AWS cloud9 documentation change
Summary
Added documentation for the new `ssm:OpenDataChannel` action in AWSCloud9Administrator, AWSCloud9User, and AWSCloud9EnvironmentMember policies to enable SSM session data channels.
Security assessment
The change documents new permissions required for SSM session functionality but does not indicate a prior security vulnerability. This updates security-related policy documentation.
Diff
diff --git a/cloud9/latest/user-guide/security-iam.md b/cloud9/latest/user-guide/security-iam.md index 7644964dc..fb494c5f7 100644 --- a//cloud9/latest/user-guide/security-iam.md +++ b//cloud9/latest/user-guide/security-iam.md @@ -553,63 +553 @@ This policy includes the following permissions. -JSON - - -**** - - - - { - "Version":"2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "cloud9:*", - "iam:GetUser", - "iam:ListUsers", - "ec2:DescribeVpcs", - "ec2:DescribeSubnets", - "ec2:DescribeInstanceTypeOfferings", - "ec2:DescribeRouteTables" - ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "iam:CreateServiceLinkedRole" - ], - "Resource": "*", - "Condition": { - "StringLike": { - "iam:AWSServiceName": "cloud9.amazonaws.com" - } - } - }, - { - "Effect": "Allow", - "Action": [ - "ssm:StartSession", - "ssm:GetConnectionStatus" - ], - "Resource": "arn:aws:ec2:*:*:instance/*", - "Condition": { - "StringLike": { - "ssm:resourceTag/aws:cloud9:environment": "*" - }, - "StringEquals": { - "aws:CalledViaFirst": "cloud9.amazonaws.com" - } - } - }, - { - "Effect": "Allow", - "Action": [ - "ssm:StartSession" - ], - "Resource": [ - "arn:aws:ssm:*:*:document/*" - ] - } - ] - } - +To view the permissions for this policy, see [AWSCloud9Administrator](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSCloud9Administrator.html) in the _AWS Managed Policy Reference_. @@ -638,104 +576 @@ This policy includes the following permissions. -JSON - - -**** - - - - { - "Version":"2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "cloud9:UpdateUserSettings", - "cloud9:GetUserSettings", - "iam:GetUser", - "iam:ListUsers", - "ec2:DescribeVpcs", - "ec2:DescribeSubnets", - "ec2:DescribeInstanceTypeOfferings", - "ec2:DescribeRouteTables" - ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "cloud9:CreateEnvironmentEC2", - "cloud9:CreateEnvironmentSSH" - ], - "Resource": "*", - "Condition": { - "Null": { - "cloud9:OwnerArn": "true" - } - } - }, - { - "Effect": "Allow", - "Action": [ - "cloud9:GetUserPublicKey" - ], - "Resource": "*", - "Condition": { - "Null": { - "cloud9:UserArn": "true" - } - } - }, - { - "Effect": "Allow", - "Action": [ - "cloud9:DescribeEnvironmentMemberships" - ], - "Resource": [ - "*" - ], - "Condition": { - "Null": { - "cloud9:UserArn": "true", - "cloud9:EnvironmentId": "true" - } - } - }, - { - "Effect": "Allow", - "Action": [ - "iam:CreateServiceLinkedRole" - ], - "Resource": "*", - "Condition": { - "StringLike": { - "iam:AWSServiceName": "cloud9.amazonaws.com" - } - } - }, - { - "Effect": "Allow", - "Action": [ - "ssm:StartSession", - "ssm:GetConnectionStatus" - ], - "Resource": "arn:aws:ec2:*:*:instance/*", - "Condition": { - "StringLike": { - "ssm:resourceTag/aws:cloud9:environment": "*" - }, - "StringEquals": { - "aws:CalledViaFirst": "cloud9.amazonaws.com" - } - } - }, - { - "Effect": "Allow", - "Action": [ - "ssm:StartSession" - ], - "Resource": [ - "arn:aws:ssm:*:*:document/*" - ] - } - ] - } - +To view the permissions for this policy, see [AWSCloud9User](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSCloud9User.html) in the _AWS Managed Policy Reference_. @@ -762,63 +597 @@ This policy includes the following permissions: -JSON - - -**** - - - - { - "Version":"2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "cloud9:GetUserSettings", - "cloud9:UpdateUserSettings", - "iam:GetUser", - "iam:ListUsers" - ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "cloud9:DescribeEnvironmentMemberships"