AWS systems-manager documentation change
Summary
Added note about consequences of removing `ssmmessages:OpenControlChannel` permissions
Security assessment
Documents operational security impact of permission changes but does not address a specific vulnerability. Highlights security implications of misconfiguration.
Diff
diff --git a/systems-manager/latest/userguide/getting-started-add-permissions-to-existing-profile.md b/systems-manager/latest/userguide/getting-started-add-permissions-to-existing-profile.md index b26babb20..0facb6ea3 100644 --- a//systems-manager/latest/userguide/getting-started-add-permissions-to-existing-profile.md +++ b//systems-manager/latest/userguide/getting-started-add-permissions-to-existing-profile.md @@ -16,0 +17,2 @@ Note the following information: + * If the `ssmmessages:OpenControlChannel` permission is removed from policies attached to your IAM instance profile or IAM service role,SSM Agent on the managed node loses connectivity to the Systems Manager service in the cloud. However, it can take up to 1 hour for a connection to be terminated after the permission is removed. This is the same behavior as when the IAM instance role or IAM service role is deleted. +