AWS Security ChangesHomeSearch

AWS systems-manager documentation change

Service: systems-manager · 2026-02-13 · Documentation medium

File: systems-manager/latest/userguide/diagnosing-ec2-category-types.md

Summary

Added new problem category for Network ACL configuration with details on required inbound/outbound rules for Systems Manager traffic

Security assessment

Documents security configuration requirements for NACLs to allow Systems Manager communication, but doesn't address a specific vulnerability

Diff

diff --git a/systems-manager/latest/userguide/diagnosing-ec2-category-types.md b/systems-manager/latest/userguide/diagnosing-ec2-category-types.md
index 6bb899849..3f5c09547 100644
--- a//systems-manager/latest/userguide/diagnosing-ec2-category-types.md
+++ b//systems-manager/latest/userguide/diagnosing-ec2-category-types.md
@@ -5 +5 @@
-Problem category: Security group configuration and HTTPS communicationsProblem category: DNS or DNS host name configurationProblem category: VPC endpoint configuration
+Problem category: Security group configuration and HTTPS communicationsProblem category: DNS or DNS host name configurationProblem category: VPC endpoint configurationProblem category: Network ACL configuration
@@ -24,0 +25,2 @@ The diagnosis process examines each group of EC2 instances at once according to
+  * Problem category: Network ACL configuration
+
@@ -101,0 +104,28 @@ For more information, see [Verify your VPC configuration](./troubleshooting-ssm-
+## Problem category: Network ACL configuration
+
+A diagnosis operation might find that network access control lists (NACLs) aren't properly configured for the VPC, blocking necessary traffic for Systems Manager communication. NACLs are stateless, so both outbound and inbound rules must permit Systems Manager traffic.
+
+Systems Manager can identify NACL configuration issues and provide guidance for manual remediation.
+
+###### Supported issue types
+
+  * **Instance subnet NACL** : Outbound traffic is not allowed on port 443 to Systems Manager endpoints
+
+  * **Instance subnet NACL** : Inbound traffic is not allowed on ephemeral ports (1024-65535) for Systems Manager responses
+
+
+
+
+###### Diagnosable issue types
+
+Systems Manager can diagnose the following NACL configuration issues, but manual remediation is required:
+
+  * An instance's subnet NACL blocks outbound HTTPS (port 443) traffic to Systems Manager endpoints
+
+  * An instance's subnet NACL blocks inbound ephemeral port traffic (1024-65535) required for Systems Manager responses
+
+
+
+
+For more information, see [Troubleshooting SSM Agent](https://docs.aws.amazon.com/systems-manager/latest/userguide/troubleshooting-ssm-agent.html), and [Custom network ACLs for your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/custom-network-acl.html#nacl-ephemeral-ports).
+