AWS systems-manager documentation change
Summary
Restructured content to focus on example scenarios and data perimeter policy considerations. Added links to service-specific guidance and AWS Samples repository.
Security assessment
The changes provide clearer guidance on configuring SCPs and VPC endpoint policies for data perimeters, which are security controls. However, there's no evidence of addressing a specific vulnerability.
Diff
diff --git a/systems-manager/latest/userguide/data-perimeters.md b/systems-manager/latest/userguide/data-perimeters.md index ab526b153..485e52151 100644 --- a//systems-manager/latest/userguide/data-perimeters.md +++ b//systems-manager/latest/userguide/data-perimeters.md @@ -5,2 +4,0 @@ -AWS service-owned resources accessed by Systems ManagerData perimeter policy considerations - @@ -11,7 +9 @@ A data perimeter is a set of preventive guardrails in your AWS environment that -For more information about data perimeters, see [Data perimeters on AWS](https://aws.amazon.com/identity/data-perimeters-on-aws/). - -## AWS service-owned resources accessed by Systems Manager - -Systems Manager accesses the AWS service-owned resources listed below to provide functionality. - -### SSM document categories S3 bucket +###### Example scenario: SSM document categories S3 bucket @@ -59 +51 @@ Required permissions -## Data perimeter policy considerations +###### Data perimeter policy considerations @@ -63 +55 @@ When implementing data perimeter controls using Service Control Policies (SCPs) -For example, if you're using an SCP with `aws:ResourceOrgID` to restrict access to resources outside your organization, you would need to add an exception for the SSM Document categories bucket: +For example, if you're using an SCP with `aws:ResourceOrgID` to restrict access to resources outside your organization, you would need to add an exception for the SSM Document categories bucket. @@ -65 +57 @@ For example, if you're using an SCP with `aws:ResourceOrgID` to restrict access -This policy denies access to resources outside your organization, but includes an exception for any S3 bucket that matches the `ssm-document-categories*` pattern, allowing Systems Manager to continue functioning properly. +The policy would need to access to resources outside your organization but include an exception for the appropriate S3 buckets, allowing Systems Manager to continue functioning properly. @@ -68,0 +61,13 @@ Similarly, if you're using VPC endpoint policies to restrict S3 access, you woul +###### More information + +For more information about data perimeters in AWS, see the following topics: + + * [Data perimeters on AWS](https://aws.amazon.com/identity/data-perimeters-on-aws/). + + * [Establish permissions guardrails using data perimeters](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_data-perimeters.html) in the _IAM User Guide_ + + * [Service-specific guidance: AWS Systems Manager](https://github.com/aws-samples/data-perimeter-policy-examples/blob/main/service_specific_guidance/ssm-specific-guidance.md) and [Service-owned resources](https://github.com/aws-samples/data-perimeter-policy-examples/blob/main/service_owned_resources.md) in the _AWS Samples_ repository on GitHub + + + +