AWS systems-manager high security documentation change
Summary
Expanded documentation for AWSSystemsManagerJustInTimeAccessTokenPolicy with detailed security controls
Security assessment
Significantly enhances documentation of security features including session encryption (KMS data keys), RDP SSO requirements, and granular permission restrictions. Adds explicit security controls for just-in-time access workflows including cryptographic operations and service-specific guardrails (e.g., KMS key tagging requirements).
Diff
diff --git a/systems-manager/latest/userguide/security-iam-awsmanpol.md b/systems-manager/latest/userguide/security-iam-awsmanpol.md index 167fc17b0..dfb573405 100644 --- a//systems-manager/latest/userguide/security-iam-awsmanpol.md +++ b//systems-manager/latest/userguide/security-iam-awsmanpol.md @@ -1110 +1110 @@ To view more details about the policy, including the latest version of the JSON -The managed policy `AWSSystemsManagerJustInTimeAccessTokenPolicy` allows Systems Manager to generate access tokens used for just-in-time node access. +The managed policy `AWSSystemsManagerJustInTimeAccessTokenPolicy` provides permissions for users to establish secure connections to Amazon EC2 instances and managed instances through Session Manager and Systems Manager GUI Connect RDP connections as part of just-in-time node access workflows. @@ -1114 +1114 @@ You can attach `AWSSystemsManagerJustInTimeAccessTokenPolicy` to your IAM entiti -This policy grants administrative permissions that allow Systems Manager to start sessions and generate access tokens for just-in-time node access. +This policy grants contributor permissions that allow users to start and manage secure sessions, establish RDP connections, and perform necessary cryptographic operations for just-in-time node access. @@ -1120 +1120 @@ This policy includes the following permissions. - * `ssm` – Allows principals to send commands, list command invocations, and start, resume, and end Session Manager sessions. + * `ssm` – Allows principals to start Session Manager sessions on Amazon EC2 instances and managed instances using the SSM-SessionManagerRunShell document. Also allows terminating and resuming sessions, retrieving command invocation details, and sending commands to instances for SSO user setup when called through Systems Manager GUI Connect. Additionally allows starting port forwarding sessions for RDP connections when called through Systems Manager GUI Connect. @@ -1122 +1122 @@ This policy includes the following permissions. - * `ssm-guiconnect` – Allows principals to start, describe, and end Systems Manager GUI Connect RDP connections. + * `ssmmessages` – Allows principals to open data channels for secure communication during Session Manager sessions. @@ -1124 +1124 @@ This policy includes the following permissions. - * `kms` – Allows principals to create grants and generate key data. + * `ssm-guiconnect` – Allows principals to start, get details about, and cancel Systems Manager GUI Connect RDP connections to instances. @@ -1126 +1126 @@ This policy includes the following permissions. - * `sso` – Allows principals to list directory associations. + * `kms` – Allows principals to generate data keys for Session Manager encryption and create grants for RDP connections. These permissions are restricted to AWS KMS keys tagged with `SystemsManagerJustInTimeNodeAccessManaged=true`. Grant creation is further restricted to be used only through the Systems Manager GUI Connect service. @@ -1128 +1128,3 @@ This policy includes the following permissions. - * `identitystore` – Allows principals to describe a user. + * `sso` – Allows principals to list directory associations when called through Systems Manager GUI Connect. This is required for RDP SSO user setup. + + * `identitystore` – Allows principals to describe users in the identity store when called through Systems Manager GUI Connect. This is required for RDP SSO user setup. @@ -1274,0 +1277 @@ Change | Description | Date +AWSSystemsManagerJustInTimeAccessTokenPolicy – Update to an existing policy | Systems Manager updated the managed policy `AWSSystemsManagerJustInTimeAccessTokenPolicy`. The statement (`SID`) `TerminateAndResumeSession` has been renamed to `TerminateAndResumeSessionAndOpenDataChannel` and now includes the `ssmmessages:OpenDataChannel` action, combining session management and data channel permissions into a single statement. | September 25, 2025