AWS Security ChangesHomeSearch

AWS systems-manager documentation change

Service: systems-manager · 2025-10-25 · Documentation medium

File: systems-manager/latest/userguide/getting-started-create-iam-instance-profile.md

Summary

Added same note about `ssmmessages:OpenControlChannel` permissions impact

Security assessment

Reinforces security best practices for required permissions but does not fix a security flaw.

Diff

diff --git a/systems-manager/latest/userguide/getting-started-create-iam-instance-profile.md b/systems-manager/latest/userguide/getting-started-create-iam-instance-profile.md
index 0abac154f..7b74e068a 100644
--- a//systems-manager/latest/userguide/getting-started-create-iam-instance-profile.md
+++ b//systems-manager/latest/userguide/getting-started-create-iam-instance-profile.md
@@ -35,0 +36,4 @@ Use the following procedure to create a custom IAM role with a policy that provi
+###### Note
+
+If the `ssmmessages:OpenControlChannel` permission is removed from policies attached to your IAM instance profile or IAM service role,SSM Agent on the managed node loses connectivity to the Systems Manager service in the cloud. However, it can take up to 1 hour for a connection to be terminated after the permission is removed. This is the same behavior as when the IAM instance role or IAM service role is deleted.
+