AWS Security ChangesHomeSearch

AWS systems-manager documentation change

Service: systems-manager · 2025-10-25 · Documentation medium

File: systems-manager/latest/userguide/systems-manager-setting-up-messageAPIs.md

Summary

Added note about ssmmessages:OpenControlChannel permission requirements

Security assessment

Documents critical IAM permission dependencies and potential connectivity impacts. While security-related, this is preventive guidance rather than addressing an active vulnerability.

Diff

diff --git a/systems-manager/latest/userguide/systems-manager-setting-up-messageAPIs.md b/systems-manager/latest/userguide/systems-manager-setting-up-messageAPIs.md
index 00e3d3c5d..be5d0aa03 100644
--- a//systems-manager/latest/userguide/systems-manager-setting-up-messageAPIs.md
+++ b//systems-manager/latest/userguide/systems-manager-setting-up-messageAPIs.md
@@ -69,0 +70,6 @@ Systems Manager uses the `ssmmessages` endpoint for the following types of API o
+###### Note
+
+If the `ssmmessages:OpenControlChannel` permission is removed from policies attached to your IAM instance profile or IAM service role,SSM Agent on the managed node loses connectivity to the Systems Manager service in the cloud. However, it can take up to 1 hour for a connection to be terminated after the permission is removed. This is the same behavior as when the IAM instance role or IAM service role is deleted.
+
+Note that the `ssmmessages:OpenControlChannel` permission is included in the managed policy [AmazonSSMManagedInstanceCore](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMManagedInstanceCore.html), which is used in the instructions for [creating an IAM instance profile](https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-permissions.html#instance-profile-add-permissions) for EC2 instances and for [creating an IAM service role](https://docs.aws.amazon.com/systems-manager/latest/userguide/hybrid-multicloud-service-role.html) for non-EC2 instances.
+