AWS license-manager medium security documentation change
Summary
Added SSM permissions (GetCommandInvocation, SendCommand) to AWSLicenseManagerServiceRolePolicy for license asset discovery via SSM documents
Security assessment
The change explicitly adds new IAM permissions allowing License Manager to execute SSM commands on EC2 instances and managed instances. This directly impacts security posture by expanding the service role's privileges. The policy update note confirms this enables license asset discovery through SSM, which could expose security risks if misconfigured.
Diff
diff --git a/license-manager/latest/userguide/security-iam-awsmanpol.md b/license-manager/latest/userguide/security-iam-awsmanpol.md index 3aeb498aa..ba71a7aa8 100644 --- a//license-manager/latest/userguide/security-iam-awsmanpol.md +++ b//license-manager/latest/userguide/security-iam-awsmanpol.md @@ -36,0 +37,4 @@ Action | Resource ARN +`ssm:GetCommandInvocation` | `*` +`ssm:SendCommand` | `arn:aws:ec2:*:*:instance/*` +`ssm:SendCommand` | `arn:aws:ssm:*:*:managed-instance/*` +`ssm:SendCommand` | `arn:aws:ssm:*::document/AWSLicenseManager-*` @@ -212,0 +217 @@ Change | Description | Date +AWSLicenseManagerServiceRolePolicy – Update to an existing policy | License Manager added permissions to discover license assets on instances by running AWS-Managed SSM documents. | November 19, 2025