AWS Security ChangesHomeSearch

AWS systems-manager documentation change

Service: systems-manager · 2025-10-25 · Documentation medium

File: systems-manager/latest/userguide/getting-started-add-permissions-to-existing-profile.md

Summary

Added note about consequences of removing `ssmmessages:OpenControlChannel` permissions

Security assessment

Documents operational security impact of permission changes but does not address a specific vulnerability. Highlights security implications of misconfiguration.

Diff

diff --git a/systems-manager/latest/userguide/getting-started-add-permissions-to-existing-profile.md b/systems-manager/latest/userguide/getting-started-add-permissions-to-existing-profile.md
index b26babb20..0facb6ea3 100644
--- a//systems-manager/latest/userguide/getting-started-add-permissions-to-existing-profile.md
+++ b//systems-manager/latest/userguide/getting-started-add-permissions-to-existing-profile.md
@@ -16,0 +17,2 @@ Note the following information:
+  * If the `ssmmessages:OpenControlChannel` permission is removed from policies attached to your IAM instance profile or IAM service role,SSM Agent on the managed node loses connectivity to the Systems Manager service in the cloud. However, it can take up to 1 hour for a connection to be terminated after the permission is removed. This is the same behavior as when the IAM instance role or IAM service role is deleted.
+