsManagerJustInTimeAccessTokenPolicy, removing GUI Connect references and modifying cryptographic operations
Security assessment
Changes modify encryption-related permissions (KMS grants/key generation) and streamline just-in-time access controls. Removal of GUI Connect-specific restrictions could impact session security controls. Directly affects authentication mechanisms and cryptographic operations.
Diff
diff --git a/systems-manager/latest/userguide/security-iam-awsmanpol.md b/systems-manager/latest/userguide/security-iam-awsmanpol.md index dfb573405..167fc17b0 100644 --- a//systems-manager/latest/userguide/security-iam-awsmanpol.md +++ b//systems-manager/latest/userguide/security-iam-awsmanpol.md @@ -1110 +1110 @@ To view more details about the policy, including the latest version of the JSON -The managed policy `AWSSystemsManagerJustInTimeAccessTokenPolicy` provides permissions for users to establish secure connections to Amazon EC2 instances and managed instances through Session Manager and Systems Manager GUI Connect RDP connections as part of just-in-time node access workflows. +The managed policy `AWSSystemsManagerJustInTimeAccessTokenPolicy` allows Systems Manager to generate access tokens used for just-in-time node access. @@ -1114 +1114 @@ You can attach `AWSSystemsManagerJustInTimeAccessTokenPolicy` to your IAM entiti -This policy grants contributor permissions that allow users to start and manage secure sessions, establish RDP connections, and perform necessary cryptographic operations for just-in-time node access. +This policy grants administrative permissions that allow Systems Manager to start sessions and generate access tokens for just-in-time node access. @@ -1120 +1120 @@ This policy includes the following permissions. - * `ssm` – Allows principals to start Session Manager sessions on Amazon EC2 instances and managed instances using the SSM-SessionManagerRunShell document. Also allows terminating and resuming sessions, retrieving command invocation details, and sending commands to instances for SSO user setup when called through Systems Manager GUI Connect. Additionally allows starting port forwarding sessions for RDP connections when called through Systems Manager GUI Connect. + * `ssm` – Allows principals to send commands, list command invocations, and start, resume, and end Session Manager sessions. @@ -1122 +1122 @@ This policy includes the following permissions. - * `ssmmessages` – Allows principals to open data channels for secure communication during Session Manager sessions. + * `ssm-guiconnect` – Allows principals to start, describe, and end Systems Manager GUI Connect RDP connections. @@ -1124 +1124 @@ This policy includes the following permissions. - * `ssm-guiconnect` – Allows principals to start, get details about, and cancel Systems Manager GUI Connect RDP connections to instances. + * `kms` – Allows principals to create grants and generate key data. @@ -1126 +1126 @@ This policy includes the following permissions. - * `kms` – Allows principals to generate data keys for Session Manager encryption and create grants for RDP connections. These permissions are restricted to AWS KMS keys tagged with `SystemsManagerJustInTimeNodeAccessManaged=true`. Grant creation is further restricted to be used only through the Systems Manager GUI Connect service. + * `sso` – Allows principals to list directory associations. @@ -1128,3 +1128 @@ This policy includes the following permissions. - * `sso` – Allows principals to list directory associations when called through Systems Manager GUI Connect. This is required for RDP SSO user setup. - - * `identitystore` – Allows principals to describe users in the identity store when called through Systems Manager GUI Connect. This is required for RDP SSO user setup. + * `identitystore` – Allows principals to describe a user. @@ -1277 +1274,0 @@ Change | Description | Date -AWSSystemsManagerJustInTimeAccessTokenPolicy – Update to an existing policy | Systems Manager updated the managed policy `AWSSystemsManagerJustInTimeAccessTokenPolicy`. The statement (`SID`) `TerminateAndResumeSession` has been renamed to `TerminateAndResumeSessionAndOpenDataChannel` and now includes the `ssmmessages:OpenDataChannel` action, combining session management and data channel permissions into a single statement. | September 25, 2025