AWS Security ChangesHomeSearch

AWS license-manager medium security documentation change

Service: license-manager · 2025-11-22 · Security-related medium

File: license-manager/latest/userguide/security-iam-awsmanpol.md

Summary

Added SSM permissions (GetCommandInvocation, SendCommand) to AWSLicenseManagerServiceRolePolicy for license asset discovery via SSM documents

Security assessment

The change explicitly adds new IAM permissions allowing License Manager to execute SSM commands on EC2 instances and managed instances. This directly impacts security posture by expanding the service role's privileges. The policy update note confirms this enables license asset discovery through SSM, which could expose security risks if misconfigured.

Diff

diff --git a/license-manager/latest/userguide/security-iam-awsmanpol.md b/license-manager/latest/userguide/security-iam-awsmanpol.md
index 3aeb498aa..ba71a7aa8 100644
--- a//license-manager/latest/userguide/security-iam-awsmanpol.md
+++ b//license-manager/latest/userguide/security-iam-awsmanpol.md
@@ -36,0 +37,4 @@ Action | Resource ARN
+`ssm:GetCommandInvocation` | `*`  
+`ssm:SendCommand` | `arn:aws:ec2:*:*:instance/*`  
+`ssm:SendCommand` | `arn:aws:ssm:*:*:managed-instance/*`  
+`ssm:SendCommand` | `arn:aws:ssm:*::document/AWSLicenseManager-*`  
@@ -212,0 +217 @@ Change | Description | Date
+AWSLicenseManagerServiceRolePolicy – Update to an existing policy | License Manager added permissions to discover license assets on instances by running AWS-Managed SSM documents. | November 19, 2025